From 9e55023e8bcc72117ff161015c9ce728397d2366 Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@0xbadc0de.be>
Date: Wed, 15 Apr 2015 16:08:37 +0200
Subject: [PATCH 1/2] CVE-2015-3146: Fix invalid state validation in
 SSH_MSG_NEWKEYS

The issue was found and reported by Mariusz Ziule.

Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
 src/packet_cb.c | 14 +++++++++-----
 src/server.c    |  8 +++++---
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/packet_cb.c b/src/packet_cb.c
index 17e39a4..d5041db 100644
--- a/src/packet_cb.c
+++ b/src/packet_cb.c
@@ -138,12 +138,16 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
   (void)user;
   (void)type;
   SSH_LOG(SSH_LOG_PROTOCOL, "Received SSH_MSG_NEWKEYS");
-  if(session->session_state!= SSH_SESSION_STATE_DH &&
-		session->dh_handshake_state != DH_STATE_NEWKEYS_SENT){
-	ssh_set_error(session,SSH_FATAL,"ssh_packet_newkeys called in wrong state : %d:%d",
-			session->session_state,session->dh_handshake_state);
-	goto error;
+
+  if (session->session_state != SSH_SESSION_STATE_DH ||
+      session->dh_handshake_state != DH_STATE_NEWKEYS_SENT) {
+      ssh_set_error(session,
+                    SSH_FATAL,
+                    "ssh_packet_newkeys called in wrong state : %d:%d",
+                    session->session_state,session->dh_handshake_state);
+      goto error;
   }
+
   if(session->server){
     /* server things are done in server.c */
     session->dh_handshake_state=DH_STATE_FINISHED;
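Review bot: The `goto error` on the new wrong-state branch jumps to a label outside the hunk, so it is not visible here whether that path moves the session into SSH_SESSION_STATE_ERROR the way the server.c hunk in this series does for ssh_packet_kexdh_init; if it only returns, an out-of-order NEWKEYS is reported as fatal but the session keeps its current state and may keep accepting packets. A comment above the condition would help the next reader see why both halves must hold: `/* NEWKEYS is only acceptable during the DH phase and after our own NEWKEYS has been sent; anything else is a protocol violation */`. The new body lines are indented by six spaces while the surrounding code uses two per level (see the `if(session->server)` block just below); match the file. ssh_packet_newkeys continues beyond the hunk.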
diff --git a/src/server.c b/src/server.c
index 61641a6..0114576 100644
--- a/src/server.c
+++ b/src/server.c
@@ -172,7 +172,7 @@ static int ssh_server_kexdh_init(ssh_session session, ssh_buffer packet){
 }
 
 SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
-  int rc;
+  int rc = SSH_ERROR;
   (void)type;
   (void)user;
 
@@ -209,9 +209,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
         ssh_set_error(session,SSH_FATAL,"Wrong kex type in ssh_packet_kexdh_init");
         rc = SSH_ERROR;
   }
-  if (rc == SSH_ERROR)
+
+error:
+  if (rc == SSH_ERROR) {
       session->session_state = SSH_SESSION_STATE_ERROR;
-  error:
+  }
 
   return SSH_PACKET_USED;
 }
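Review bot: Moving `error:` ahead of the `rc == SSH_ERROR` test makes every `goto error` in ssh_packet_kexdh_init depend on `rc` still holding the SSH_ERROR it is now initialised to in this file's first hunk, since the jump sites themselves lie between the two hunks and are not visible; a `goto error` taken after `rc` has been set to a success value would skip the state change. A one-line comment at the label records that invariant: `/* every goto error site leaves rc == SSH_ERROR (initialised at entry) so the session is moved to the error state */`. The function body between the two hunks is outside the patch as shown.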
-- 
2.3.5


From 5a0cc54e104741c715cae95fc6176d72323b5f02 Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@0xbadc0de.be>
Date: Wed, 15 Apr 2015 16:25:29 +0200
Subject: [PATCH 2/2] buffers: Fix a possible null pointer dereference

This is an addition to CVE-2015-3146 to fix the null pointer
dereference. The patch is not required to fix the CVE but prevents
issues in the future.

Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
 src/buffer.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/buffer.c b/src/buffer.c
index cb4b661..2e8649f 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -224,6 +224,10 @@ int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint
 {
   buffer_verify(buffer);
 
+  if (data == NULL) {
+      return -1;
+  }
+
   if (buffer->used + len < len) {
     return -1;
   }
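Review bot: The new `data == NULL` guard also rejects a zero-length append, so a caller that passes `NULL, 0` to mean "nothing to add" now gets -1 where the function previously went on to the overflow check; whether such callers exist is not visible here, and if the copy further down is a memcpy, a NULL source is undefined behaviour even for length 0, so rejecting it is defensible. Either way the choice should be recorded at the check, `/* a NULL source is a caller bug even when len == 0 */`, or relaxed to `if (data == NULL && len > 0)` if empty appends must keep working. The guard sits after `buffer_verify(buffer)`, so `buffer` itself is trusted as before. ssh_buffer_add_data's signature is cut by the hunk header and its body continues past the hunk.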
@@ -257,6 +261,10 @@ int buffer_add_ssh_string(struct ssh_buffer_struct *buffer,
     struct ssh_string_struct *string) {
   uint32_t len = 0;
 
+  if (string == NULL) {
+      return -1;
+  }
+
   len = ssh_string_len(string);
   if (ssh_buffer_add_data(buffer, string, len + sizeof(uint32_t)) < 0) {
     return -1;
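Review bot: The NULL guard covers `string`, but `len + sizeof(uint32_t)` on the following line is computed in size_t and passed to ssh_buffer_add_data, whose length parameter appears to be a 32-bit unsigned type (the earlier hunk header is cut at `uint`); if so, a string whose length is within 4 of UINT32_MAX wraps to a small count on the call, passes the `buffer->used + len < len` check inside ssh_buffer_add_data, and silently appends a truncated string. Since ssh_string_len presumably reads a length carried with the string, a guard after the length read, `if (len > UINT32_MAX - sizeof(uint32_t)) return -1;`, would close that before the add. buffer_add_ssh_string's body continues past the hunk.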
-- 
2.3.5

