author | 2016-09-19 19:02:19 +0000 | |
---|---|---|
committer | 2016-09-19 19:02:19 +0000 | |
commit | fc94e8f550c610d1432753176563f599c361eb73 (patch) | |
tree | 4ab6a54f045b7ea12554ca7a9d5f217638cd38b5 | |
parent | Add OpenBSD RCS id. (diff) | |
move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes
NULL deref; found by Robert Swiecki/honggfuzz; fixed with & ok djm@
-rw-r--r-- | usr.bin/ssh/kex.c | 4 | ||||
-rw-r--r-- | usr.bin/ssh/packet.c | 6 |
2 files changed, 5 insertions, 5 deletions
diff --git a/usr.bin/ssh/kex.c b/usr.bin/ssh/kex.c
index f60711cf9fb..2298edb73e8 100644
--- a/usr.bin/ssh/kex.c
+++ b/usr.bin/ssh/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.121 2016/09/12 23:31:27 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.122 2016/09/19 19:02:19 markus Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
 *
@@ -405,6 +405,8 @@ kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
 ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
 if ((r = sshpkt_get_end(ssh)) != 0)
 return r;
+ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
+ return r;
 kex->done = 1;
 sshbuf_reset(kex->peer);
 /* sshbuf_reset(kex->my); */
diff --git a/usr.bin/ssh/packet.c b/usr.bin/ssh/packet.c
index 612317e2438..9c340f5620e 100644
--- a/usr.bin/ssh/packet.c
+++ b/usr.bin/ssh/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.237 2016/09/12 01:22:38 deraadt Exp $ */
+/* $OpenBSD: packet.c,v 1.238 2016/09/19 19:02:19 markus Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1895,9 +1895,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
 return r;
 return SSH_ERR_PROTOCOL_ERROR;
 }
- if (*typep == SSH2_MSG_NEWKEYS)
- r = ssh_set_newkeys(ssh, MODE_IN);
- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
+ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
 r = ssh_packet_enable_delayed_compress(ssh);
 else
 r = 0; |
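Review bot: The added `ssh_set_newkeys(ssh, MODE_IN)` call in kex_input_newkeys has no comment saying why the inbound key switch belongs in the kex handler, and that placement is the entire fix. The commit message says an early NEWKEYS previously reached the key switch and caused a NULL dereference. Here the call runs only when the dispatcher has this handler registered for SSH2_MSG_NEWKEYS, and that registration is presumably tied to kex progress elsewhere in kex.c (not visible in this hunk). I would put above the call: `/* Switch inbound keys here rather than in the packet layer, so the switch only happens when the kex state machine expects NEWKEYS. */`. The function starts and ends outside the hunk, so the error path that returns before `kex->done = 1` cannot be fully assessed from here.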
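Review bot: With the SSH2_MSG_NEWKEYS branch removed from ssh_packet_read_poll2, inbound keys are now switched only when the dispatcher later runs kex_input_newkeys, and nothing at this site records that ordering assumption. Any path that reads another packet between poll2 returning NEWKEYS and the handler running would still process it under the old keys; whether such a path exists cannot be determined from this hunk. I would leave a marker where the branch used to be: `/* SSH2_MSG_NEWKEYS: inbound keys are switched by kex_input_newkeys() at dispatch time, not here. */`. As defence in depth, ssh_set_newkeys() (body not shown) would ideally return an error instead of dereferencing when no pending key set exists, so that a future caller cannot reintroduce the crash. The enclosing function starts and ends outside the hunk.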