[erlang-bugs] Erlang R13B01 ssh_transport possible bug

Kenji Rikitake kenji.rikitake@REDACTED
Fri Aug 21 03:54:53 CEST 2009


clarification: "aes_cbc_ivec/1" is irrelevant, in 3des-cbc it is
crypto:des_cbc_ivec/1.  Regards, Kenji Rikitake

In the message <20090821014755.GA98897@REDACTED>
dated Fri, Aug 21, 2009 at 10:47:31AM +0900,
Kenji Rikitake <kenji.rikitake@REDACTED> writes:
> BUG FOUND: ssh_transport:unpack/3 causes crash by passing a null
> binary (<<>>) to erlang:split_binary/2, with error code badarg.
> 
> By tracing the exchange between a FreeBSD OpenSSH implementation, I
> found a case where the internal variable SshLength in
> ssh_transport:unpack/3 goes to zero, which leads to passing a null
> binary as an argument to ssh_transport:decrypt_blocks/3 and to
> aes_cbc_ivec/1.  So I added a case statement to avoid calling the
> decrypt_blocks/3 when SshLength = 0.
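
The failure mode and the guard described in the report, as an added example that is not part of the original message and is not the OTP source. The module, `next_ivec/1`, `decrypt_blocks/2` and both `unpack_*` functions are hypothetical stand-ins with no real cipher; they only model a CBC step that takes the last block of its input as the next IV, and the sample bytes are constructed.

```erlang
-module(unpack_guard_example).
-export([demo/0]).

-define(BLOCK, 8).  % 3des-cbc block size in bytes

%% Hypothetical stand-in for a CBC "next IV" helper: the next IV is the
%% last ciphertext block. Models the failure mode only.
next_ivec(Data) when is_binary(Data) ->
    %% With Data = <<>> the split position is -8, which raises badarg.
    {_, IVec} = erlang:split_binary(Data, byte_size(Data) - ?BLOCK),
    IVec.

%% Hypothetical stand-in for a decrypt step: no real cipher, it only
%% tracks the IV the way a CBC decrypt would.
decrypt_blocks(Data, _IVec0) ->
    {Data, next_ivec(Data)}.

%% Unguarded: always decrypts whatever remains of the packet.
unpack_unguarded(Rest, IVec) ->
    decrypt_blocks(Rest, IVec).

%% Guarded: skip the decrypt step when nothing remains (SshLength = 0).
unpack_guarded(Rest, IVec) ->
    case byte_size(Rest) of
        0 -> {<<>>, IVec};                      % keep the current IV
        _SshLength -> decrypt_blocks(Rest, IVec)
    end.

demo() ->
    IV = <<0:64>>,
    Block = <<1,2,3,4,5,6,7,8>>,                % constructed sample input
    Crash = try unpack_unguarded(<<>>, IV)
            catch error:badarg -> badarg
            end,
    [{unguarded_empty, Crash},
     {guarded_empty, unpack_guarded(<<>>, IV)},
     {guarded_block, unpack_guarded(Block, IV)}].
```

Compile the module and call `unpack_guard_example:demo().` in the shell to compare the unguarded and guarded paths on an empty remainder.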

