File CVE-2022-21716-ssh-inf-data.patch of Package python-Twisted.25283

From de90dfe1519e996dd150de751c670f8e03daa089 Mon Sep 17 00:00:00 2001
From: Adi Roiban <adi.roiban@chevah.com>
Date: Mon, 24 Jan 2022 19:09:04 +0000
Subject: [PATCH 1/3] Initial fix for Twisted version string DoS.

---
 twisted/conch/ssh/transport.py       |    9 +++++++++
 twisted/conch/test/test_transport.py |   22 ++++++++++++++++++++++
 twisted/newsfragments/10284.bugfix   |    2 ++
 3 files changed, 33 insertions(+)
 create mode 100644 twisted/newsfragments/10284.bugfix

--- a/twisted/conch/ssh/transport.py
+++ b/twisted/conch/ssh/transport.py
@@ -442,6 +442,15 @@ class SSHTransportBase(protocol.Protocol
         """
         self.buf = self.buf + data
         if not self.gotVersion:
+
+            if len(self.buf) > 4096:
+                self.sendDisconnect(
+                    DISCONNECT_CONNECTION_LOST,
+                    b"Peer version string longer than 4KB. "
+                    b"Preventing a denial of service attack.",
+                )
+                return
+
             if self.buf.find('\n', self.buf.find('SSH-')) == -1:
                 return
             lines = self.buf.split('\n')
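Review bot: The 4096-byte limit is stated twice in the new lines, once as the literal in `if len(self.buf) > 4096:` and once as the "4KB" in the disconnect message, so a future adjustment of one will silently desynchronise the other; a module-level constant, e.g. `_MAX_VERSION_STRING_LENGTH = 4096`, used in the comparison and referenced in a comment above the check would keep them together. The check also only runs while `self.gotVersion` is false, which is what bounds the pre-version buffering, so a one-line comment such as `# Bound the buffered pre-version data so a peer that never sends "SSH-...\n" cannot grow self.buf without limit.` would document the intent for the next reader. The reason code `DISCONNECT_CONNECTION_LOST` describes the peer dropping rather than a protocol violation on our side; whether `DISCONNECT_PROTOCOL_ERROR` is the better fit is worth a decision in review. The body of `dataReceived` starts and ends outside this hunk.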
--- a/twisted/conch/test/test_transport.py
+++ b/twisted/conch/test/test_transport.py
@@ -413,6 +413,28 @@ class BaseSSHTransportTests(TransportTes
                           "SSH-2.0-Twisted")
 
 
+    def test_dataReceiveVersionNotSentMemoryDOS(self):
+        """
+        When the peer is not sending its SSH version but keeps sending data,
+        the connection is disconnected after 4KB to prevent buffering too
+        much and running our of memory.
+        """
+        sut = MockTransportBase()
+        sut.makeConnection(self.transport)
+
+        # Data can be received over multiple chunks.
+        sut.dataReceived(b"SSH-2-Server-Identifier")
+        sut.dataReceived(b"1234567890" * 406)
+        sut.dataReceived(b"1235678")
+        self.assertFalse(self.transport.disconnecting)
+
+        # Here we are going over the limit.
+        sut.dataReceived(b"1234567")
+        # Once a lot of data is received without an SSH version string,
+        # the transport is disconnected.
+        self.assertTrue(self.transport.disconnecting)
+        self.assertIn(b"Preventing a denial of service attack", self.transport.value())
+
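Review bot: The docstring of `test_dataReceiveVersionNotSentMemoryDOS` has a typo, "running our of memory" should read "running out of memory". The test exercises 4090 bytes (not disconnected) and then 4097 bytes (disconnected), so the exact boundary is never pinned; adding a step that brings the buffer to precisely 4096 bytes and asserting `self.assertFalse(self.transport.disconnecting)` before the final chunk would make the `>` versus `>=` choice in the implementation explicit. The enclosing test class continues outside this hunk.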
     def test_sendPacketPlain(self):
         """
         Test that plain (unencrypted, uncompressed) packets are sent
--- /dev/null
+++ b/twisted/newsfragments/10284.bugfix
@@ -0,0 +1,2 @@
+twisted.conch.ssh.transport.SSHTransportBase now disconnects the remote peer if the
+SSH version string is not sent in the first 4096 bytes.