Fix an SSH-breaking bug from the fuzzing merge.
authorSimon Tatham <anakin@pobox.com>
Sat, 7 Nov 2015 20:15:24 +0000 (20:15 +0000)
committerSimon Tatham <anakin@pobox.com>
Sat, 7 Nov 2015 20:15:24 +0000 (20:15 +0000)
When we set ssh->sc{cipher,mac} to s->sc{cipher,mac}_tobe
conditionally, we should be conditionalising on the values we're
_reading_, not the ones we're about to overwrite.

Thanks to Colin Harrison for this patch.

ssh.c

diff --git a/ssh.c b/ssh.c
index cc503029eaf633b61f37365996291546fb1d8122..01c261a2e2acd5cdea4fe689e2fc40ed4f4268e6 100644 (file)
--- a/ssh.c
+++ b/ssh.c
@@ -7312,14 +7312,14 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen,
      */
     if (ssh->sc_cipher_ctx)
        ssh->sccipher->free_context(ssh->sc_cipher_ctx);
-    if (ssh->sccipher) {
+    if (s->sccipher_tobe) {
        ssh->sccipher = s->sccipher_tobe;
        ssh->sc_cipher_ctx = ssh->sccipher->make_context();
     }
 
     if (ssh->sc_mac_ctx)
        ssh->scmac->free_context(ssh->sc_mac_ctx);
-    if (ssh->scmac) {
+    if (s->scmac_tobe) {
        ssh->scmac = s->scmac_tobe;
        ssh->scmac_etm = s->scmac_etm_tobe;
        ssh->sc_mac_ctx = ssh->scmac->make_context(ssh->sc_cipher_ctx);
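Review bot: On the new side, when `s->sccipher_tobe` is NULL the context freed at the top of the hunk stays referenced: `ssh->sc_cipher_ctx` still holds the freed pointer and `ssh->sccipher` still names the old cipher, so a later pass through this code would call `free_context` on it a second time, and the MAC branch below would hand that dangling context to `make_context`. The same applies to `ssh->sc_mac_ctx` when `s->scmac_tobe` is NULL. Whether a NULL `_tobe` value is actually reachable here is not visible in the hunk, but the new conditions are written on the assumption that it is, so each free should also clear the pointer: `ssh->sc_cipher_ctx = NULL;` after the cipher `free_context`, and `ssh->sc_mac_ctx = NULL;` after the MAC one. The enclosing `do_ssh2_transport` and the final `if (s->scmac_tobe)` block continue outside the hunk.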