From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Wed, 19 Sep 2018 14:30:33 +0200
Subject: [5/8] CVE-2018-10933: Check channel state when OPEN_CONFIRMATION
arrives
Origin: https://git.libssh.org/projects/libssh.git/commit/?id=3837a0547f08b160749fed7496316a62d6c11dea
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10933
Bug-Debian: https://bugs.debian.org/911149
When a SSH2_MSG_OPEN_CONFIRMATION arrives, the channel state is checked
to be in SSH_CHANNEL_STATE_OPENING.
Fixes T101
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
src/channels.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/channels.c b/src/channels.c
index 30c314683c9b..d5d36af5ead2 100644
--- a/src/channels.c
+++ b/src/channels.c
@@ -170,6 +170,15 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf){
"Received a CHANNEL_OPEN_CONFIRMATION for channel %d:%d",
channel->local_channel,
channel->remote_channel);
+
+ if (channel->state != SSH_CHANNEL_STATE_OPENING) {
+ SSH_LOG(SSH_LOG_RARE,
+ "SSH2_MSG_CHANNEL_OPEN_CONFIRMATION received in incorrect "
+ "channel state %d",
+ channel->state);
+ goto error;
+ }
+
SSH_LOG(SSH_LOG_PROTOCOL,
"Remote window : %lu, maxpacket : %lu",
(long unsigned int) channel->remote_window,
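Review bot: The state check sits after the "Received a CHANNEL_OPEN_CONFIRMATION" log, which already prints channel->remote_channel. If the callback fills remote_channel, remote_window and remote_maxpacket from the packet before this point (not visible in this hunk), a confirmation arriving in the wrong state will have overwritten those fields on an existing channel before `goto error` runs. Consider moving the `channel->state != SSH_CHANNEL_STATE_OPENING` test to directly after the channel lookup, ahead of anything that writes into the channel struct. Two smaller points: the new log prints the state with a bare %d, so an explicit (int) cast or a state name would read better in logs, and the commit message names the packet SSH2_MSG_OPEN_CONFIRMATION while the log string uses SSH2_MSG_CHANNEL_OPEN_CONFIRMATION.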
--
2.19.1