CVE-2023-25136

An unauthenticated remote attacker can trigger the double-free by connecting to an OpenSSH 9.1 server with a default configuration and presenting a client banner that causes the server to set both the `SSH_BUG_CURVE25519PAD` and `SSH_OLD_DHGEX` compatibility flags [ref_id=1]. During key exchange, `compat_kex_proposal()` processes the proposal string through `match_filter_denylist()` twice; the first call reassigns the local pointer `p` to newly allocated memory, the second call reassigns `p` again, and then `free(cp)` frees the old allocation while the function returns the dangling pointer `p` [ref_id=2][ref_id=3]. This double-free can crash the forked sshd worker process (denial of service) and, according to third-party research, may be leveraged for limited remote code execution when memory protections such as ASLR and NX are disabled [ref_id=1].

The vulnerability resides in `compat.c` within the `compat_kex_proposal()` function. The function is responsible for filtering the key-exchange algorithm proposal string based on compatibility flags. The flawed logic occurs when both `SSH_BUG_CURVE25519PAD` and `SSH_OLD_DHGEX` flags are set, causing the pointer `p` to be reassigned by `match_filter_denylist()` and then freed via `free(cp)`, while the function ultimately returns the already-freed pointer `p` [ref_id=2][ref_id=3].

The patch in commit 486c4dc3 (and the OpenBSD errata 017) restructures `compat_kex_proposal()` to use a separate pointer `cp2` for the second `match_filter_denylist()` call, ensuring that the pointer returned is always the last valid allocated string [ref_id=2][ref_id=3]. Specifically, the first filter result is stored in `cp`, the second filter result is stored in `cp2`, and `cp` is freed only after `cp2` has been assigned; the function then returns `cp` (which now points to `cp2`'s allocation) instead of the dangling `p` [ref_id=3]. This eliminates the double-free by guaranteeing that no pointer is freed while still being referenced as the return value.