From: Damien Miller Subject: GHPR689: check sshd privsep cipher state To: tech@openbsd.org Cc: openssh@openssh.com Date: Mon, 29 Jun 2026 16:44:05 +1000 Hi, This adds a defence-in-depth check to the sshd privsep state parsing that more strictly validates the received cipher key and IV lengths. These are already checked for sufficient size later in cipher_init() but checking earlier and being more strict doesn't hurt. ok? diff --git a/packet.c b/packet.c index 29e6b71..fc0d4f9 100644 --- a/packet.c +++ b/packet.c @@ -2526,6 +2526,11 @@ newkeys_from_blob(struct sshbuf *m, struct ssh *ssh, int mode) r = SSH_ERR_INVALID_FORMAT; goto out; } + if (keylen != cipher_keylen(enc->cipher) || + ivlen != cipher_ivlen(enc->cipher)) { + r = SSH_ERR_INVALID_FORMAT; + goto out; + } if (cipher_authlen(enc->cipher) == 0) { if ((r = sshbuf_get_cstring(b, &mac->name, NULL)) != 0) goto out;
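Review bot: the added check in newkeys_from_blob() compares with strict equality (`keylen != cipher_keylen(enc->cipher)`, `ivlen != cipher_ivlen(enc->cipher)`) but has no comment saying why. A one-line comment noting that this is a defence-in-depth check ahead of the size checks in cipher_init() would keep a later reader from relaxing or removing it as redundant. Because equality is stricter than the "sufficient size" test the message describes, it is also worth confirming that the side that serialises this state always writes exactly cipher_keylen() and cipher_ivlen() bytes for every cipher, including those where cipher_authlen() is non-zero, so that valid privsep state is never rejected with SSH_ERR_INVALID_FORMAT.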