Check min and max sizes sent by the client against what we support before

passing them to the monitor.  ok djm@

1 files changed, 9 insertions, 9 deletions

diff --git a/usr.bin/ssh/kexgexs.c b/usr.bin/ssh/kexgexs.c
index b0740885e17..faea39a70a1 100644
--- a/usr.bin/ssh/kexgexs.c
+++ b/usr.bin/ssh/kexgexs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexs.c,v 1.27 2016/05/31 23:46:14 dtucker Exp $ */
+/* $OpenBSD: kexgexs.c,v 1.28 2016/06/01 04:19:49 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -78,21 +78,21 @@ input_kex_dh_gex_request(int type, u_int32_t seq, void *ctxt)
 	kex->nbits = nbits;
 	kex->min = min;
 	kex->max = max;
-	min = MAX(DH_GRP_MIN, min);
-	max = MIN(DH_GRP_MAX, max);
-	nbits = MAX(DH_GRP_MIN, nbits);
-	nbits = MIN(DH_GRP_MAX, nbits);
-
 	if (kex->max < kex->min || kex->nbits < kex->min ||
-	    kex->max < kex->nbits || kex->max < DH_GRP_MIN) {
+	    kex->max < kex->nbits || kex->max < DH_GRP_MIN ||
+	    kex->min > DH_GRP_MAX) {
 		r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
 		goto out;
 	}
+	kex->min = MAX(DH_GRP_MIN, kex->min);
+	kex->max = MIN(DH_GRP_MAX, kex->max);
+	kex->nbits = MAX(DH_GRP_MIN, kex->nbits);
+	kex->nbits = MIN(DH_GRP_MAX, kex->nbits);
 
 	/* Contact privileged parent */
-	kex->dh = PRIVSEP(choose_dh(min, nbits, max));
+	kex->dh = PRIVSEP(choose_dh(kex->min, kex->nbits, kex->max));
 	if (kex->dh == NULL) {
-		sshpkt_disconnect(ssh, "no matching DH grp found");
+		sshpkt_disconnect(ssh, "no matching DH group found");
 		r = SSH_ERR_ALLOC_FAIL;
 		goto out;
 	}