Handling recv oversized packets

Stuart Longland redhatter at gentoo.org
Wed Sep 7 06:47:27 WST 2011


Before I answer, one point I'd like to raise:
> This communication contains information which is confidential and may
> also be privileged. It is for the exclusive use of the addressee. If you
> are not the addressee please note that any distribution, reproduction,
> copying, publication or use of this communication or the information is
> prohibited. If you have received this communication in error, please
> contact us immediately and also delete the communication from your
> computer. We accept no liability for any loss or damage suffered by any
> person arising from use of this email.

The above being the case, why on EARTH did you send this to a PUBLIC
mailing list?

It's like ringing up on a national talk-back radio show then telling the
announcer, having just spoken to them on air for about 2 minutes, that
what you've told everyone listening on the air is private between you
and the announcer only, not to be rebroadcast.

Commercial in-confidence information has no place on such a mailing
list, and such walls-of-text as those above, look utterly ridiculous in
such a forum.

I will proceed to answer, ignoring the above, as it is widely publicised
that this mailing list goes to multiple undisclosed parties and is also
archived for world-wide perusal.  If there are any commercial
ramifications, they are your problem, not mine as you were warned.

(Okay… now to dismount from this soap box…)

On 09/07/11 07:09, Smith, JDave wrote:
> Hi
>  
> What happens if a received SSH packet is greater than the max length for
> received packets? From something I have seen in the code
> (common-channel) I am concerned that this causes dropbear to simply
> terminate. My concern is that this leaves dropbear implementations open
> to DOS attacks. I am not an expert in C and the code I have checked is
> v0.52 so I may be wrong or not up-to-date...

I'd be curious to know where you're looking.  No doubt others more
knowledgeable about the code will probably know exactly where to look
for the answer, but if I read this correctly:

http://cvs.ucc.asn.au/cgi-bin/viewvc.cgi/anoncvs/projects/dropbear/channel.c?view=markup
> 701 	/* if the client is going to send us more data than we've allocated, then
> 702 	* it has ignored the windowsize, so we "MAY ignore all extra data" */
> 703 	maxdata = channel->writebuf->size - channel->writebuf->pos;
> 704 	if (datalen > maxdata) {
> 705 	    TRACE(("Warning: recv_msg_channel_data: extra data past window"));
> 706 	    datalen = maxdata;
> 707 	}

then the situation is handled by *ignoring* the extra data.

> Note that we have a customer who is extremely security conscious and
> would view this as an issue, and since security considerations are on
> the rise in the market they would probably not be alone (at least not
> for very long).

They certainly aren't… and I'm happy to be corrected on my assessment above.

Regards,
-- 
Stuart Longland (aka Redhatter, VK4MSL)      .'''.
Gentoo Linux/MIPS Cobalt and Docs Developer  '.'` :
. . . . . . . . . . . . . . . . . . . . . .   .'.'
http://dev.gentoo.org/~redhatter             :.'

I haven't lost my mind...
  ...it's backed up on a tape somewhere.


More information about the Dropbear mailing list