From: djm@openbsd.org <djm@openbsd.org>
Date: Sun, 8 Nov 2015 21:59:11 +0000 (+0000)
Subject: upstream commit
X-Git-Tag: V_7_2_P1~125
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2fecfd486bdba9f51b3a789277bb0733ca36e1c0;p=thirdparty%2Fopenssh-portable.git

upstream commit

fix OOB read in packet code caused by missing return
 statement found by Ben Hawkes; ok markus@ deraadt@

Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
---

diff --git a/packet.c b/packet.c
index a0dbc2391..4f6433b47 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.216 2015/10/21 11:33:03 gsoares Exp $ */
+/* $OpenBSD: packet.c,v 1.217 2015/11/08 21:59:11 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1581,6 +1581,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
 			logit("Bad packet length %u.", state->packlen);
 			if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
 				return r;
+			return SSH_ERR_CONN_CORRUPT;
 		}
 		sshbuf_reset(state->incoming_packet);
 	} else if (state->packlen == 0) {