diff -Naur -x '*~' -x '*.orig' -x '*.rej' openssh-7.5p1/auth2-gss.c openssh-7.5p1-CVE-2018-15473/auth2-gss.c --- openssh-7.5p1/auth2-gss.c 2018-08-22 19:17:35.750907742 +0200 +++ openssh-7.5p1-CVE-2018-15473/auth2-gss.c 2018-08-22 19:18:29.481548784 +0200 @@ -103,9 +103,6 @@ u_int len; u_char *doid = NULL; - if (!authctxt->valid || authctxt->user == NULL) - return (0); - mechs = packet_get_int(); if (mechs == 0) { debug("Mechanism negotiation is not supported"); @@ -136,6 +133,12 @@ return (0); } + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", __func__); + free(doid); + return (0); + } + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { if (ctxt != NULL) ssh_gssapi_delete_ctx(&ctxt); diff -Naur -x '*~' -x '*.orig' -x '*.rej' openssh-7.5p1/auth2-hostbased.c openssh-7.5p1-CVE-2018-15473/auth2-hostbased.c --- openssh-7.5p1/auth2-hostbased.c 2018-08-22 19:17:35.751907735 +0200 +++ openssh-7.5p1-CVE-2018-15473/auth2-hostbased.c 2018-08-22 19:18:45.138444637 +0200 @@ -66,10 +66,6 @@ int pktype; int authenticated = 0; - if (!authctxt->valid) { - debug2("userauth_hostbased: disabled because of invalid user"); - return 0; - } pkalg = packet_get_string(&alen); pkblob = packet_get_string(&blen); chost = packet_get_string(NULL); @@ -115,6 +111,11 @@ goto done; } + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", __func__); + goto done; + } + service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : authctxt->service; buffer_init(&b); diff -Naur -x '*~' -x '*.orig' -x '*.rej' openssh-7.5p1/auth2-pubkey.c openssh-7.5p1-CVE-2018-15473/auth2-pubkey.c --- openssh-7.5p1/auth2-pubkey.c 2018-08-22 19:17:35.751907735 +0200 +++ openssh-7.5p1-CVE-2018-15473/auth2-pubkey.c 2018-08-22 19:20:31.232742225 +0200 @@ -79,16 +79,12 @@ { Buffer b; Key *key = NULL; - char *pkalg, *userstyle, *pubkey, *fp = NULL; - u_char *pkblob, *sig; + char *pkalg = NULL, *userstyle = NULL, *pubkey = NULL, *fp = NULL; + u_char *pkblob = NULL, *sig = NULL; u_int alen, blen, slen; int have_sig, pktype; int authenticated = 0; - if (!authctxt->valid) { - debug2("%s: disabled because of invalid user", __func__); - return 0; - } have_sig = packet_get_char(); if (datafellows & SSH_BUG_PKAUTH) { debug2("%s: SSH_BUG_PKAUTH", __func__); @@ -149,6 +145,12 @@ } else { buffer_put_string(&b, session_id2, session_id2_len); } + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", + __func__); + buffer_free(&b); + goto done; + } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); xasprintf(&userstyle, "%s%s%s", authctxt->user, @@ -188,12 +190,16 @@ free(pubkey); } buffer_free(&b); - free(sig); } else { debug("%s: test whether pkalg/pkblob are acceptable for %s %s", __func__, sshkey_type(key), fp); packet_check_eom(); + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", + __func__); + goto done; + } /* XXX fake reply and always send PK_OK ? */ /* * XXX this allows testing whether a user is allowed @@ -220,6 +226,7 @@ free(pkalg); free(pkblob); free(fp); + free(sig); return authenticated; }