[openssh-commits] [openssh] 02/08: upstream: fix client use-after-free on error path if cipher_init()

git+noreply at mindrot.org git+noreply at mindrot.org
Sun May 31 15:04:05 AEST 2026 

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 1e82d2cfcfd05ec2e4515894a92223f40839c7b8
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Sun May 31 04:24:39 2026 +0000

    upstream: fix client use-after-free on error path if cipher_init()
    
    fails; reported by Qualys Security Advisory Team, ok markus@
    
    OpenBSD-Commit-ID: a8731da0c462b2b9d11314ba505c26ee0cdada83
---
 packet.c | 7 ++++---
 ssh.c    | 5 +++--
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/packet.c b/packet.c
index 8c1d313c2..53a29e338 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.335 2026/04/13 08:18:33 job Exp $ */
+/* $OpenBSD: packet.c,v 1.336 2026/05/31 04:24:39 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -302,7 +302,7 @@ ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
 {
 	struct session_state *state;
 	const struct sshcipher *none = cipher_by_name("none");
-	int r;
+	int r, wasnull = ssh == NULL;
 
 	if (none == NULL) {
 		error_f("cannot load cipher 'none'");
@@ -323,7 +323,8 @@ ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
 	    (r = cipher_init(&state->receive_context, none,
 	    (const u_char *)"", 0, NULL, 0, CIPHER_DECRYPT)) != 0) {
 		error_fr(r, "cipher_init failed");
-		free(ssh); /* XXX need ssh_free_session_state? */
+		if (wasnull)
+			free(ssh); /* XXX need ssh_free_session_state? */
 		return NULL;
 	}
 	state->newkeys[MODE_IN] = state->newkeys[MODE_OUT] = NULL;
diff --git a/ssh.c b/ssh.c
index 531f28eb2..943e1908e 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.630 2026/04/02 07:50:55 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.631 2026/05/31 04:24:39 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1650,7 +1650,8 @@ main(int ac, char **av)
 	if (options.control_path != NULL) {
 		int sock;
 		if ((sock = muxclient(options.control_path)) >= 0) {
-			ssh_packet_set_connection(ssh, sock, sock);
+			if (ssh_packet_set_connection(ssh, sock, sock) == NULL)
+				fatal("ssh_packet_set_connection failed");
 			ssh_packet_set_mux(ssh);
 			goto skip_connect;
 		}

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list