ssh2-streams icon indicating copy to clipboard operation
ssh2-streams copied to clipboard

Published 20 hours ago verified publisher icon mscdex

Packet transform errors kill the server

Open AlexandraK opened this issue 4 years ago • 1 comments

I'm using this with the SSH2 module to run a SFTP server. With one SFTP client the packet size on write is larger than what this module expects (> 34000), so the module throws an error (line 296 of sftp.js), but the error cannot be caught anywhere.

I think this is a serious security issue. Basically any client can crash a SFTP server just by sending some non-standard packets, and server cannot do anything about it

AlexandraK avatar Aug 30 '20 09:08 AlexandraK

Like all EventEmitters in node, you can attach an 'error' event handler on the (sftp instance) object.

mscdex avatar Sep 14 '20 12:09 mscdex