Merge pull request from GHSA-rv6r-3f5q-9rgx

[Fix twisted#10284] Fix out of memory deny of service for conch ssh version string handling during handshake.
vmario · Feb 8, 2022 · 98387b3 · 98387b3
2 parents a6849d4 + a4523b4
commit 98387b3
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 0 deletions.
diff --git a/src/twisted/conch/ssh/transport.py b/src/twisted/conch/ssh/transport.py
@@ -728,6 +728,15 @@ def dataReceived(self, data):
         """
         self.buf = self.buf + data
         if not self.gotVersion:
+
+            if len(self.buf) > 4096:
+                self.sendDisconnect(
+                    DISCONNECT_CONNECTION_LOST,
+                    b"Peer version string longer than 4KB. "
+                    b"Preventing a denial of service attack.",
+                )
+                return
+
             if self.buf.find(b"\n", self.buf.find(b"SSH-")) == -1:
                 return
 

diff --git a/src/twisted/conch/test/test_transport.py b/src/twisted/conch/test/test_transport.py
@@ -515,6 +515,28 @@ def test_sendVersion(self):
         )
         self.assertRegex(softwareVersion, softwareVersionRegex)
 
+    def test_dataReceiveVersionNotSentMemoryDOS(self):
+        """
+        When the peer is not sending its SSH version but keeps sending data,
+        the connection is disconnected after 4KB to prevent buffering too
+        much and running our of memory.
+        """
+        sut = MockTransportBase()
+        sut.makeConnection(self.transport)
+
+        # Data can be received over multiple chunks.
+        sut.dataReceived(b"SSH-2-Server-Identifier")
+        sut.dataReceived(b"1234567890" * 406)
+        sut.dataReceived(b"1235678")
+        self.assertFalse(self.transport.disconnecting)
+
+        # Here we are going over the limit.
+        sut.dataReceived(b"1234567")
+        # Once a lot of data is received without an SSH version string,
+        # the transport is disconnected.
+        self.assertTrue(self.transport.disconnecting)
+        self.assertIn(b"Preventing a denial of service attack", self.transport.value())
+
     def test_sendPacketPlain(self):
         """
         Test that plain (unencrypted, uncompressed) packets are sent

diff --git a/src/twisted/newsfragments/10284.bugfix b/src/twisted/newsfragments/10284.bugfix
@@ -0,0 +1,2 @@
+twisted.conch.ssh.transport.SSHTransportBase now disconnects the remote peer if the
+SSH version string is not sent in the first 4096 bytes.