From 5471539a6738484b48fb938c88dce547a3e4b299 Mon Sep 17 00:00:00 2001
From: Ben Harris
Date: Sat, 17 Oct 2015 21:00:31 +0100
Subject: [PATCH] Handle packets with no type byte by returning SSH_MSG_UNIMPLEMENTED.

The previous assertion failure is obviously wrong, but RFC 4253 doesn't explicitly declare them to be a protocol error. Currently, the incoming packet isn't logged, which might cause some confusion for log parsers. Bug found with the help of afl-fuzz.
---
 ssh.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ssh.c b/ssh.c
index 5d6514b5..1f8a214b 100644
--- a/ssh.c
+++ b/ssh.c
@@ -364,6 +364,7 @@ static void do_ssh2_authconn(Ssh ssh, const unsigned char *in, int inlen,
 struct Packet *pktin);
 static void ssh2_channel_check_close(struct ssh_channel *c);
 static void ssh_channel_destroy(struct ssh_channel *c);
+static void ssh2_msg_something_unimplemented(Ssh ssh, struct Packet *pktin);
 
 /*
  * Buffer management constants. There are several of these for
@@ -1834,6 +1835,15 @@ static struct Packet *ssh2_rdpkt(Ssh ssh, const unsigned char **data,
 }
 }
 
+ /*
+ * RFC 4253 doesn't explicitly say that completely empty packets
+ * with no type byte are forbidden, so treat them as deserving
+ * an SSH_MSG_UNIMPLEMENTED.
+ */
+ if (st->pktin->length <= 5) { /* == 5 we hope, but robustness */
+ ssh2_msg_something_unimplemented(ssh, st->pktin);
+ crStop(NULL);
+ }
 /*
  * pktin->body and pktin->length should identify the semantic
  * content of the packet, excluding the initial type byte.
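Review bot: The new early exit in ssh2_rdpkt appears to drop `st->pktin` without releasing it: the function normally hands the packet back for the caller to free, but on this path it returns NULL via `crStop(NULL)` and nothing visible in the hunk frees the packet, so unless ssh2_msg_something_unimplemented takes ownership (its body is not in the hunk) every empty packet a peer sends leaks one allocation, which a remote peer could trigger repeatedly. Freeing it before leaving, e.g. `ssh_free_packet(st->pktin);` immediately before `crStop(NULL);` (assuming that is the deallocator paired with the allocation at the top of ssh2_rdpkt), would close this, and running a sequence of minimal packets through the reader under a leak checker would confirm it either way. The inline `/* == 5 we hope, but robustness */` also deserves a word on what the 5 covers, since `length` is redefined just below to exclude the type byte; something like `/* 5 = 4-byte length field + padding-length byte with no payload at all */` if that is how length is counted at this point. The commit message already notes the packet is not logged; logging it here the way other incoming packets are logged would keep log parsers consistent. ssh2_rdpkt starts and ends outside the hunk.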