This is an automated email from the ASF dual-hosted git repository. twolf pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mina-sshd.git
commit 8f6e96ff92b0ca24387fd5209b0b62c102cf2481
Author: Thomas Wolf <[email protected]>
AuthorDate: Thu Jun 6 19:43:21 2024 +0200
Comment fixes
---
.../apache/sshd/common/session/helpers/AbstractSession.java | 12 +++++++-----
.../apache/sshd/common/session/helpers/SessionHelper.java | 2 +-
2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java b/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java
index c62b28eaf..482e040a1 100644
--- a/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java
+++ b/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java
@@ -1612,13 +1612,15 @@ public abstract class AbstractSession extends SessionHelper {
 if (!lengthOK) {
 decoderBuffer.dumpHex(getSimplifiedLogger(), Level.FINEST,
 "decode(" + this + ") invalid length packet", this);
- // Mitigation against CVE-2008-5161 AKA CPNI-957037: make any disconnections due to decoding errors indistinguishable.
+ // Mitigation against CVE-2008-5161 AKA CPNI-957037: make any disconnections due to decoding
+ // errors indistinguishable from failed MAC checks.
 //
- // If we disconnect here, a client may still deduce (since it sent only one block) that the length check failed.
- // So we keep on requesting more data and fail later. OpenSSH actually discards the next 256kB of data, but in fact
- // any number of bytes will do.
+ // If we disconnect here, a client may still deduce (since it sent only one block) that the
+ // length check failed. So we keep on requesting more data and fail later. OpenSSH actually
+ // discards the next 256kB of data, but in fact any number of bytes will do.
 //
- // Remember the exception, continue requiring an arbitrary number of bytes, and throw the exception later.
+ // Remember the exception, continue requiring an arbitrary number of bytes, and throw the
+ // exception later.
 discarding = new SshException(SshConstants.SSH2_DISCONNECT_PROTOCOL_ERROR,
 "Invalid packet length: " + decoderLength);
 decoderLength = decoderBuffer.available() + (2 + random.random(20)) * inCipherSize;
diff --git a/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/SessionHelper.java b/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/SessionHelper.java
index 55ae75ea2..993f5de46 100644
--- a/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/SessionHelper.java
+++ b/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/SessionHelper.java
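Review bot: In the AbstractSession hunk, the reworded comment promises that length failures look the same as failed MAC checks, but the `discarding` exception built right below it still carries the length-specific text `"Invalid packet length: " + decoderLength`, and nothing at this site explains why that does not leak. Judging by the SessionHelper hunk in this same commit, the guarantee appears to rest on the disconnect path sending `SSH2_DISCONNECT_PROTOCOL_ERROR` and the fixed string "Protocol error or corrupt packet" for both reason codes. I would add one line saying so, for example `// The peer never sees this message; the disconnect path sends one fixed reason code and text for protocol and MAC errors.` The comment could also say that `(2 + random.random(20)) * inCipherSize` is the "arbitrary number of bytes" it refers to, so a later edit does not replace it with a constant without thought. The enclosing method starts and ends outside the hunk, so how and when `discarding` is finally thrown cannot be checked from here.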
@@ -1191,7 +1191,7 @@ public abstract class SessionHelper extends AbstractKexFactoryManager implements
 switch (reason) {
 case SshConstants.SSH2_DISCONNECT_PROTOCOL_ERROR:
 case SshConstants.SSH2_DISCONNECT_MAC_ERROR:
- // OpenSSH *always* sends back DISCONNECT_PROTOCOL_ERROR
+ // OpenSSH *always* sends back DISCONNECT_PROTOCOL_ERROR.
 buffer.putInt(SshConstants.SSH2_DISCONNECT_PROTOCOL_ERROR);
 // Yes, we don't tell the peer what exactly was wrong.
 buffer.putString("Protocol error or corrupt packet");
