Handle packets with no type byte by returning SSH_MSG_UNIMPLEMENTED.

The previous assertion failure is obviously wrong, but RFC 4253 doesn't explicitly declare them to be a protocol error. Currently, the incoming packet isn't logged, which might cause some confusion for log parsers. Bug found with the help of afl-fuzz.
2025-01-10 01:48:00 +00:00 · 2015-10-17 21:00:31 +01:00 · 2015-10-17 21:00:31 +01:00 · f7365a2d57
commit f7365a2d57
parent c445c745ec
1 changed files with 10 additions and 0 deletions
--- a/ssh.c
+++ b/ssh.c
@ -360,6 +360,7 @@ static void do_ssh2_authconn(Ssh ssh, unsigned char *in, int inlen,
 			     struct Packet *pktin);
 static void ssh2_channel_check_close(struct ssh_channel *c);
 static void ssh_channel_destroy(struct ssh_channel *c);
+static void ssh2_msg_something_unimplemented(Ssh ssh, struct Packet *pktin);

 /*
 * Buffer management constants. There are several of these for
@ -1742,6 +1743,15 @@ static struct Packet *ssh2_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
 	}
    }

+    /*
+     * RFC 4253 doesn't explicitly say that completely empty packets
+     * with no type byte are forbidden, so treat them as deserving
+     * an SSH_MSG_UNIMPLEMENTED.
+     */
+    if (st->pktin->length <= 5) { /* == 5 we hope, but robustness */
+        ssh2_msg_something_unimplemented(ssh, st->pktin);
+        crStop(NULL);
+    }
    /*
     * pktin->body and pktin->length should identify the semantic
     * content of the packet, excluding the initial type byte.