nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 01:02:24 +00:00
Code Issues Projects Releases Wiki Activity

Uppity: clear the right KEXINIT packet at kex startup!

Browse Source 
Just spotted this in eyeball review: we're about to construct our new
outgoing KEXINIT and write it into the strbuf s->outgoing_kexinit. So
we should clear that strbuf first. But in fact we were clearing
s->client_kexinit, which aliases s->outgoing_kexinit in an SSH client,
but in a server, aliases s->incoming_kexinit.

This was harmless in PuTTY (since the strbuf we cleared was the right
one anyway). And it was harmless in Uppity's initial kex (since the
strbuf we _meant_ to clear was empty anyway). But if Uppity had ever
initiated a rekey, this would have exploded messily.
This commit is contained in:
Simon Tatham 2022-09-10 10:19:03 +01:00
parent dc875ca0dc
commit 9af705352d
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ssh/transport2.c
View File

@ -1375,7 +1375,7 @@ static void ssh2_transport_process_queue(PacketProtocolLayer *ppl)
* Construct our KEXINIT packet, in a strbuf so we can refer to it * Construct our KEXINIT packet, in a strbuf so we can refer to it
* later. * later.
*/ */
strbuf_clear(s->client_kexinit); strbuf_clear(s->outgoing_kexinit);
put_byte(s->outgoing_kexinit, SSH2_MSG_KEXINIT); put_byte(s->outgoing_kexinit, SSH2_MSG_KEXINIT);
random_read(strbuf_append(s->outgoing_kexinit, 16), 16); random_read(strbuf_append(s->outgoing_kexinit, 16), 16);
ssh2_write_kexinit_lists( ssh2_write_kexinit_lists(