channels: Fail when receiving max packet size 0

Do this both for SSH2_MSG_CHANNEL_OPEN and for SSH2_MSG_CHANNEL_OPEN_CONFIRMATION. Using the max packet size 0 would lead to an infinite loop in channel_write_common. Originally reported by Rinku Das on on 23th February. Independently reported by Yi Lin on 26th February and Haruto Kimura on 22nd March. We do not consider this as a security issue as connecting to untrusted servers on the internet brings much worse security consequences than hanging your clinet. Signed-off-by: Pavol Žáčik <pzacik@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2026-06-11 12:56:21 +09:00 · 2026-03-06 13:58:30 +01:00
parent 66285b3ce4
commit 44b186fa17
2 changed files with 22 additions and 4 deletions
--- a/src/channels.c
+++ b/src/channels.c
@@ -198,6 +198,13 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf)
    if (rc != SSH_OK)
        goto error;

+    if (channel->remote_maxpacket == 0) {
+        SSH_LOG(SSH_LOG_RARE,
+                "Invalid maximum packet size 0 in "
+                "SSH2_MSG_CHANNEL_OPEN_CONFIRMATION");
+        goto error;
+    }
+
    SSH_LOG(SSH_LOG_DEBUG,
            "Received a CHANNEL_OPEN_CONFIRMATION for channel %" PRIu32
            ":%" PRIu32,
--- a/src/messages.c
+++ b/src/messages.c
@@ -1410,10 +1410,21 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open){
  SSH_LOG(SSH_LOG_PACKET,
      "Clients wants to open a %s channel", type_c);

-  ssh_buffer_unpack(packet,"ddd",
-          &msg->channel_request_open.sender,
-          &msg->channel_request_open.window,
-          &msg->channel_request_open.packet_size);
+  rc = ssh_buffer_unpack(packet,
+                         "ddd",
+                         &msg->channel_request_open.sender,
+                         &msg->channel_request_open.window,
+                         &msg->channel_request_open.packet_size);
+  if (rc != SSH_OK){
+      goto error;
+  }
+
+  if (msg->channel_request_open.packet_size == 0) {
+      ssh_set_error(session,
+                    SSH_FATAL,
+                    "Invalid maximum packet size 0 in SSH2_MSG_CHANNEL_OPEN");
+      goto error;
+  }

  if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED){
    ssh_set_error(session,SSH_FATAL, "Invalid state when receiving channel open request (must be authenticated)");