author | Anderson Toshiyuki Sasaki <ansasaki@redhat.com> | 2018-09-07 17:12:01 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2018-10-16 09:19:03 +0200 |
commit | 68b0c7a93448123cc0d6a04d3df40d92a3fd0a67 (patch) | |
tree | 863f51730f20012d62c76406f82e1010d5ccd020 /src/channels.c | |
parent | 459868c4a57d2d11cf7835655a8d1a5cf034ccb4 (diff) | |
CVE-2018-10933: Check channel state when OPEN_FAILURE arrives
When a SSH2_MSG_OPEN_FAILURE arrives, the channel state is checked
to be in SSH_CHANNEL_STATE_OPENING.
Fixes T101
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src/channels.c')
-rw-r--r-- | src/channels.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/channels.c b/src/channels.c
index b26f6bd4..0e61e5cd 100644
--- a/src/channels.c
+++ b/src/channels.c
@@ -220,6 +220,14 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){
 return SSH_PACKET_USED;
 }
+ if (channel->state != SSH_CHANNEL_STATE_OPENING) {
+ SSH_LOG(SSH_LOG_RARE,
+ "SSH2_MSG_CHANNEL_OPEN_FAILURE received in incorrect channel "
+ "state %d",
+ channel->state);
+ goto error;
+ }
+
 ssh_set_error(session, SSH_REQUEST_DENIED,
 "Channel opening failure: channel %u error (%lu) %s",
 channel->local_channel,
@@ -228,6 +236,10 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){
 SAFE_FREE(error);
 channel->state=SSH_CHANNEL_STATE_OPEN_DENIED;
 return SSH_PACKET_USED;
+
+error:
+ ssh_set_error(session, SSH_FATAL, "Invalid packet");
+ return SSH_PACKET_USED;
 }
 static int ssh_channel_open_termination(void *c){ |
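Review bot: The rejection log in the new state check does not say which channel the out-of-sequence message targeted, which makes a misbehaving peer harder to tie to a channel during triage; the success path just below already prints `channel->local_channel`. Consider `"SSH2_MSG_CHANNEL_OPEN_FAILURE received for channel %u in incorrect state %d", channel->local_channel, channel->state`. A short comment above the `if` would also record the reason for the check, e.g. `/* Only a channel still in OPENING may be refused; otherwise the peer could force an established channel to OPEN_DENIED. */`, since the later `channel->state=SSH_CHANNEL_STATE_OPEN_DENIED;` is otherwise unconditional. The function body starts and ends outside this hunk.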
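Review bot: The new `error:` exit returns without releasing `error`, while the normal path calls `SAFE_FREE(error);` before it returns. If the string has already been unpacked by the time the state check jumps here (that code is outside the hunk, so this is inferred), every out-of-state message leaks one peer-supplied allocation. Adding `SAFE_FREE(error);` as the first statement under the label would close that. The label also shares its name with the local `error` pointer, which is legal C but easy to misread; a name such as `invalid_state:` would be clearer. The function starts outside this hunk.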