[jira] [Commented] (SSHD-868) Add some protection against maliciously crafted packets

Sun, 18 Nov 2018 09:10:53 -0800 


    [ 
https://issues.apache.org/jira/browse/SSHD-868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16690968#comment-16690968
 ] 

Goldstein Lyor commented on SSHD-868:
-------------------------------------

There are a few more such pitfalls that 1st allocate and then try to loop or 
just loop - see [commit 
db6e5b5344dcf687ad01a6d7bc94cfa531809d37|https://github.com/apache/mina-sshd/commit/db6e5b5344dcf687ad01a6d7bc94cfa531809d37],
 and also [commit 
775f34955151d6ec241a1ad3a634c53a87386a64|https://github.com/apache/mina-sshd/commit/775f34955151d6ec241a1ad3a634c53a87386a64]

> Add some protection against maliciously crafted packets
> -------------------------------------------------------
>
>                 Key: SSHD-868
>                 URL: https://issues.apache.org/jira/browse/SSHD-868
>             Project: MINA SSHD
>          Issue Type: Improvement
>    Affects Versions: 2.1.1
>            Reporter: Goldstein Lyor
>            Assignee: Goldstein Lyor
>            Priority: Major
>              Labels: memory, overflow, security
>             Fix For: 2.1.1
>
>
> According to [RFC4256 - section 3.2|https://tools.ietf.org/html/rfc4256]
> {quote}
> The server SHOULD take into consideration that some clients may not
> be able to properly display a long name or prompt field (see next
> section), and limit the lengths of those fields if possible.
> {quote}
> The current code in {{UserAuthKeyboardInteractive#processAuthDataRequest}} 
> does not make sure that the number of challenges or the length of each 
> challenge is reasonable (not to mention the other packet components). 
> Therefore, a maliciously crafted packet can cause out-of-memory errors by 
> requesting an extremely large number of responses or sending very large 
> challenges.
> It is important to notice that this problem is not limited to the 
> {{keyboard-interactive}} protocol but to the entire packet encode/decode 
> mechanism since it is a RLE (read-length encoding). Wherever possible we 
> should add some reasonable but large enough limitations on the expected size 
> of strings/arrays/etc.. being decoded from incoming SSH packets.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to