|
| 1 | +From 0ed2573cbd55c92e9125c9dc70fa1ca7fed82872 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Jakub Witczak <kuba@erlang.org> |
| 3 | +Date: Thu, 6 Feb 2025 19:00:44 +0100 |
| 4 | +Subject: [PATCH] ssh: sftp reject packets exceeding limit |
| 5 | + |
| 6 | +--- |
| 7 | + lib/ssh/src/ssh_sftpd.erl | 47 ++++++++++++++++++++++++++------------- |
| 8 | + 1 file changed, 32 insertions(+), 15 deletions(-) |
| 9 | + |
| 10 | +diff --git a/lib/ssh/src/ssh_sftpd.erl b/lib/ssh/src/ssh_sftpd.erl |
| 11 | +index c86ed2cb8199..6bcad0d056e7 100644 |
| 12 | +--- a/lib/ssh/src/ssh_sftpd.erl |
| 13 | ++++ b/lib/ssh/src/ssh_sftpd.erl |
| 14 | +@@ -27,7 +27,7 @@ |
| 15 | + -behaviour(ssh_server_channel). |
| 16 | + |
| 17 | + -include_lib("kernel/include/file.hrl"). |
| 18 | +- |
| 19 | ++-include_lib("kernel/include/logger.hrl"). |
| 20 | + -include("ssh.hrl"). |
| 21 | + -include("ssh_xfer.hrl"). |
| 22 | + -include("ssh_connect.hrl"). %% For ?DEFAULT_PACKET_SIZE and ?DEFAULT_WINDOW_SIZE |
| 23 | +@@ -128,9 +128,8 @@ init(Options) -> |
| 24 | + %% Description: Handles channel messages |
| 25 | + %%-------------------------------------------------------------------- |
| 26 | + handle_ssh_msg({ssh_cm, _ConnectionManager, |
| 27 | +- {data, _ChannelId, Type, Data}}, State) -> |
| 28 | +- State1 = handle_data(Type, Data, State), |
| 29 | +- {ok, State1}; |
| 30 | ++ {data, ChannelId, Type, Data}}, State) -> |
| 31 | ++ handle_data(Type, ChannelId, Data, State); |
| 32 | + |
| 33 | + handle_ssh_msg({ssh_cm, _, {eof, ChannelId}}, State) -> |
| 34 | + {stop, ChannelId, State}; |
| 35 | +@@ -187,24 +186,42 @@ terminate(_, #state{handles=Handles, file_handler=FileMod, file_state=FS}) -> |
| 36 | + %%-------------------------------------------------------------------- |
| 37 | + %%% Internal functions |
| 38 | + %%-------------------------------------------------------------------- |
| 39 | +-handle_data(0, <<?UINT32(Len), Msg:Len/binary, Rest/binary>>, |
| 40 | ++handle_data(0, ChannelId, <<?UINT32(Len), Msg:Len/binary, Rest/binary>>, |
| 41 | + State = #state{pending = <<>>}) -> |
| 42 | + <<Op, ?UINT32(ReqId), Data/binary>> = Msg, |
| 43 | + NewState = handle_op(Op, ReqId, Data, State), |
| 44 | + case Rest of |
| 45 | + <<>> -> |
| 46 | +- NewState; |
| 47 | ++ {ok, NewState}; |
| 48 | + _ -> |
| 49 | +- handle_data(0, Rest, NewState) |
| 50 | ++ handle_data(0, ChannelId, Rest, NewState) |
| 51 | + end; |
| 52 | +- |
| 53 | +-handle_data(0, Data, State = #state{pending = <<>>}) -> |
| 54 | +- State#state{pending = Data}; |
| 55 | +- |
| 56 | +-handle_data(Type, Data, State = #state{pending = Pending}) -> |
| 57 | +- handle_data(Type, <<Pending/binary, Data/binary>>, |
| 58 | +- State#state{pending = <<>>}). |
| 59 | +- |
| 60 | ++handle_data(0, _ChannelId, Data, State = #state{pending = <<>>}) -> |
| 61 | ++ {ok, State#state{pending = Data}}; |
| 62 | ++handle_data(Type, ChannelId, Data0, State = #state{pending = Pending}) -> |
| 63 | ++ Data = <<Pending/binary, Data0/binary>>, |
| 64 | ++ Size = byte_size(Data), |
| 65 | ++ case Size > ?SSH_MAX_PACKET_SIZE of |
| 66 | ++ true -> |
| 67 | ++ ReportFun = |
| 68 | ++ fun([S]) -> |
| 69 | ++ Report = |
| 70 | ++ #{label => {error_logger, error_report}, |
| 71 | ++ report => |
| 72 | ++ io_lib:format("SFTP packet size (~B) exceeds the limit!", |
| 73 | ++ [S])}, |
| 74 | ++ Meta = |
| 75 | ++ #{error_logger => |
| 76 | ++ #{tag => error_report,type => std_error}, |
| 77 | ++ report_cb => fun(#{report := Msg}) -> {Msg, []} end}, |
| 78 | ++ {Report, Meta} |
| 79 | ++ end, |
| 80 | ++ ?LOG_ERROR(ReportFun, [Size]), |
| 81 | ++ {stop, ChannelId, State}; |
| 82 | ++ _ -> |
| 83 | ++ handle_data(Type, ChannelId, Data, State#state{pending = <<>>}) |
| 84 | ++ end. |
| 85 | ++ |
| 86 | + handle_op(?SSH_FXP_INIT, Version, B, State) when is_binary(B) -> |
| 87 | + XF = State#state.xf, |
| 88 | + Vsn = lists:min([XF#ssh_xfer.vsn, Version]), |
0 commit comments