Commit ec165c3

mfriedl authored and djm committed
upstream commit
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn

Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
1 parent 29d4031 commit ec165c3

1 file changed: +2 -1 lines changed

Diff for: kex.c

@@ -1,4 +1,4 @@
1-
/* $OpenBSD: kex.c,v 1.126 2016/09/28 21:44:52 djm Exp $ */
1+
/* $OpenBSD: kex.c,v 1.127 2016/10/10 19:28:48 markus Exp $ */
22
/*
33
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
44
*
@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
481481
if (kex == NULL)
482482
return SSH_ERR_INVALID_ARGUMENT;
483483

484+
ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
484485
ptr = sshpkt_ptr(ssh, &dlen);
485486
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
486487
return r;
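
Review bot: after the added `ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);` in `kex_input_kexinit()`, nothing in this hunk shows the handler being registered again, so please confirm that it is restored once the exchange completes; otherwise a later rekey initiated by the peer would find no KEXINIT handler. The new line also deserves a short comment saying why it is there (the commit message's point that an unauthenticated peer can otherwise repeat KEXINIT), since a bare dispatch reset is easy to drop in a later refactor. As defence in depth, the `sshbuf_put(kex->peer, ptr, dlen)` that follows still appends to `kex->peer` without checking that the buffer is empty; rejecting the message when `kex->peer` already holds data would bound the allocation in this function even if the dispatch entry were re-armed early.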
