From 10762ffaa9fede4c947e62d3483d76201d93433b Mon Sep 17 00:00:00 2001
From: djm <djm@openbsd.org>
Date: Fri, 22 May 2015 04:45:52 +0000
Subject: [PATCH] Reorder EscapeChar option parsing to avoid a single-byte out-
 of-bounds read. bz#2396 from Jaak Ristioja; ok dtucker@

---
 usr.bin/ssh/readconf.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index d5790725bc2..0d41d78e6f0 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.235 2015/05/04 06:10:48 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.236 2015/05/22 04:45:52 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1224,13 +1224,13 @@ parse_int:
 		arg = strdelim(&s);
 		if (!arg || *arg == '\0')
 			fatal("%.200s line %d: Missing argument.", filename, linenum);
-		if (arg[0] == '^' && arg[2] == 0 &&
+		if (strcmp(arg, "none") == 0)
+			value = SSH_ESCAPECHAR_NONE;
+		else if (arg[1] == '\0')
+			value = (u_char) arg[0];
+		else if (arg[0] == '^' && arg[2] == 0 &&
 		    (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
 			value = (u_char) arg[1] & 31;
-		else if (strlen(arg) == 1)
-			value = (u_char) arg[0];
-		else if (strcmp(arg, "none") == 0)
-			value = SSH_ESCAPECHAR_NONE;
 		else {
 			fatal("%.200s line %d: Bad escape character.",
 			    filename, linenum);
-- 
2.20.1