File openssh-7.2p2-out_of_seq_newkeys.patch of Package openssh.8445

# HG changeset patch
# Parent  1330feee0866ef695507f4ed46ad0d34dea185e7
CVE-2016-10708
bsc#1076957 

sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of
service (NULL pointer dereference and daemon crash) via an out-of-sequence
NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.

upstream commit 28652bca29046f62c7045e933e6b931de1d16737

diff --git a/openssh-7.2p2/kex.c b/openssh-7.2p2/kex.c
--- a/openssh-7.2p2/kex.c
+++ b/openssh-7.2p2/kex.c
@@ -473,16 +473,18 @@ kex_input_newkeys(int type, u_int32_t se
 	struct ssh *ssh = ctxt;
 	struct kex *kex = ssh->kex;
 	int r;
 
 	debug("SSH2_MSG_NEWKEYS received");
 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
 	if ((r = sshpkt_get_end(ssh)) != 0)
 		return r;
+	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
+		return r;
 	kex->done = 1;
 	sshbuf_reset(kex->peer);
 	/* sshbuf_reset(kex->my); */
 	kex->flags &= ~KEX_INIT_SENT;
 	free(kex->name);
 	kex->name = NULL;
 	return 0;
 }
diff --git a/openssh-7.2p2/packet.c b/openssh-7.2p2/packet.c
--- a/openssh-7.2p2/packet.c
+++ b/openssh-7.2p2/packet.c
@@ -1793,19 +1793,17 @@ ssh_packet_read_poll2(struct ssh *ssh, u
 		debug3("receive packet: type %u", *typep);
 	if (*typep < SSH2_MSG_MIN || *typep >= SSH2_MSG_LOCAL_MIN) {
 		if ((r = sshpkt_disconnect(ssh,
 		    "Invalid ssh2 packet type: %d", *typep)) != 0 ||
 		    (r = ssh_packet_write_wait(ssh)) != 0)
 			return r;
 		return SSH_ERR_PROTOCOL_ERROR;
 	}
-	if (*typep == SSH2_MSG_NEWKEYS)
-		r = ssh_set_newkeys(ssh, MODE_IN);
-	else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
+	if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
 		r = ssh_packet_enable_delayed_compress(ssh);
 	else
 		r = 0;
 #ifdef PACKET_DEBUG
 	fprintf(stderr, "read/plain[%d]:\r\n", *typep);
 	sshbuf_dump(state->incoming_packet, stderr);
 #endif
 	/* reset for next packet */