[ 
https://issues.apache.org/jira/browse/SSHD-699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15496387#comment-15496387
 ] 

Goldstein Lyor commented on SSHD-699:
-------------------------------------

This is not entirely correct - according to [RFC 4253 - section 
11.2|https://tools.ietf.org/html/rfc4253#section-11.2] the structure of an 
{{SSH_MSG_IGNORE}} is as follows:
{quote}
11.2.  Ignored Data Message

      byte      SSH_MSG_IGNORE
      string    data
{quote}

The _data_ field is a _string_ which means that even if it is *empty* then it 
must have a zero length as described in [RFC 4251 section 
5|https://tools.ietf.org/html/rfc4251#section-5]:

{quote}
string

      Arbitrary length binary string.  Strings are allowed to contain
      arbitrary binary data, including null characters and 8-bit
      characters.  They are stored as a uint32 containing its length
      (number of bytes that follow) and zero (= empty string) or more
      bytes that are the value of the string.  Terminating null
      characters are not used.
{quote}

What is termed "regression" in this case is actually a misnomer - an 
SSH_MSG_IGNORE as described in the test case is therefore *illegal* and should 
cause a problem. The same can be said for *any* malformed message - it is way 
too  much to demand that the code deal with all possible ways in which a 
message can be malformed. The previous code was therefore *wrong* in ignoring 
such messages (as it would be wrong to ignore any other malformed one).

Specifically for {{SSG_MSG_IGNORE}} and {{SSH_MSG_DEBUG}} though perhaps the 
code should be more tolerant and ignore malformed messages, So I will do a fix 
along these lines - but *only* along these lines.

> Server receiving 0-length SSH_MSG_IGNORE causes Buffer Underflow exception
> --------------------------------------------------------------------------
>
>                 Key: SSHD-699
>                 URL: https://issues.apache.org/jira/browse/SSHD-699
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 1.2.0
>            Reporter: Johan Östling
>
> Trying to establish the length of a message with only a header byte will 
> cause a buffer underflow exception. I noticed it on SSH_MSG_IGNORE, but it is 
> probably general to all messages.
> Reproducible with unit test: 
> {code:title=AbstractSessionTest.java|borderStyle=solid}
>     @Test
>     public void testZeroLengthIgnoreMessage() throws Exception {
>         Buffer msg = session.createBuffer(SshConstants.SSH_MSG_IGNORE, 
> Byte.SIZE);
>         session.handleIgnore(msg);
>     }
> {code}
> This is a regression since 0.14.0, which did not have this problem.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to