From 445fa12da70b901a37a56779bb4179fe72156db1 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Tue, 10 Jul 2018 21:04:32 +0100
Subject: [PATCH] Fix duplicate packets in CBC mode.

Yesterday's reinstatement of ssh_free_pktout revealed - via valgrind spotting the use-after-free - that the code that prefixed sensible packets with IV-muddling SSH_MSG_IGNOREs was actually sending a second copy of the sensible packet in place of the IGNORE, due to a typo.
---
 ssh.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssh.c b/ssh.c
index dbc23c09..dd564c92 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1216,7 +1216,7 @@ static void ssh_pkt_write(Ssh ssh, PktOut *pkt)
 */
 PktOut *ipkt = ssh_bpp_new_pktout(ssh->bpp, SSH2_MSG_IGNORE);
 put_stringz(ipkt, "");
- ssh_bpp_format_packet(ssh->bpp, pkt);
+ ssh_bpp_format_packet(ssh->bpp, ipkt);
 }
 ssh_bpp_format_packet(ssh->bpp, pkt);
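Review bot: The corrected call now passes `ipkt`, but the two packet locals in this block still differ by a single letter and share the type `PktOut *`, which is exactly why the original typo got past both review and the compiler. Consider giving the IGNORE packet a visually distinct name so the two `ssh_bpp_format_packet` calls cannot be confused again: `PktOut *ignore_pkt = ssh_bpp_new_pktout(ssh->bpp, SSH2_MSG_IGNORE);`, `put_stringz(ignore_pkt, "");`, `ssh_bpp_format_packet(ssh->bpp, ignore_pkt);`. The enclosing ssh_pkt_write starts and ends outside the hunk, so whether the comment closing at `*/` already records that the IGNORE exists to perturb the CBC IV (as the commit message states) cannot be confirmed here; if it does not, a one-line comment there such as `/* Leading SSH_MSG_IGNORE so the real packet's CBC IV is unpredictable. */` would make the intent of the extra packet clear to the next reader.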