  1. MINA SSHD
  2. SSHD-868

Add some protection against maliciously crafted packets

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.2.0
    • Flags:
      Important

      Description

      According to RFC 4256, section 3.2:

      The server SHOULD take into consideration that some clients may not
      be able to properly display a long name or prompt field (see next
      section), and limit the lengths of those fields if possible.

      The current code in UserAuthKeyboardInteractive#processAuthDataRequest does not make sure that the number of challenges or the length of each challenge is reasonable (not to mention the other packet components). Therefore, a maliciously crafted packet can cause out-of-memory errors by requesting an extremely large number of responses or sending very large challenges.

      It is important to note that this problem is not limited to the keyboard-interactive protocol but applies to the entire packet encode/decode mechanism, since it is an RLE (read-length encoding). Wherever possible we should add some reasonable but large enough limitations on the expected size of strings/arrays/etc. being decoded from incoming SSH packets.

            People

            • Assignee:
              lgoldstein Lyor Goldstein
              Reporter:
              lgoldstein Lyor Goldstein
            • Votes:
              0
              Watchers:
              2
