On Fri, Nov 16, 2018 at 7:14 PM Lyor Goldstein <lgoldst...@apache.org>
wrote:

> >> In ApacheDS, we decided to limit the size of a PDU to avoid crazy big
> >> (and crafted) messages to be processed. This is of course configurable. I
> >> guess you could do the same. Note that I don't think it makes sense to send
> >> a big chunk of data in SSH, IMO.
>
> Please note though that limiting the size of the PDU is not really the
> solution. One can send a "small" PDU claiming to contain an array of 2GB of
> data (remember - RLE). Therefore any code that first allocates data and
> only then tries to read it will be susceptible to out-of-memory errors.
>

Correct. You still need to check that the length does not exceed the limit.


> >> Otherwise, I'm not an SSH specialist, but it seems that the SSH maximum
> >> packet size is 32Kb (https://tools.ietf.org/html/rfc4253, par. 6.1). Is it
> >> relevant?
>
> I believe it is relevant - you have given me an idea - any code that reads
> a length of data should validate that indeed enough data is available to
> satisfy the request. I.e., if one declares that the PDU contains X amount
> of data, then the code should make sure that indeed the PDU contains at
> least X bytes *before* allocating and reading them from the PDU.
>
> This still leaves code that 1st reads some N and then executes a loop of N
> iterations - we need to make sure that the N is of some generous yet
> limited size.
>


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
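
The checks discussed in this thread (validate a declared length against both a limit and the bytes actually available before allocating, and cap a count N before looping on it), as an added example that is not part of the original messages and is not Apache MINA SSHD code. The class name, method names and both limits are assumptions chosen for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper for illustration only; names and limits are assumptions.
public final class BoundedReader {
    static final int MAX_FIELD_BYTES = 32 * 1024; // assumed per-field limit
    static final int MAX_LIST_ITEMS = 1024;       // assumed "generous yet limited" N

    // Reads a big-endian uint32 as a non-negative long.
    static long readUInt32(ByteBuffer buf) {
        if (buf.remaining() < 4) throw new IllegalArgumentException("truncated uint32");
        return buf.getInt() & 0xFFFFFFFFL;
    }

    // Length-prefixed bytes: check limit AND available data before allocating.
    static byte[] readBytes(ByteBuffer buf) {
        long declared = readUInt32(buf);
        if (declared > MAX_FIELD_BYTES || declared > buf.remaining()) {
            throw new IllegalArgumentException(
                "declared " + declared + " bytes, available " + buf.remaining());
        }
        byte[] data = new byte[(int) declared]; // bounded by both checks above
        buf.get(data);
        return data;
    }

    // Count-prefixed list: cap N before looping or pre-sizing anything.
    static List<String> readStringList(ByteBuffer buf) {
        long count = readUInt32(buf);
        // Every item needs at least its own 4-byte length prefix.
        if (count > MAX_LIST_ITEMS || count * 4 > buf.remaining()) {
            throw new IllegalArgumentException("implausible item count " + count);
        }
        List<String> items = new ArrayList<>((int) count);
        for (long i = 0; i < count; i++) {
            items.add(new String(readBytes(buf), StandardCharsets.UTF_8));
        }
        return items;
    }

    public static void main(String[] args) {
        // Constructed input: header claims ~2GB, only 3 bytes follow.
        byte[] crafted = {0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 1, 2, 3};
        try { readBytes(ByteBuffer.wrap(crafted)); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        // Constructed input: one-item list containing "hi".
        byte[] ok = {0, 0, 0, 1, 0, 0, 0, 2, 'h', 'i'};
        System.out.println(readStringList(ByteBuffer.wrap(ok)));
    }
}
```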
