infinite loop with a malformed message
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| paramiko |
Fix Released
|
High
|
Robey Pointer | ||
Bug Description
Found an infinite loop, triggered by a malformed ssh message.
I found it by trying to load a publickey which had been truncated, so
the actual length of the final mpint didn't match.
The first part is in Message.get_bytes.
If the length of the bytes read isn't as long as what was called for,
you get a string of '\x00'*n.
Shouldn't this simply pad the string with 0s, or is this required? (I
haven't read the entire rfc for this yet)
If I'm correct, the patch is easy:
- return '\x00'*n
+ return b + '\x00' * (n - len(b))
The infinite loop part is in in util.bit_length.
If n deflates to '\x00', hbyte will never AND with 0x80, so we loop forever.
Patch:
diff --git a/paramiko/util.py b/paramiko/util.py
index 8abdc0c..fab2b7e 100644
--- a/paramiko/util.py
+++ b/paramiko/util.py
@@ -135,6 +135,8 @@ def safe_string(s):
def bit_length(n):
norm = deflate_long(n, 0)
hbyte = ord(norm[0])
+ if not hbyte:
+ return 1
bitlen = len(norm) * 8
while not (hbyte & 0x80):
hbyte <<= 1
| Robey Pointer (robey) wrote | #1 |
| Changed in paramiko: | |
| assignee: | nobody → Robey Pointer (robey) |
| milestone: | none → 1.7.5 |
| status: | New → Confirmed |
| status: | Confirmed → Fix Committed |
| importance: | Undecided → High |
| Changed in paramiko: | |
| status: | Fix Committed → Fix Released |
already applied via email