File 1332-ssh-verify-file-handle-size-limit-for-client-data.patch of Package erlang
From 4e3bf86777ab3db7220c11d8ddabf15970ddd10a Mon Sep 17 00:00:00 2001
From: Jakub Witczak <kuba@erlang.org>
Date: Wed, 27 Aug 2025 17:49:08 +0200
Subject: [PATCH 1/2] ssh: verify file handle size limit for client data
- reject handles exceeding 256 bytes (as specified for SFTP)
---
lib/ssh/src/ssh_sftpd.erl | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/lib/ssh/src/ssh_sftpd.erl b/lib/ssh/src/ssh_sftpd.erl
index e7c51cc948..eb8637eca8 100644
--- a/lib/ssh/src/ssh_sftpd.erl
+++ b/lib/ssh/src/ssh_sftpd.erl
@@ -259,6 +259,17 @@ handle_data(Type, ChannelId, Data0, State = #state{pending = Pending}) ->
handle_data(Type, ChannelId, Data, State#state{pending = <<>>})
end.
+%% From draft-ietf-secsh-filexfer-02 "The file handle strings MUST NOT be longer than 256 bytes."
+handle_op(Request, ReqId, <<?UINT32(HLen), _/binary>>, State = #state{xf = XF})
+ when (Request == ?SSH_FXP_CLOSE orelse
+ Request == ?SSH_FXP_FSETSTAT orelse
+ Request == ?SSH_FXP_FSTAT orelse
+ Request == ?SSH_FXP_READ orelse
+ Request == ?SSH_FXP_READDIR orelse
+ Request == ?SSH_FXP_WRITE),
+ HLen > 256 ->
+ ssh_xfer:xf_send_status(XF, ReqId, ?SSH_FX_INVALID_HANDLE, "Invalid handle"),
+ State;
handle_op(?SSH_FXP_INIT, Version, B, State) when is_binary(B) ->
XF = State#state.xf,
Vsn = lists:min([XF#ssh_xfer.vsn, Version]),
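Review bot: The new `handle_op` clause enforces the limit through a hand-written list of six request types in its guard, so a handle-carrying request that a later clause parses but this list omits would skip the 256-byte check without any error. A comment above the guard such as `%% Keep this list in sync with every handle_op clause that parses a file handle`, plus a named constant in place of the literal `256`, would make that dependency visible. `HLen` is the length field declared by the client and is tested before any handle bytes are matched, which is the right place to reject, but it does not bound how much data `handle_data` has already buffered, so a packet-size limit presumably has to cover that elsewhere. The diffstat lists only `ssh_sftpd.erl`, so a regression test that sends a 257-byte handle for each listed request is not in this patch and may belong to the second patch of the series. The remaining `handle_op` clauses, including the rest of the `?SSH_FXP_INIT` clause, lie outside the hunk.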
--
2.51.0