Erlang R13B01 ssh_transport possible bug
Kenji Rikitake
kenji.rikitake@REDACTED
Fri Aug 21 03:47:55 CEST 2009
This is a simplified version of the previous patch at
http://www.erlang.org/cgi-bin/ezmlm-cgi?2:mss:1465:200908:jocpkoflfkoikpmnfcnj
I think this is a bug, so I resubmit the issue and the patch here.
BUG FOUND: ssh_transport:unpack/3 causes a crash by passing a null
binary (<<>>) to erlang:split_binary/2, with error code badarg.
By tracing the exchange with a FreeBSD OpenSSH implementation, I
found a case where the internal variable SshLength in
ssh_transport:unpack/3 goes to zero, which leads to passing a null
binary as an argument to ssh_transport:decrypt_blocks/3 and to
aes_cbc_ivec/1. So I added a case statement to avoid calling
decrypt_blocks/3 when SshLength = 0.
Patch follows.
Kenji Rikitake
--- lib/ssh/src/ssh_transport.erl.orig
+++ lib/ssh/src/ssh_transport.erl
@@ -714,8 +714,13 @@
Rest0/binary>> = EncodedSoFar,
{NoMac0, Mac0, Rest0}
end,
- {Ssh1, DecData, <<>>} =
- ssh_transport:decrypt_blocks(NoMac, SshLength, Ssh0),
+ {Ssh1, DecData, <<>>} = case SshLength of
+ 0 ->
+ {Ssh0, <<>>, <<>>};
+ _ ->
+ ssh_transport:decrypt_blocks(NoMac, SshLeng
+th, Ssh0)
+ end,
{Ssh1, DecData, Rest, Mac}.
msg_data(PacketData) ->
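Review bot: The new 0 -> branch guards only this one call site in unpack, so ssh_transport:decrypt_blocks/3 itself still fails on an empty binary for any other caller; a zero-length clause in decrypt_blocks/3 that returns the state unchanged would fix the crash at its source and keep this call as the original single line. The 0 branch also returns {Ssh0, <<>>, <<>>} without looking at NoMac, so if NoMac can ever be non-empty when SshLength is 0, that data is dropped silently; matching NoMac against <<>> in that branch would turn such a case into a visible failure instead. A short comment saying when SshLength legitimately reaches 0 would help the next reader. Separately, the added call is wrapped by the mailer in the middle of the identifier ("SshLeng" / "+th, Ssh0)"), so the patch will not apply as posted and needs to be resent with that line intact.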
More information about the erlang-bugs
mailing list