From 77ef6379a5209c0ff9d30c8ff8f376910d522a44 Mon Sep 17 00:00:00 2001
From: Nuhiat-Arefin <nuhiatarefin@gmail.com>
Date: Wed, 15 Apr 2026 22:52:45 +0600
Subject: [PATCH] config: reject too small RekeyLimit values

OpenSSH rejects non zero RekeyLimit data values below 16 bytes. Match that behavior in libssh.

Signed-off-by: Nuhiat-Arefin <nuhiatarefin@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Merge-Request: <https://gitlab.com/libssh/libssh-mirror/-/merge_requests/815>
---
 src/config.c                     |  1 +
 tests/unittests/torture_config.c | 36 ++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)

diff --git a/src/config.c b/src/config.c
index 84681bd3..8f21d1b7 100644
--- a/src/config.c
+++ b/src/config.c
@@ -1672,6 +1672,7 @@ static int ssh_config_parse_line_internal(ssh_session session,
             }
         }
         CHECK_COND_OR_FAIL(ll < 0, "Invalid data limit");
+        CHECK_COND_OR_FAIL(ll > 0 && ll < 16, "RekeyLimit too small");
         if (*parsing) {
             uint64_t v = (uint64_t)ll;
             ssh_options_set(session, SSH_OPTIONS_REKEY_DATA, &v);
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
index 09af7a46..43494da6 100644
--- a/tests/unittests/torture_config.c
+++ b/tests/unittests/torture_config.c
@@ -2225,6 +2225,9 @@ static void torture_config_rekey(void **state,
                                  const char *file, const char *string)
 {
     ssh_session session = *state;
+    const char *config = NULL;
+    const uint64_t previous_rekey_data = 64;
+    const int previous_rekey_time_ms = 42 * 60 * 1000;
 
     /* Default values */
     ssh_options_set(session, SSH_OPTIONS_HOST, "default");
@@ -2289,6 +2292,39 @@ static void torture_config_rekey(void **state,
     assert_int_equal(session->opts.rekey_data, 0);
     assert_int_equal(session->opts.rekey_time, 9600 * 1000);
 
+    config = "Host data-too-small\n"
+             "\tRekeyLimit 1 1h\n";
+    if (file != NULL) {
+        torture_write_file(file, config);
+    } else {
+        string = config;
+    }
+
+    torture_reset_config(session);
+    /* Invalid RekeyLimit values should leave the previous settings untouched.
+     */
+    session->opts.rekey_data = previous_rekey_data;
+    session->opts.rekey_time = previous_rekey_time_ms;
+    ssh_options_set(session, SSH_OPTIONS_HOST, "data-too-small");
+    _parse_config(session, file, string, SSH_OK);
+    assert_int_equal(session->opts.rekey_data, previous_rekey_data);
+    assert_int_equal(session->opts.rekey_time, previous_rekey_time_ms);
+
+    config = "Host data-under-minimum\n"
+             "\tRekeyLimit 15 none\n";
+    if (file != NULL) {
+        torture_write_file(file, config);
+    } else {
+        string = config;
+    }
+
+    torture_reset_config(session);
+    session->opts.rekey_data = 128;
+    session->opts.rekey_time = 21 * 60 * 1000;
+    ssh_options_set(session, SSH_OPTIONS_HOST, "data-under-minimum");
+    _parse_config(session, file, string, SSH_OK);
+    assert_int_equal(session->opts.rekey_data, 128);
+    assert_int_equal(session->opts.rekey_time, 21 * 60 * 1000);
 }
 
 /**