From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Wed, 19 Sep 2018 14:30:33 +0200
Subject: [5/8] CVE-2018-10933: Check channel state when OPEN_CONFIRMATION
 arrives
Origin: https://git.libssh.org/projects/libssh.git/commit/?id=3837a0547f08b160749fed7496316a62d6c11dea
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10933
Bug-Debian: https://bugs.debian.org/911149

When a SSH2_MSG_OPEN_CONFIRMATION arrives, the channel state is checked
to be in SSH_CHANNEL_STATE_OPENING.

Fixes T101

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
 src/channels.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/channels.c b/src/channels.c
index 30c314683c9b..d5d36af5ead2 100644
--- a/src/channels.c
+++ b/src/channels.c
@@ -170,6 +170,15 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf){
       "Received a CHANNEL_OPEN_CONFIRMATION for channel %d:%d",
       channel->local_channel,
       channel->remote_channel);
+
+  if (channel->state != SSH_CHANNEL_STATE_OPENING) {
+      SSH_LOG(SSH_LOG_RARE,
+              "SSH2_MSG_CHANNEL_OPEN_CONFIRMATION received in incorrect "
+              "channel state %d",
+              channel->state);
+      goto error;
+  }
+
   SSH_LOG(SSH_LOG_PROTOCOL,
       "Remote window : %lu, maxpacket : %lu",
       (long unsigned int) channel->remote_window,
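Review bot: The state check is placed after the "Received a CHANNEL_OPEN_CONFIRMATION" log, which already reads channel->remote_channel. If that field is assigned from the packet earlier in this callback, above the hunk, a confirmation that arrives in the wrong state still overwrites it before `goto error` rejects the message. Consider moving the `channel->state != SSH_CHANNEL_STATE_OPENING` test to directly after the channel lookup, before any channel field is written from the packet, so that a rejected message leaves the channel untouched. Two smaller points: the rejection log prints only the numeric state, and adding channel->local_channel would let an operator tie the event to a specific channel. The body of the new `if` is also indented four columns past the `if` itself, where the surrounding function uses two-column indentation.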
-- 
2.19.1

