Hi,

   +-From: "Oberhuber, Martin" <[EMAIL PROTECTED]> --
   |_Date: Tue, 6 Nov 2007 17:44:45 +0100 ________________________
   |
   |I have an SSH Server with Sftp version 3, but it does not send
   |plaintext error messages. Instead, when an SSH_FXP_STATUS
   |package is received, the "Header" packet indicates only 4
   |bytes length for the actual status packet; these 4 bytes
   |hold the (int) error number but no plaintext error message.

Those messages have been included since Sftp version 3 according to the specification.
So, if your server says it implements sftp version 3,
messages should be sent. I think that it comes from an implementation bug.

   |Attached is a "poor man's" version of a patch to fix the
   |issue. I think that the patch could be improved by
   | (1) calling a common checkStatus() method rather than
   |     having the same if... code again and again
   | (2) in getString(), have a safeguard to ensure that
   |     the String being allocated cannot be larger than
   |     the maximum packet size / buffer size.

Frankly speaking, I'm not so interested in changing the code for
such an incomplete server. Can you believe that it does not have
any other problems?  Why would you transfer your secrets to/from
such a buggy server?

Anyway, we should survive such an OutOfMemory DoS attack.
# FYI, it seems OpenSSH's sftp command has not checked messages either.
The next version will check the available byte length before
getting messages even if the server says it implements
sftp version 3 or later.


Sincerely,
--
Atsuhiko Yamanaka
JCraft,Inc.
1-14-20 HONCHO AOBA-KU,
SENDAI, MIYAGI 980-0014 Japan.
Tel +81-22-723-2150
    +1-415-578-3454
Fax +81-22-224-8773
Skype callto://jcraft/
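The two improvements suggested in the quoted message (a shared checkStatus() instead of repeated if-blocks, and a getString() that refuses a length field larger than the bytes actually available) are shown below as an added example. This is not JSch code and not Martin's patch; it is a stand-alone decoder for the SSH_FXP_STATUS payload that assumes the layout from the SFTP draft (request-id, status code, then optional error message and language tag strings) and uses a hypothetical MAX_PACKET_SIZE cap.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

/**
 * Added example, not JSch code: defensive decoding of an SSH_FXP_STATUS body.
 * Payload layout (outer length/type bytes already stripped):
 *   uint32 request-id, uint32 status code,
 *   string error message, string language tag   (both expected from v3 on,
 *   but some servers send only the status code).
 */
public final class SftpStatusDecoder {
    public static final int SSH_FX_OK = 0;
    /** Hypothetical cap; a real client would use its receive buffer size. */
    public static final int MAX_PACKET_SIZE = 256 * 1024;

    /** Decoded status fields. */
    public static final class Status {
        public final int requestId;
        public final int code;
        public final String message;
        public final String lang;
        Status(int requestId, int code, String message, String lang) {
            this.requestId = requestId; this.code = code;
            this.message = message; this.lang = lang;
        }
    }

    private final ByteBuffer buf; // ByteBuffer is big-endian by default, as SSH requires

    private SftpStatusDecoder(byte[] payload) { this.buf = ByteBuffer.wrap(payload); }

    /** uint32: fail cleanly instead of throwing BufferUnderflowException. */
    private int getInt() throws IOException {
        if (buf.remaining() < 4) throw new IOException("truncated uint32 in SSH_FXP_STATUS");
        return buf.getInt();
    }

    /**
     * SSH "string": uint32 length + bytes. The length is validated against
     * both the bytes actually present and the packet cap BEFORE allocating,
     * so a hostile or buggy length field cannot trigger an OutOfMemoryError.
     */
    private String getString() throws IOException {
        long len = getInt() & 0xFFFFFFFFL; // treat as unsigned
        if (len > MAX_PACKET_SIZE || len > buf.remaining()) {
            throw new IOException("string length " + len + " exceeds available "
                    + buf.remaining() + " bytes (cap " + MAX_PACKET_SIZE + ")");
        }
        byte[] b = new byte[(int) len];
        buf.get(b);
        return new String(b, StandardCharsets.UTF_8);
    }

    /** Decode a status body, tolerating a server that omits the two strings. */
    public static Status decode(byte[] payload) throws IOException {
        SftpStatusDecoder d = new SftpStatusDecoder(payload);
        int id = d.getInt();
        int code = d.getInt();
        String msg = d.buf.hasRemaining() ? d.getString() : "";
        String lang = d.buf.hasRemaining() ? d.getString() : "";
        return new Status(id, code, msg, lang);
    }

    /** One shared check instead of the same if(...) block after every request. */
    public static void checkStatus(Status s) throws IOException {
        if (s.code != SSH_FX_OK) {
            throw new IOException("SFTP status " + s.code
                    + (s.message.isEmpty() ? " (no message from server)" : ": " + s.message));
        }
    }

    /** Constructed sample payload builder (test data, not captured traffic). */
    static byte[] payload(int id, int code, String... strings) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(id);
        out.writeInt(code);
        for (String s : strings) {
            byte[] b = s.getBytes(StandardCharsets.UTF_8);
            out.writeInt(b.length);
            out.write(b);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Status full = decode(payload(7, 2, "No such file", "en"));   // well-behaved v3 server
        System.out.println("full: code=" + full.code + " msg=" + full.message);
        Status bare = decode(payload(8, 2));                           // code-only server from the thread
        System.out.println("bare: code=" + bare.code + " msg='" + bare.message + "'");
        // Constructed hostile body: length field claims 0x7fffffff bytes, only one follows.
        byte[] hostile = {0,0,0,9, 0,0,0,4, 0x7f,(byte)0xff,(byte)0xff,(byte)0xff, 'x'};
        try {
            decode(hostile);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it with `javac SftpStatusDecoder.java && java SftpStatusDecoder`: the first two payloads decode (the second with an empty message), and the third is rejected by the length check before any large array is allocated, which is the "safeguard" point (2) in the quoted message.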

_______________________________________________
JSch-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/jsch-users