Re: Buffering problems in ssh2.lua

[David Fifield <david () bamsoftware com>]

On Mon, Jun 15, 2009 at 01:49:17AM -0300, Joao Correa wrote:
> Here follows a patch for correcting the problem. I've tested it with
> the command provided by David and also without using the perl lines
> (without forcing packet fragmentation), the script worked fine in both
> cases. The result also was the same obtained executing the script with
> the original ssh2.lua file and without forcing packet fragmentation.

Thanks, you have the right idea with this patch.

>    local kex_init
> -  status, kex_init = socket:receive_bytes(1)
> +  local kex_data
> +  local kex_aux
> +  status, kex_data = socket:receive_bytes(1)
>    if not status then socket:close(); return end
> -  kex_init = transport.parse_kex_init( transport.payload( kex_init ) )
> +  kex_init = transport.payload(kex_data)
> +  while not kex_init do
> +    status, kex_aux = socket:receive_bytes(1)
> +    if status then kex_data = kex_data .. kex_aux end
> +    kex_init = transport.payload(kex_data)
> +  end
> +  kex_init = transport.parse_kex_init(kex_init)

What happens if the final receive_bytes, the one that gets the end of
the SSH-2 packet, also get the beginning of the next packet? It will be
discarded and any further reads will be broken. That is why I think
there should be a read_packet function, with an internal buffer, so that
bytes don't get lost like this. Making it a separate function would also
keep you from having to duplicate the read loop in two different places.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org