authorAnderson Toshiyuki Sasaki <ansasaki@redhat.com>2018-09-07 17:12:01 +0200
committerAndreas Schneider <asn@cryptomilk.org>2018-10-16 09:19:03 +0200
commit68b0c7a93448123cc0d6a04d3df40d92a3fd0a67 (patch)
tree863f51730f20012d62c76406f82e1010d5ccd020
parent459868c4a57d2d11cf7835655a8d1a5cf034ccb4 (diff)
CVE-2018-10933: Check channel state when OPEN_FAILURE arrives
When a SSH2_MSG_OPEN_FAILURE arrives, the channel state is checked to be in SSH_CHANNEL_STATE_OPENING. Fixes T101 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r--src/channels.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/channels.c b/src/channels.c
index b26f6bd4..0e61e5cd 100644
--- a/src/channels.c
+++ b/src/channels.c
@@ -220,6 +220,14 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){
return SSH_PACKET_USED;
}
+ if (channel->state != SSH_CHANNEL_STATE_OPENING) {
+ SSH_LOG(SSH_LOG_RARE,
+ "SSH2_MSG_CHANNEL_OPEN_FAILURE received in incorrect channel "
+ "state %d",
+ channel->state);
+ goto error;
+ }
+
ssh_set_error(session, SSH_REQUEST_DENIED,
"Channel opening failure: channel %u error (%lu) %s",
channel->local_channel,
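Review bot: The new state check carries no comment explaining why a CHANNEL_OPEN_FAILURE is acceptable only in SSH_CHANNEL_STATE_OPENING, and its log line does not say which channel the packet targeted. I would add above the `if` something like `/* OPEN_FAILURE only answers our own CHANNEL_OPEN; in any other state it is a protocol violation and must not change the channel state. */`. For triage, the log message could also include the channel id that the following ssh_set_error call already prints, e.g. `"state %d on channel %u", channel->state, channel->local_channel`. The enclosing callback starts before this hunk and ends in the next one.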
@@ -228,6 +236,10 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){
SAFE_FREE(error);
channel->state=SSH_CHANNEL_STATE_OPEN_DENIED;
return SSH_PACKET_USED;
+
+error:
+ ssh_set_error(session, SSH_FATAL, "Invalid packet");
+ return SSH_PACKET_USED;
}
static int ssh_channel_open_termination(void *c){
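Review bot: The new `error:` path returns without the `SAFE_FREE(error);` that the normal path runs just above it, so the failure string looks like it is leaked whenever the state check in the first hunk jumps here. Where `error` is filled in is outside both hunks, but if it is already allocated at that point, each CHANNEL_OPEN_FAILURE received in the wrong state would leak it; adding `SAFE_FREE(error);` as the first statement after the label would close that. The label also shares its name with that local variable, which is legal C but reads ambiguously; a name such as `invalid_state:` would be clearer. The callback begins before the first hunk.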