From c67b05b269d24d6a60a1843f49bb0242461cf4b0 Mon Sep 17 00:00:00 2001
From: Peter Wagner <tripolar@gmx.at>
Date: Mon, 3 Oct 2016 21:38:15 +0200
Subject: [PATCH] openssh: move inbound NEWKEYS handling to kex layer;
 otherwise early NEWKEYS causes NULL deref

see: https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737

Signed-off-by: Peter Wagner <tripolar@gmx.at>
---
 net/openssh/Makefile                          |  2 +-
 ...00-openssh-7.3_p1-NEWKEYS_null_deref.patch | 27 +++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 net/openssh/patches/100-openssh-7.3_p1-NEWKEYS_null_deref.patch

diff --git a/net/openssh/Makefile b/net/openssh/Makefile
index 3134e9290..10eb434f5 100644
--- a/net/openssh/Makefile
+++ b/net/openssh/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssh
 PKG_VERSION:=7.3p1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
diff --git a/net/openssh/patches/100-openssh-7.3_p1-NEWKEYS_null_deref.patch b/net/openssh/patches/100-openssh-7.3_p1-NEWKEYS_null_deref.patch
new file mode 100644
index 000000000..27e99b2fb
--- /dev/null
+++ b/net/openssh/patches/100-openssh-7.3_p1-NEWKEYS_null_deref.patch
@@ -0,0 +1,27 @@
+Backport of
+https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737
+
+--- openssh-7.3p1/kex.c
++++ openssh-7.3p1/kex.c
+@@ -419,6 +419,8 @@
+ 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
+ 	if ((r = sshpkt_get_end(ssh)) != 0)
+ 		return r;
++	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
++		return r;
+ 	kex->done = 1;
+ 	sshbuf_reset(kex->peer);
+ 	/* sshbuf_reset(kex->my); */
+--- openssh-7.3p1/packet.c
++++ openssh-7.3p1/packet.c
+@@ -1919,9 +1919,7 @@
+ 			return r;
+ 		return SSH_ERR_PROTOCOL_ERROR;
+ 	}
+-	if (*typep == SSH2_MSG_NEWKEYS)
+-		r = ssh_set_newkeys(ssh, MODE_IN);
+-	else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
++	if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
+ 		r = ssh_packet_enable_delayed_compress(ssh);
+ 	else
+ 		r = 0;
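Review bot: The header of the new patch file (the two lines above `--- openssh-7.3p1/kex.c`) gives only a URL, so anyone auditing net/openssh/patches cannot tell what is being fixed, or when the patch can be dropped, without following the link. I would add a short description under the URL, e.g. `Move inbound NEWKEYS handling to the kex layer; an early NEWKEYS from the peer otherwise causes a NULL dereference.` followed by `Drop when PKG_VERSION moves to a release that contains this upstream commit.` It would also help to state whether the two hunks are taken unmodified from upstream. The nested hunk headers carry no function context, and the enclosing functions in kex.c and packet.c start and end outside the lines shown, so the backport cannot be checked against the original from this page alone.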