From b003e5cf534235f89f4de34c8d7b61baef7fe8ea Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Sat, 7 Nov 2015 20:15:24 +0000
Subject: [PATCH] Fix an SSH-breaking bug from the fuzzing merge.

When we set ssh->sc{cipher,mac} to s->sc{cipher,mac}_tobe conditionally, we should be conditionalising on the values we're _reading_, not the ones we're about to overwrite.

Thanks to Colin Harrison for this patch.
---
 ssh.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ssh.c b/ssh.c
index cc503029..01c261a2 100644
--- a/ssh.c
+++ b/ssh.c
@@ -7312,14 +7312,14 @@ static void do_ssh2_transport(Ssh ssh, const void *vin, int inlen,
      */
     if (ssh->sc_cipher_ctx)
         ssh->sccipher->free_context(ssh->sc_cipher_ctx);
-    if (ssh->sccipher) {
+    if (s->sccipher_tobe) {
         ssh->sccipher = s->sccipher_tobe;
         ssh->sc_cipher_ctx = ssh->sccipher->make_context();
     }
     if (ssh->sc_mac_ctx)
         ssh->scmac->free_context(ssh->sc_mac_ctx);
-    if (ssh->scmac) {
+    if (s->scmac_tobe) {
         ssh->scmac = s->scmac_tobe;
         ssh->scmac_etm = s->scmac_etm_tobe;
         ssh->sc_mac_ctx = ssh->scmac->make_context(ssh->sc_cipher_ctx);
-- 
2.45.2
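Review bot: The new guards `if (s->sccipher_tobe)` and `if (s->scmac_tobe)` leave `ssh->sc_cipher_ctx` and `ssh->sc_mac_ctx` dangling whenever the guarded branch is skipped, because the preceding `free_context` calls run unconditionally but nothing clears the freed pointer. On the next rekey (or teardown) the same `if (ssh->sc_cipher_ctx)` test would then pass the stale pointer to `free_context` again, and if only the cipher branch is skipped the freed `ssh->sc_cipher_ctx` is handed straight to `ssh->scmac->make_context(...)` a few lines below. Since the code evidently treats a NULL `_tobe` value as possible, I would null the pointers at the point of release: `ssh->sc_cipher_ctx = NULL;` after its `free_context`, and `ssh->sc_mac_ctx = NULL;` after the MAC's, bracing each `if` to hold both statements. If the `_tobe` fields are in practice always set once key exchange has completed, a comment saying so would also be worth adding, but I cannot confirm that from this hunk. `do_ssh2_transport` starts and ends outside the hunk.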