From 642a1c3843c9c824a6fbcee4d340d711bc049aa9 Mon Sep 17 00:00:00 2001
From: Xin LI <delphij@FreeBSD.org>
Date: Wed, 2 Nov 2016 06:43:20 +0000
Subject: [PATCH] Apply upstream fix for CVE-2016-8858:

  Unregister the KEXINIT handler after message has been received.
  Otherwise an unauthenticated peer can repeat the KEXINIT and cause
  allocation of up to 128MB -- until the connection is closed.
  Reported by shilei-c at 360.cn

Obtained from:	OpenBSD
---
 kex.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kex.c b/kex.c
index d371f47c48d..9c9f56228ea 100644
--- a/kex.c
+++ b/kex.c
@@ -468,6 +468,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
 	if (kex == NULL)
 		return SSH_ERR_INVALID_ARGUMENT;
 
+	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
 	ptr = sshpkt_ptr(ssh, &dlen);
 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
 		return r;