mscdex / ssh2-streams

SSH2 and SFTP client/server protocol streams for node.js
MIT License

Packet transform errors kill the server #166

Open AlexandraK opened 4 years ago

AlexandraK commented 4 years ago

I'm using this with the SSH2 module to run an SFTP server. With one SFTP client the packet size on write is larger than what this module expects (> 34000), so the module throws an error (line 296 of sftp.js), but the error cannot be caught anywhere.

I think this is a serious security issue. Basically any client can crash an SFTP server just by sending some non-standard packets, and the server cannot do anything about it.

mscdex commented 4 years ago

Like all EventEmitters in node, you can attach an 'error' event handler on the (sftp instance) object.
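The behaviour discussed in this thread, as an added example that is not part of the original issue and is not ssh2-streams code: a hypothetical length-prefixed `PacketParser` (an assumption, standing in for the SFTP stream) rejects packets above the 34000 limit mentioned in the report, and `handleConnection` shows the outcome with and without a per-connection `'error'` listener. All names and the sample bytes are constructed for illustration.

```javascript
const { EventEmitter } = require('events');

const MAX_PACKET_LEN = 34000; // limit quoted in the report above

// Hypothetical parser: 4-byte big-endian length prefix, then payload.
class PacketParser extends EventEmitter {
  constructor() { super(); this.buf = Buffer.alloc(0); this.dead = false; }
  push(chunk) {
    if (this.dead) return; // ignore input after a fatal framing error
    this.buf = Buffer.concat([this.buf, chunk]);
    while (this.buf.length >= 4) {
      const len = this.buf.readUInt32BE(0);
      if (len > MAX_PACKET_LEN) {
        this.dead = true;
        this.buf = Buffer.alloc(0);
        // With no 'error' listener, emit() throws this error instead.
        this.emit('error', new Error(`Packet length ${len} exceeds ${MAX_PACKET_LEN}`));
        return;
      }
      if (this.buf.length < 4 + len) return; // wait for the rest of the frame
      this.emit('packet', this.buf.subarray(4, 4 + len));
      this.buf = this.buf.subarray(4 + len);
    }
  }
}

// Build a well-formed frame with a zero-filled payload.
function frame(payloadLen) {
  const b = Buffer.alloc(4 + payloadLen);
  b.writeUInt32BE(payloadLen, 0);
  return b;
}

// Simulate one client connection and report what happened to it.
function handleConnection(chunks, attachErrorHandler) {
  const parser = new PacketParser();
  const result = { packets: 0, closed: false, threw: false, reason: null };
  parser.on('packet', () => { result.packets++; });
  if (attachErrorHandler) {
    // Per-connection handler: record the reason and drop only this client.
    parser.on('error', (err) => { result.closed = true; result.reason = err.message; });
  }
  try {
    for (const c of chunks) parser.push(c);
  } catch (err) {
    // In a real server this throw surfaces inside a socket callback,
    // becomes an uncaughtException, and takes the whole process down.
    result.threw = true;
  }
  return result;
}

// Constructed input: valid frame, header claiming 65536 bytes, valid frame.
const oversizedHeader = Buffer.from([0x00, 0x01, 0x00, 0x00]);
const SAMPLE = [frame(10), oversizedHeader, frame(10)];
```

With the listener attached the oversized packet ends only that connection; without it the same input escapes as a thrown exception.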