| Summary: | Improperly used buffer during KEX | ||
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Georgi Chulkov <godji> |
| Component: | Miscellaneous | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED INVALID | ||
| Severity: | normal | CC: | djm |
| Priority: | P2 | ||
| Version: | 5.0p1 | ||
| Hardware: | All | ||
| OS: | All | ||
Description (Georgi Chulkov):

In kex.c:kex_input_kexinit, when a packet with the other side's KEX proposal is received, it is appended into a buffer that has not been cleared first. This could lead to problems - in particular, if that buffer already contains an old peer proposal, the new one will be appended but the old one will be silently used instead. The code is currently:

```c
ptr = packet_get_raw(&dlen);
buffer_append(&kex->peer, ptr, dlen);
```

but should be:

```c
ptr = packet_get_raw(&dlen);
buffer_clear(&kex->peer);
buffer_append(&kex->peer, ptr, dlen);
```

Comment 1:

input_kexinit calls the kex method on completion, which clears kex->peer, so your case cannot happen.

Comment 2:

Move resolved bugs to CLOSED after 5.7 release
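The two positions in this report can be checked against a small model. The following is an added example, not OpenSSH code: `proposal_buf`, `buf_append`, `buf_clear`, `kex_input_kexinit_append_only` and `kex_finish` are hypothetical stand-ins for the Buffer routines and for the "kex method clears kex->peer on completion" step described in the reply, and the proposals are constructed NUL-terminated strings rather than real KEXINIT payloads. Because a parser reads the proposal from offset 0, whatever is already at the front of the buffer is what gets used; the first scenario reproduces the reporter's stale-proposal concern when nothing clears the buffer, the second shows why a clear at KEX completion makes the append-only receive path safe.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a growable byte buffer (hypothetical stand-in for
 * OpenSSH's Buffer type used as kex->peer).  Not OpenSSH code. */
typedef struct {
    unsigned char data[1024];
    size_t len;
} proposal_buf;

static void buf_clear(proposal_buf *b) { b->len = 0; }

static void buf_append(proposal_buf *b, const void *p, size_t n) {
    assert(b->len + n <= sizeof b->data);   /* model only; no growth needed */
    memcpy(b->data + b->len, p, n);
    b->len += n;
}

/* A proposal is modelled as a NUL-terminated string (hypothetical format,
 * far simpler than a real KEXINIT).  Parsing starts at offset 0, so the
 * proposal "in use" is whatever sits at the front of the buffer. */
static const char *proposal_in_use(const proposal_buf *b) {
    return b->len ? (const char *)b->data : "";
}

/* Receive path exactly as the report describes it: append, never clear. */
static void kex_input_kexinit_append_only(proposal_buf *peer, const char *proposal) {
    buf_append(peer, proposal, strlen(proposal) + 1);
}

/* The completion step the reply points to: the kex method clears kex->peer. */
static void kex_finish(proposal_buf *peer) { buf_clear(peer); }

/* Scenario 1 (reporter's concern): a second KEXINIT arrives while an old
 * proposal is still in the buffer.  The new one is appended after the old
 * one, and the old one is what the parser sees.  Returns 1 if that happens. */
static int stale_proposal_wins(void) {
    proposal_buf peer = { .len = 0 };
    kex_input_kexinit_append_only(&peer, "old-proposal");
    kex_input_kexinit_append_only(&peer, "new-proposal");
    return strcmp(proposal_in_use(&peer), "old-proposal") == 0;
}

/* Scenario 2 (maintainer's point): the first exchange runs to completion,
 * which clears the buffer, so the next KEXINIT lands in an empty buffer
 * and is the only thing in it.  Returns 1 if the new proposal is used and
 * nothing stale remains. */
static int cleared_between_exchanges(void) {
    proposal_buf peer = { .len = 0 };
    kex_input_kexinit_append_only(&peer, "old-proposal");
    kex_finish(&peer);
    kex_input_kexinit_append_only(&peer, "new-proposal");
    return strcmp(proposal_in_use(&peer), "new-proposal") == 0
        && peer.len == strlen("new-proposal") + 1;
}

int main(void) {
    printf("append without clear -> stale proposal used: %s\n",
           stale_proposal_wins() ? "yes" : "no");
    printf("clear at KEX completion -> new proposal used: %s\n",
           cleared_between_exchanges() ? "yes" : "no");
    return 0;
}
```

The model makes the disagreement precise: a `buffer_clear` before the append is only redundant if every path that leaves a proposal in `kex->peer` is guaranteed to run the completion step before the next KEXINIT can be received, which is the invariant the reply relies on.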