Navigation Menu

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/crypto/ssh: Server panic on invalid input #11348

Closed
taruti opened this issue Jun 23, 2015 · 4 comments
Closed

x/crypto/ssh: Server panic on invalid input #11348

taruti opened this issue Jun 23, 2015 · 4 comments
Labels
FrozenDueToAge

Comments

@taruti
Copy link
Contributor

taruti commented Jun 23, 2015

The following input makes the x/crypto/ssh server crash:

[]byte("\n\x00\x00\x00\x16\x00\x140000000000000000\xff\xff\xff\xff")

Discovered by fuzzing (see the excellent github.com/dvyukov/go-fuzz), triggerable by

  1. run x/crypto/ssh server
  2. feed it those bytes (e.g. with nc or go)
  3. watch it panic
panic: runtime error: slice bounds out of range

goroutine 5 [running]:
golang.org/x/crypto/ssh.parseString(0xc20801e391, 0x4, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc20800a300)
    /go/path/src/golang.org/x/crypto/ssh/messages.go:490 +0x150
golang.org/x/crypto/ssh.parseNameList(0xc20801e391, 0x4, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x15)
    /go/path/src/golang.org/x/crypto/ssh/messages.go:502 +0x95
golang.org/x/crypto/ssh.Unmarshal(0xc20801e391, 0x4, 0x4, 0x54e900, 0xc208001320, 0x0, 0x0)
    /go/path/src/golang.org/x/crypto/ssh/messages.go:360 +0xeff
golang.org/x/crypto/ssh.(*handshakeTransport).enterKeyExchange(0xc208056000, 0xc20801e380, 0x15, 0x15, 0x0, 0x0)
    /go/path/src/golang.org/x/crypto/ssh/handshake.go:295 +0x134
golang.org/x/crypto/ssh.(*handshakeTransport).readOnePacket(0xc208056000, 0x0, 0x0, 0x0, 0x0, 0x0)
    /go/path/src/golang.org/x/crypto/ssh/handshake.go:166 +0x1f3
golang.org/x/crypto/ssh.(*handshakeTransport).readLoop(0xc208056000)
    /go/path/src/golang.org/x/crypto/ssh/handshake.go:133 +0x28
created by golang.org/x/crypto/ssh.newServerTransport
    /go/path/src/golang.org/x/crypto/ssh/handshake.go:108 +0xea

goroutine 1 [chan receive]:
golang.org/x/crypto/ssh.(*connection).serverHandshake(0xc20804e200, 0xc208058210, 0xc20801f060, 0x0, 0x0)
    /go/path/src/golang.org/x/crypto/ssh/server.go:193 +0x64f
golang.org/x/crypto/ssh.NewServerConn(0x7f8486836d18, 0xc20801f060, 0xc208058000, 0x7f8486836d18, 0xc208030018, 0x0, 0x0, 0x0)
    /go/path/src/golang.org/x/crypto/ssh/server.go:146 +0x103
main.main()
    /go/path/src/github.com/taruti/sshfuzz/ex1/ssh.go:28 +0x32d
@taruti
Copy link
Contributor Author

taruti commented Jun 23, 2015

cc @agl

@ebfe
Copy link
Contributor

ebfe commented Jun 23, 2015

https://golang.org/cl/11332

@agl agl self-assigned this Jun 27, 2015
@dvyukov
Copy link
Member

dvyukov commented Jun 29, 2015

/cc @dvyukov

@ebfe
Copy link
Contributor

ebfe commented Jun 29, 2015

Should be fixed by golang/crypto@cc04154

@golang golang locked and limited conversation to collaborators Jun 28, 2016
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Nov 24, 2019
@ebfe @agl
x/crypto/ssh: fix bounds check in parseString
cc04154 
Fixes golang#11348

Change-Id: If083744343256a2a53eb813411ba0c9a359d6dbd
Reviewed-on: https://go-review.googlesource.com/11332
Reviewed-by: Adam Langley <agl@golang.org>
@rsc rsc unassigned agl Jun 23, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@agl @taruti @josharian @ebfe @dvyukov @gopherbot