upstream commit

Don't count the initial block twice when computing how
many bytes to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL

Upstream-ID: f445f509a4e0a7ba3b9c0dae7311cb42458dc1e2

diff --git a/packet.c b/packet.c
index 01e2d45bdaf00145253d7df63fd35907c2587ca1..2f3a2ec7075c13f6d7a1e225b6df0ee553f83835 100644 (file)
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.246 2017/02/28 06:10:08 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.247 2017/03/11 13:07:35 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1850,11 +1850,11 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
                        if (r != SSH_ERR_MAC_INVALID)
                                goto out;
                        logit("Corrupted MAC on input.");
-                       if (need > PACKET_MAX_SIZE)
+                       if (need + block_size > PACKET_MAX_SIZE)
                                return SSH_ERR_INTERNAL_ERROR;
                        return ssh_packet_start_discard(ssh, enc, mac,
                            sshbuf_len(state->incoming_packet),
-                           PACKET_MAX_SIZE - need);
+                           PACKET_MAX_SIZE - need - block_size);
                }
                /* Remove MAC from input buffer */
                DBG(debug("MAC #%d ok", state->p_read.seqnr));