Bug 1486 - Improperly used buffer during KEX
Summary: Improperly used buffer during KEX
Status: CLOSED INVALID
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Miscellaneous
Version: 5.0p1
Hardware: All All
Importance: P2 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-07-12 21:40 AEST by Georgi Chulkov
Modified: 2011-01-24 12:33 AEDT
CC: 1 user

See Also:


Description Georgi Chulkov 2008-07-12 21:40:37 AEST
In kex.c:kex_input_kexinit, when a packet with the other side's KEX proposal is received, it is appended into a buffer that has not been cleared first. This could lead to problems - in particular, if that buffer already contains an old peer proposal, the new one will be appended but the old one will be silently used instead.

The code is currently:

    ptr = packet_get_raw(&dlen);
    buffer_append(&kex->peer, ptr, dlen);

but should be:

    ptr = packet_get_raw(&dlen);
    buffer_clear(&kex->peer);
    buffer_append(&kex->peer, ptr, dlen);
Comment 1 Damien Miller 2010-04-24 11:06:32 AEST
input_kexinit calls the kex method on completion, which clears kex->peer so your case cannot happen.
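The following is an added illustration of the case argued above; it is not code from OpenSSH or from either participant. It models kex->peer as a fixed-size append-only buffer holding one SSH string (the peer's proposal) and delivers two KEXINITs under three policies: never clearing (the behaviour the report is worried about), clearing when the exchange completes (what Comment 1 says the kex method does), and clearing on receipt (the change the report proposes). The struct layout, the put_string/get_first_string helpers, the CLEAR_* constants and the run_exchange, proposal_seen and peer_len_after functions are assumptions of this model, not OpenSSH internals.

```c
/* Added illustration of the scenario in this report; it is not OpenSSH code.
 * The buffer type, SSH-string helpers, CLEAR_* modes and the run_exchange,
 * proposal_seen and peer_len_after functions are assumptions of this model. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_CAP 256
enum { CLEAR_NEVER = 0, CLEAR_ON_FINISH = 1, CLEAR_ON_RECEIPT = 2 };

struct buffer { unsigned char data[BUF_CAP]; size_t len; };
struct kex { struct buffer peer; };   /* holds the peer's KEXINIT proposal */

/* Append only: whatever the buffer already held stays at the front. */
static int buffer_append(struct buffer *b, const void *p, size_t n)
{
    if (n > BUF_CAP - b->len) return -1;
    memcpy(b->data + b->len, p, n);
    b->len += n;
    return 0;
}

static void buffer_clear(struct buffer *b) { memset(b, 0, sizeof *b); }

/* Encode one SSH string (uint32 big-endian length, then bytes) into out.
 * Returns bytes written, or 0 if it does not fit. */
static size_t put_string(unsigned char *out, size_t cap, const char *s)
{
    size_t n = strlen(s);
    if (n > UINT32_MAX || n + 4 > cap) return 0;
    out[0] = (unsigned char)(n >> 24); out[1] = (unsigned char)(n >> 16);
    out[2] = (unsigned char)(n >> 8);  out[3] = (unsigned char)n;
    memcpy(out + 4, s, n);
    return n + 4;
}

/* Decode the SSH string at the front of the buffer, as a consumer parsing
 * kex->peer from offset 0 would. Returns 0 on success, -1 if malformed. */
static int get_first_string(const struct buffer *b, char *dst, size_t dstcap)
{
    uint32_t n;
    if (b->len < 4) return -1;
    n = ((uint32_t)b->data[0] << 24) | ((uint32_t)b->data[1] << 16) |
        ((uint32_t)b->data[2] << 8)  |  (uint32_t)b->data[3];
    if (n > b->len - 4 || (size_t)n + 1 > dstcap) return -1;
    memcpy(dst, b->data + 4, n);
    dst[n] = '\0';
    return 0;
}

/* Model of the quoted kex_input_kexinit. CLEAR_ON_RECEIPT applies the
 * change the report proposes: buffer_clear before buffer_append. */
static int kex_input_kexinit(struct kex *kex, int mode,
                             const unsigned char *pkt, size_t dlen)
{
    if (mode == CLEAR_ON_RECEIPT) buffer_clear(&kex->peer);
    return buffer_append(&kex->peer, pkt, dlen);
}

/* Deliver two KEXINITs carrying "old-kex-alg" then "new-kex-alg". In
 * CLEAR_ON_FINISH mode the first exchange completes before the second
 * arrives, which (per Comment 1) clears kex->peer. Returns 0 on success. */
static int run_exchange(int mode, struct kex *kex)
{
    unsigned char pkt[64]; size_t n;
    memset(kex, 0, sizeof *kex);
    n = put_string(pkt, sizeof pkt, "old-kex-alg");
    if (n == 0 || kex_input_kexinit(kex, mode, pkt, n) != 0) return -1;
    if (mode == CLEAR_ON_FINISH) buffer_clear(&kex->peer);   /* kex method's clear */
    n = put_string(pkt, sizeof pkt, "new-kex-alg");
    if (n == 0 || kex_input_kexinit(kex, mode, pkt, n) != 0) return -1;
    return 0;
}

/* The proposal a front-of-buffer reader sees after the second KEXINIT. */
const char *proposal_seen(int mode)
{
    static char seen[64];
    struct kex kex;
    if (run_exchange(mode, &kex) != 0 ||
        get_first_string(&kex.peer, seen, sizeof seen) != 0) return NULL;
    return seen;
}

/* Bytes held in kex->peer after the second KEXINIT (0 on error). */
size_t peer_len_after(int mode)
{
    struct kex kex;
    return run_exchange(mode, &kex) == 0 ? kex.peer.len : 0;
}

int main(void)
{
    const char *names[] = { "never cleared", "cleared on KEX completion", "cleared on receipt" };
    for (int mode = CLEAR_NEVER; mode <= CLEAR_ON_RECEIPT; mode++) {
        const char *seen = proposal_seen(mode);
        printf("%-26s: %zu bytes in kex->peer, reader sees \"%s\"\n",
               names[mode], peer_len_after(mode), seen ? seen : "(error)");
    }
    return 0;
}
```

Built with cc -std=c99, the never-cleared policy leaves 30 bytes in the buffer and a reader parsing from the front gets "old-kex-alg", the silent reuse the report describes; the other two policies leave 15 bytes and yield "new-kex-alg". The model only shows that a clear at either point is sufficient; whether OpenSSH actually reaches the completion-time clear between every pair of KEXINITs is what Comment 1 asserts and is not something this toy decides.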
Comment 2 Damien Miller 2011-01-24 12:33:33 AEDT
Move resolved bugs to CLOSED after 5.7 release