ssh_pkt_defersend: don't call do_ssh2_transport when using SSH-1.
authorBen Harris <bjh21@bjh21.me.uk>
Sun, 1 May 2016 17:16:22 +0000 (19:16 +0200)
committerBen Harris <bjh21@bjh21.me.uk>
Sun, 1 May 2016 17:16:22 +0000 (19:16 +0200)
Also add an assertion to do_ssh2_transport to catch this.

This bug would be highly unlikely to manifest accidentally, but I
think you could trigger it by setting the data-based rekey threshold
very low.

ssh.c

diff --git a/ssh.c b/ssh.c
index 4fbc01c023be435673f1fb58d34e9bc4f7225e09..ba5fed84d8b86a64a79b5beae10d1a0720a3a089 100644 (file)
--- a/ssh.c
+++ b/ssh.c
@@ -2521,13 +2521,15 @@ static void ssh_pkt_defersend(Ssh ssh)
     if (backlog > SSH_MAX_BACKLOG)
        ssh_throttle_all(ssh, 1, backlog);
 
-    ssh->outgoing_data_size += ssh->deferred_data_size;
-    if (!ssh->kex_in_progress &&
-        !ssh->bare_connection &&
-       ssh->max_data_size != 0 &&
-       ssh->outgoing_data_size > ssh->max_data_size)
-       do_ssh2_transport(ssh, "too much data sent", -1, NULL);
-    ssh->deferred_data_size = 0;
+    if (ssh->version == 2) {
+       ssh->outgoing_data_size += ssh->deferred_data_size;
+       ssh->deferred_data_size = 0;
+       if (!ssh->kex_in_progress &&
+           !ssh->bare_connection &&
+           ssh->max_data_size != 0 &&
+           ssh->outgoing_data_size > ssh->max_data_size)
+           do_ssh2_transport(ssh, "too much data sent", -1, NULL);
+    }
 }
 
 /*
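Review bot: Moving `ssh->deferred_data_size = 0;` inside the `if (ssh->version == 2)` block means the counter is no longer cleared on the SSH-1 path. That is harmless only if nothing accumulates it for SSH-1, which this hunk does not show. Either keep the reset unconditional after the block, or, once that has been confirmed, add a comment such as `/* Data-volume rekeying is SSH-2 only; deferred_data_size is not accumulated for SSH-1 */` so the assumption is explicit. This version check is also the real guard, because the `assert(ssh->version == 2)` added in do_ssh2_transport would be compiled out in any build that defines NDEBUG. ssh_pkt_defersend begins before this hunk, so the rest of its body is not visible here.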
@@ -6332,6 +6334,7 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen,
     crState(do_ssh2_transport_state);
 
     assert(!ssh->bare_connection);
+    assert(ssh->version == 2);
 
     crBeginState;