From 44b186fa17aff497dae420c59c003222e438103c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?=
Date: Fri, 6 Mar 2026 13:58:30 +0100
Subject: [PATCH] channels: Fail when receiving max packet size 0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Do this both for SSH2_MSG_CHANNEL_OPEN and for SSH2_MSG_CHANNEL_OPEN_CONFIRMATION. Using the max packet size 0 would lead to an infinite loop in channel_write_common. Originally reported by Rinku Das on on 23th February. Independently reported by Yi Lin on 26th February and Haruto Kimura on 22nd March. We do not consider this as a security issue as connecting to untrusted servers on the internet brings much worse security consequences than hanging your clinet.
Signed-off-by: Pavol Žáčik
Reviewed-by: Jakub Jelen
---
 src/channels.c | 7 +++++++
 src/messages.c | 19 +++++++++++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/src/channels.c b/src/channels.c
index 0d19b046..8a2702f2 100644
--- a/src/channels.c
+++ b/src/channels.c
@@ -198,6 +198,13 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf)
 if (rc != SSH_OK) goto error;
+ if (channel->remote_maxpacket == 0) {
+ SSH_LOG(SSH_LOG_RARE,
+ "Invalid maximum packet size 0 in "
+ "SSH2_MSG_CHANNEL_OPEN_CONFIRMATION");
+ goto error;
+ }
+
 SSH_LOG(SSH_LOG_DEBUG, "Received a CHANNEL_OPEN_CONFIRMATION for channel %" PRIu32 ":%" PRIu32,
diff --git a/src/messages.c b/src/messages.c
index 824b2772..6740d103 100644
--- a/src/messages.c
+++ b/src/messages.c
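Review bot: The client-side rejection of remote_maxpacket == 0 only logs at SSH_LOG_RARE before `goto error`, whereas the parallel server-side check in messages.c calls ssh_set_error with SSH_FATAL, so a caller whose channel open fails here gets no session error explaining why; consider adding `ssh_set_error(session, SSH_FATAL, "Invalid maximum packet size 0 in SSH2_MSG_CHANNEL_OPEN_CONFIRMATION");` before the goto, unless the `error:` label already sets one. ssh_packet_channel_open_conf starts and ends outside the hunk, so what `error:` does with the channel state is not visible here. A one-line why-comment above the check, e.g. `/* A zero max packet size makes channel_write_common loop forever; reject it. */`, would spare the next reader a git blame for the motivation given in the commit message.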
@@ -1410,10 +1410,21 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open){
 SSH_LOG(SSH_LOG_PACKET, "Clients wants to open a %s channel", type_c);
- ssh_buffer_unpack(packet,"ddd",
- &msg->channel_request_open.sender,
- &msg->channel_request_open.window,
- &msg->channel_request_open.packet_size);
+ rc = ssh_buffer_unpack(packet,
+ "ddd",
+ &msg->channel_request_open.sender,
+ &msg->channel_request_open.window,
+ &msg->channel_request_open.packet_size);
+ if (rc != SSH_OK){
+ goto error;
+ }
+
+ if (msg->channel_request_open.packet_size == 0) {
+ ssh_set_error(session,
+ SSH_FATAL,
+ "Invalid maximum packet size 0 in SSH2_MSG_CHANNEL_OPEN");
+ goto error;
+ }
 if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED){
 ssh_set_error(session,SSH_FATAL, "Invalid state when receiving channel open request (must be authenticated)");
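Review bot: Brace style is inconsistent within the added lines: `if (rc != SSH_OK){` omits the space before the brace while `if (msg->channel_request_open.packet_size == 0) {` a few lines below includes it; pick one, e.g. `if (rc != SSH_OK) {`. The new code also relies on `rc` being declared earlier in ssh_packet_channel_open; its declaration is outside the hunk, so that is presumably already the case, but worth confirming it is the same variable and not shadowed. Note that the packet-size check runs before the SSH_SESSION_STATE_AUTHENTICATED guard, so a malformed CHANNEL_OPEN from a peer that is not yet authenticated is now reported as a packet-size error rather than a state error; both paths `goto error`, so only the reported reason differs. The enclosing function begins and ends outside the hunk.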