From 279f7f6e4cb8cc4baaf7c8f1ecc527e05d76bb28 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 1 Jun 2016 04:19:50 +0000 Subject: Check min and max sizes sent by the client against what we support before passing them to the monitor. ok djm@ --- usr.bin/ssh/kexgexs.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'usr.bin/ssh/kexgexs.c') diff --git a/usr.bin/ssh/kexgexs.c b/usr.bin/ssh/kexgexs.c index b0740885e17..faea39a70a1 100644 --- a/usr.bin/ssh/kexgexs.c +++ b/usr.bin/ssh/kexgexs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgexs.c,v 1.27 2016/05/31 23:46:14 dtucker Exp $ */ +/* $OpenBSD: kexgexs.c,v 1.28 2016/06/01 04:19:49 dtucker Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -78,21 +78,21 @@ input_kex_dh_gex_request(int type, u_int32_t seq, void *ctxt) kex->nbits = nbits; kex->min = min; kex->max = max; - min = MAX(DH_GRP_MIN, min); - max = MIN(DH_GRP_MAX, max); - nbits = MAX(DH_GRP_MIN, nbits); - nbits = MIN(DH_GRP_MAX, nbits); - if (kex->max < kex->min || kex->nbits < kex->min || - kex->max < kex->nbits || kex->max < DH_GRP_MIN) { + kex->max < kex->nbits || kex->max < DH_GRP_MIN || + kex->min > DH_GRP_MAX) { r = SSH_ERR_DH_GEX_OUT_OF_RANGE; goto out; } + kex->min = MAX(DH_GRP_MIN, kex->min); + kex->max = MIN(DH_GRP_MAX, kex->max); + kex->nbits = MAX(DH_GRP_MIN, kex->nbits); + kex->nbits = MIN(DH_GRP_MAX, kex->nbits); /* Contact privileged parent */ - kex->dh = PRIVSEP(choose_dh(min, nbits, max)); + kex->dh = PRIVSEP(choose_dh(kex->min, kex->nbits, kex->max)); if (kex->dh == NULL) { - sshpkt_disconnect(ssh, "no matching DH grp found"); + sshpkt_disconnect(ssh, "no matching DH group found"); r = SSH_ERR_ALLOC_FAIL; goto out; } -- cgit v1.2.3