Overview

File fix-CVE-2025-26465.patch of Package openssh.37508


diff --git a/krl.c b/krl.c
index 51a2871..4ecb2c7 100644
--- a/krl.c
+++ b/krl.c
@@ -672,6 +672,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
 			break;
 		case KRL_SECTION_CERT_SERIAL_BITMAP:
 			if (rs->lo - bitmap_start > INT_MAX) {
+				r = SSH_ERR_INVALID_FORMAT;
 				error("%s: insane bitmap gap", __func__);
 				goto out;
 			}
@@ -1057,6 +1058,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp)
 		goto out;
 
 	if ((krl = ssh_krl_init()) == NULL) {
+		r = SSH_ERR_ALLOC_FAIL;
 		error("%s: alloc failed", __func__);
 		goto out;
 	}
#diff --git a/packet.c b/packet.c
#index 72803fd..fa0f7ca 100644
#--- a/packet.c
#+++ b/packet.c
#@@ -1839,6 +1839,14 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
# 			if ((r = sshpkt_get_string_direct(ssh, &d, &len)) != 0)
# 				return r;
# 			DBG(debug("Received SSH2_MSG_PING len %zu", len));
#+			if (!ssh->state->after_authentication) {
#+				DBG(debug("Won't reply to PING in preauth"));
#+				break;
#+			}
#+			if (ssh_packet_is_rekeying(ssh)) {
#+				DBG(debug("Won't reply to PING during KEX"));
#+				break;
#+			}
# 			if ((r = sshpkt_start(ssh, SSH2_MSG_PONG)) != 0 ||
# 			    (r = sshpkt_put_string(ssh, d, len)) != 0 ||
# 			    (r = sshpkt_send(ssh)) != 0)
#diff --git a/ssh-agent.c b/ssh-agent.c
#index 73276f6..607c4a0 100644
#--- a/ssh-agent.c
#+++ b/ssh-agent.c
#@@ -1207,6 +1207,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
# 	    "restrict-destination-v00@openssh.com") == 0) {
# 		if (*dcsp != NULL) {
# 			error_f("%s already set", ext_name);
#+			r = SSH_ERR_INVALID_FORMAT;
# 			goto out;
# 		}
# 		if ((r = sshbuf_froms(m, &b)) != 0) {
#@@ -1216,6 +1217,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
# 		while (sshbuf_len(b) != 0) {
# 			if (*ndcsp >= AGENT_MAX_DEST_CONSTRAINTS) {
# 				error_f("too many %s constraints", ext_name);
#+				r = SSH_ERR_INVALID_FORMAT;
# 				goto out;
# 			}
# 			*dcsp = xrecallocarray(*dcsp, *ndcsp, *ndcsp + 1,
#@@ -1233,6 +1235,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
# 		}
# 		if (*certs != NULL) {
# 			error_f("%s already set", ext_name);
#+			r = SSH_ERR_INVALID_FORMAT;
# 			goto out;
# 		}
# 		if ((r = sshbuf_get_u8(m, &v)) != 0 ||
#@@ -1244,6 +1247,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
# 		while (sshbuf_len(b) != 0) {
# 			if (*ncerts >= AGENT_MAX_EXT_CERTS) {
# 				error_f("too many %s constraints", ext_name);
#+				r = SSH_ERR_INVALID_FORMAT;
# 				goto out;
# 			}
# 			*certs = xrecallocarray(*certs, *ncerts, *ncerts + 1,
#@@ -1744,6 +1748,7 @@ process_ext_session_bind(SocketEntry *e)
# 	/* record new key/sid */
# 	if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) {
# 		error_f("too many session IDs recorded");
#+		r = -1;
# 		goto out;
# 	}
# 	e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids,
diff --git a/ssh-sk-client.c b/ssh-sk-client.c
index c00c633..27d27a2 100644
--- a/ssh-sk-client.c
+++ b/ssh-sk-client.c
#@@ -429,6 +429,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
# 		}
# 		if ((srk = calloc(1, sizeof(*srk))) == NULL) {
# 			error_f("calloc failed");
#+			r = SSH_ERR_ALLOC_FAIL;
# 			goto out;
# 		}
# 		srk->key = key;
@@ -440,6 +440,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
 		if ((tmp = recallocarray(keys, nkeys, nkeys + 1,
 		    sizeof(*keys))) == NULL) {
 			error("%s: recallocarray keys failed", __func__);
+			r = SSH_ERR_ALLOC_FAIL;
 			goto out;
 		}
 		debug("%s: keys[%zu]: %s %s", __func__,
diff --git a/sshconnect2.c b/sshconnect2.c
index 9940833..9751b68 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -94,7 +94,7 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
 static int
 verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
 {
-	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
+	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) != 0)
 		fatal("Host key verification failed.");
 	return 0;
 }
@@ -692,6 +692,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
 
 	if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
 		debug("%s: server sent unknown pkalg %s", __func__, pkalg);
+		r = SSH_ERR_INVALID_FORMAT;
 		goto done;
 	}
 	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
@@ -702,6 +703,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
 		error("input_userauth_pk_ok: type mismatch "
 		    "for decoded key (received %d, expected %d)",
 		    key->type, pktype);
+		r = SSH_ERR_INVALID_FORMAT;
 		goto done;
 	}
 
@@ -721,6 +723,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
 		    SSH_FP_DEFAULT);
 		error("%s: server replied with unknown key: %s %s", __func__,
 		    sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
+		r = SSH_ERR_INVALID_FORMAT;
 		goto done;
 	}
 	ident = format_identity(id);
diff --git a/sshsig.c b/sshsig.c
index 72bbf73..a88e939 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -877,6 +877,7 @@ cert_filter_principals(const char *path, u_long linenum,
 	}
 	if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
 		error("%s: buffer error", __func__);
+		r = SSH_ERR_ALLOC_FAIL;
 		goto out;
 	}
 	/* success */
openSUSE Build Service is sponsored by
Places