Posted to dev@mina.apache.org by "Goldstein Lyor (JIRA)" <ji...@apache.org> on 2016/09/16 13:51:20 UTC
[jira] [Commented] (SSHD-699) Server receiving 0-length SSH_MSG_IGNORE causes Buffer Underflow exception
[ https://issues.apache.org/jira/browse/SSHD-699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15496387#comment-15496387 ]
Goldstein Lyor commented on SSHD-699:
-------------------------------------
This is not entirely correct - according to [RFC 4253 - section 11.2|https://tools.ietf.org/html/rfc4253#section-11.2] the structure of an {{SSH_MSG_IGNORE}} is as follows:
{quote}
11.2. Ignored Data Message
byte SSH_MSG_IGNORE
string data
{quote}
The _data_ field is a _string_ which means that even if it is *empty* then it must have a zero length as described in [RFC 4251 section 5|https://tools.ietf.org/html/rfc4251#section-5]:
{quote}
string
Arbitrary length binary string. Strings are allowed to contain
arbitrary binary data, including null characters and 8-bit
characters. They are stored as a uint32 containing its length
(number of bytes that follow) and zero (= empty string) or more
bytes that are the value of the string. Terminating null
characters are not used.
{quote}
What is termed "regression" in this case is actually a misnomer - an SSH_MSG_IGNORE as described in the test case is therefore *illegal* and should cause a problem. The same can be said for *any* malformed message - it is way too much to demand that the code deal with all possible ways in which a message can be malformed. The previous code was therefore *wrong* in ignoring such messages (as it would be wrong to ignore any other malformed one).
Specifically for {{SSH_MSG_IGNORE}} and {{SSH_MSG_DEBUG}}, though, perhaps the code should be more tolerant and ignore malformed messages. So I will do a fix along these lines - but *only* along these lines.
> Server receiving 0-length SSH_MSG_IGNORE causes Buffer Underflow exception
> --------------------------------------------------------------------------
>
> Key: SSHD-699
> URL: https://issues.apache.org/jira/browse/SSHD-699
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 1.2.0
> Reporter: Johan Östling
>
> Trying to establish the length of a message with only a header byte will cause a buffer underflow exception. I noticed it on SSH_MSG_IGNORE, but it is probably general to all messages.
> Reproducible with unit test:
> {code:title=AbstractSessionTest.java|borderStyle=solid}
> @Test
> public void testZeroLengthIgnoreMessage() throws Exception {
>     Buffer msg = session.createBuffer(SshConstants.SSH_MSG_IGNORE, Byte.SIZE);
>     session.handleIgnore(msg);
> }
> {code}
> This is a regression since 0.14.0, which did not have this problem.
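The distinction discussed in this thread, between a legal empty {{SSH_MSG_IGNORE}} (opcode plus a zero uint32 length) and a message consisting of the opcode alone, shown as an added example that is not MINA SSHD code and not part of the original message. It uses only {{java.nio.ByteBuffer}}; the class and method names ({{SshIgnoreDemo}}, {{readString}}, {{handleIgnore}}, {{afterOpcode}}) are hypothetical and the sample packets are constructed.

```java
import java.nio.ByteBuffer;

public class SshIgnoreDemo {
    static final byte SSH_MSG_IGNORE = 2; // message number from RFC 4253

    // Strict RFC 4251 "string" reader: uint32 length, then exactly that many bytes.
    // Both bounds are checked before reading, so a short buffer never underflows.
    static byte[] readString(ByteBuffer buf) {
        if (buf.remaining() < Integer.BYTES) {
            throw new IllegalArgumentException("missing uint32 length prefix");
        }
        long len = buf.getInt() & 0xFFFFFFFFL; // length is unsigned on the wire
        if (len > buf.remaining()) {
            throw new IllegalArgumentException(
                "declared length " + len + " exceeds " + buf.remaining() + " remaining bytes");
        }
        byte[] data = new byte[(int) len]; // safe: len <= remaining() <= Integer.MAX_VALUE
        buf.get(data);
        return data;
    }

    // Tolerant path for SSH_MSG_IGNORE only: the data is discarded anyway, so a
    // malformed message is reported and dropped instead of failing the session.
    static String handleIgnore(ByteBuffer payloadAfterOpcode) {
        try {
            byte[] data = readString(payloadAfterOpcode);
            return "well-formed: " + data.length + " data bytes ignored";
        } catch (IllegalArgumentException e) {
            return "malformed, dropped: " + e.getMessage();
        }
    }

    // Consumes the opcode byte and returns the buffer positioned at the payload.
    static ByteBuffer afterOpcode(byte[] packet) {
        ByteBuffer buf = ByteBuffer.wrap(packet); // big-endian by default, as SSH requires
        if (buf.get() != SSH_MSG_IGNORE) {
            throw new IllegalArgumentException("not SSH_MSG_IGNORE");
        }
        return buf;
    }

    public static void main(String[] args) {
        byte[][] samples = {                    // constructed packets
            {2, 0, 0, 0, 0},                    // legal: empty string, length 0
            {2, 0, 0, 0, 3, 0x61, 0x62, 0x63},  // legal: 3 data bytes
            {2},                                // opcode only, as in the reported test
            {2, 0, 0, 0, 9, 0x78},              // length prefix overruns the packet
        };
        for (byte[] p : samples) {
            System.out.println(handleIgnore(afterOpcode(p)));
        }
    }
}
```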