From e5ff7aa410c23954a2963b52e7b721a2d41536f3 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki
Date: Wed, 19 Sep 2018 14:37:40 +0200
Subject: [PATCH] CVE-2018-10933: Check channel state when OPEN_FAILURE arrives

When a SSH2_MSG_OPEN_FAILURE arrives, the channel state is checked to be in SSH_CHANNEL_STATE_OPENING.

Fixes T101

Signed-off-by: Anderson Toshiyuki Sasaki
---
 src/channels.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/channels.c b/src/channels.c
index d5d36af5..538956dd 100644
--- a/src/channels.c
+++ b/src/channels.c
@@ -219,6 +219,14 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){
 return SSH_PACKET_USED;
 }

+ if (channel->state != SSH_CHANNEL_STATE_OPENING) {
+ SSH_LOG(SSH_LOG_RARE,
+ "SSH2_MSG_CHANNEL_OPEN_FAILURE received in incorrect channel "
+ "state %d",
+ channel->state);
+ goto error;
+ }
+
 ssh_set_error(session, SSH_REQUEST_DENIED,
 "Channel opening failure: channel %u error (%lu) %s",
 channel->local_channel,
@@ -226,6 +234,9 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){
 error);
 SAFE_FREE(error);
 channel->state=SSH_CHANNEL_STATE_OPEN_DENIED;
+
+error:
+ ssh_set_error(session, SSH_FATAL, "Invalid packet");
 return SSH_PACKET_USED;
 }
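Review bot: The `goto error;` added in the first hunk (`@@ -219,6 +219,14 @@`) jumps past the `SAFE_FREE(error);` that the second hunk shows on the normal path. The allocation of `error` is above the hunk and not visible here, but the later free and its use as a `%s` argument suggest it is already heap-allocated at this point. If so, every OPEN_FAILURE rejected for wrong channel state leaks that string, and the remote peer decides how often that happens. Release it on the rejection path by putting `SAFE_FREE(error);` immediately before `goto error;`. The new label also shares its name with the local variable `error`, which is legal C but easy to misread next to `SAFE_FREE(error)`; a distinct label name would be clearer.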
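Review bot: In the second hunk (`@@ -226,6 +234,9 @@`) the legitimate path falls through into the new `error:` label, because nothing returns after `channel->state=SSH_CHANNEL_STATE_OPEN_DENIED;`. As a result `ssh_set_error(session, SSH_FATAL, "Invalid packet");` also runs for a valid OPEN_FAILURE received in the OPENING state and replaces the `SSH_REQUEST_DENIED` message set just above. Callers that distinguish a refused channel from a fatal protocol error would then see every refusal reported as fatal. Add `return SSH_PACKET_USED;` directly after the state assignment, before the blank line that precedes `error:`, so the label is reachable only through the `goto`.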