    [ https://issues.apache.org/jira/browse/SSHD-868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16690968#comment-16690968 ]

Goldstein Lyor commented on SSHD-868:
-------------------------------------

There are a few more such pitfalls that 1st allocate and then try to loop or just loop - see [commit db6e5b5344dcf687ad01a6d7bc94cfa531809d37|https://github.com/apache/mina-sshd/commit/db6e5b5344dcf687ad01a6d7bc94cfa531809d37], and also [commit 775f34955151d6ec241a1ad3a634c53a87386a64|https://github.com/apache/mina-sshd/commit/775f34955151d6ec241a1ad3a634c53a87386a64]

> Add some protection against maliciously crafted packets
> -------------------------------------------------------
>
>                 Key: SSHD-868
>                 URL: https://issues.apache.org/jira/browse/SSHD-868
>             Project: MINA SSHD
>          Issue Type: Improvement
>    Affects Versions: 2.1.1
>            Reporter: Goldstein Lyor
>            Assignee: Goldstein Lyor
>            Priority: Major
>              Labels: memory, overflow, security
>             Fix For: 2.1.1
>
>
> According to [RFC4256 - section 3.2|https://tools.ietf.org/html/rfc4256]
> {quote}
> The server SHOULD take into consideration that some clients may not
> be able to properly display a long name or prompt field (see next
> section), and limit the lengths of those fields if possible.
> {quote}
> The current code in {{UserAuthKeyboardInteractive#processAuthDataRequest}}
> does not make sure that the number of challenges or the length of each
> challenge is reasonable (not to mention the other packet components).
> Therefore, a maliciously crafted packet can cause out-of-memory errors by
> requesting an extremely large number of responses or sending very large
> challenges.
> It is important to notice that this problem is not limited to the
> {{keyboard-interactive}} protocol but to the entire packet encode/decode
> mechanism since it is a RLE (read-length encoding). Wherever possible we
> should add some reasonable but large enough limitations on the expected size
> of strings/arrays/etc. being decoded from incoming SSH packets.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
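The "validate before you allocate" pattern the comment and issue describe, as an added stand-alone example that is not mina-sshd code and does not use its Buffer API: a decoder for the SSH_MSG_USERAUTH_INFO_REQUEST body from RFC 4256 section 3.2 that checks every uint32 length against an assumed ceiling and against the bytes actually left in the packet before any `new byte[]` or `new String[]`. The class name, the MAX_* ceilings and the constructed packets are assumptions for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Hypothetical stand-alone decoder for the SSH_MSG_USERAUTH_INFO_REQUEST body
// (RFC 4256 section 3.2). It does not use or mirror the mina-sshd Buffer API.
public final class BoundedInfoRequestDecoder {
    static final int MAX_STRING_LEN = 64 * 1024; // assumed ceiling for one SSH string
    static final int MAX_PROMPTS = 64;           // assumed ceiling for num-prompts
    static final int MIN_PROMPT_BYTES = 4 + 1;   // uint32 length + boolean echo

    // SSH "string": uint32 length followed by that many bytes. Both checks run
    // before new byte[] so a hostile length never drives the allocation.
    static String readString(ByteBuffer buf) {
        if (buf.remaining() < 4) throw new IllegalArgumentException("truncated string length");
        long len = buf.getInt() & 0xFFFFFFFFL; // uint32; may exceed Integer.MAX_VALUE
        if (len > MAX_STRING_LEN) throw new IllegalArgumentException("string too long: " + len);
        if (len > buf.remaining()) throw new IllegalArgumentException("string exceeds packet: " + len);
        byte[] raw = new byte[(int) len];
        buf.get(raw);
        return new String(raw, StandardCharsets.UTF_8);
    }
    // Returns the prompt texts; name, instruction and language tag are read and discarded.
    static String[] decodePrompts(ByteBuffer buf) {
        readString(buf); readString(buf); readString(buf);
        if (buf.remaining() < 4) throw new IllegalArgumentException("truncated num-prompts");
        long numPrompts = buf.getInt() & 0xFFFFFFFFL;
        if (numPrompts > MAX_PROMPTS) throw new IllegalArgumentException("too many prompts: " + numPrompts);
        // Each prompt costs at least MIN_PROMPT_BYTES on the wire, so a count the remaining
        // bytes cannot hold is bogus even when it is under the ceiling.
        if (numPrompts * MIN_PROMPT_BYTES > buf.remaining()) throw new IllegalArgumentException("prompt count exceeds packet");
        String[] prompts = new String[(int) numPrompts];
        for (int i = 0; i < prompts.length; i++) {
            prompts[i] = readString(buf);
            if (!buf.hasRemaining()) throw new IllegalArgumentException("truncated echo flag");
            buf.get(); // echo flag, unused here
        }
        return prompts;
    }

    public static void main(String[] args) {
        // Constructed hostile body: empty name/instruction/lang, num-prompts = 0x7FFFFFFF.
        // An unchecked "allocate then loop" decoder would attempt new String[0x7FFFFFFF].
        ByteBuffer hostile = (ByteBuffer) ByteBuffer.allocate(16).putInt(0).putInt(0).putInt(0).putInt(0x7FFFFFFF).flip();
        try { decodePrompts(hostile); } catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        // Constructed benign body: one prompt "Password: " with echo = false.
        byte[] p = "Password: ".getBytes(StandardCharsets.UTF_8);
        ByteBuffer ok = (ByteBuffer) ByteBuffer.allocate(21 + p.length).putInt(0).putInt(0).putInt(0).putInt(1).putInt(p.length).put(p).put((byte) 0).flip();
        System.out.println("prompts decoded: " + decodePrompts(ok).length);
    }
}
```

The same two checks (ceiling plus remaining-bytes) apply to any length-prefixed field in the SSH packet format, which is the generalisation the issue asks for beyond keyboard-interactive.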