Don't count the initial block twice when computing how many bytes

to discard for the work around for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL

1 files changed, 3 insertions, 3 deletions

diff --git a/usr.bin/ssh/packet.c b/usr.bin/ssh/packet.c
index 4b87a808878..f9b02fca09b 100644
--- a/usr.bin/ssh/packet.c
+++ b/usr.bin/ssh/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.246 2017/02/28 06:10:08 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.247 2017/03/11 13:07:35 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1838,11 +1838,11 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
 			if (r != SSH_ERR_MAC_INVALID)
 				goto out;
 			logit("Corrupted MAC on input.");
-			if (need > PACKET_MAX_SIZE)
+			if (need + block_size > PACKET_MAX_SIZE)
 				return SSH_ERR_INTERNAL_ERROR;
 			return ssh_packet_start_discard(ssh, enc, mac,
 			    sshbuf_len(state->incoming_packet),
-			    PACKET_MAX_SIZE - need);
+			    PACKET_MAX_SIZE - need - block_size);
 		}
 		/* Remove MAC from input buffer */
 		DBG(debug("MAC #%d ok", state->p_read.seqnr));