java.lang.ArrayIndexOutOfBoundsException: 1024

[nicoulaj]

I'm getting this error when trying to use this lib on a shared server with quite a lot of users:

java.lang.ArrayIndexOutOfBoundsException: 1024
    at com.jcraft.jsch.agentproxy.Buffer.getByte(Buffer.java:142)
    at com.jcraft.jsch.agentproxy.Buffer.getShort(Buffer.java:138)
    at com.jcraft.jsch.agentproxy.Buffer.getInt(Buffer.java:123)
    at com.jcraft.jsch.agentproxy.Buffer.getString(Buffer.java:181)
    at com.jcraft.jsch.agentproxy.AgentProxy.getIdentities(AgentProxy.java:112)
    at com.jcraft.jsch.agentproxy.RemoteIdentityRepository.getIdentities(RemoteIdentityRepository.java:47)
    at com.jcraft.jsch.UserAuthPublicKey.start(UserAuthPublicKey.java:39)
    at com.jcraft.jsch.Session.connect(Session.java:463)
    at com.jcraft.jsch.Session.connect(Session.java:183)

If this can help, in AgentProxy.getIdentities(), I get:

• rcode=0
• count=267
• it crashes at i=127

The factory is NCUSocketFactory. The version of netcat is 1.84 (on CentOS 6.X).

[booiiing]

The root cause is line 71 in AgentProxy, where the buffer is initialized with a size of 1024. A temporary fix would be using a bigger constant here. However, since this project seems to be unmaintained, I am unsure whether it would get a release :(

[kekbur]

For me the exception does not occur when using Pageant 0.61. It does occur with later versions.

[rafaroca]

I believe that there is a bug in AgentProxy.java. buffer.insertLength(); in line 88 inserts the length as int. The buffer.getByte() in line 100 would read the first of the four bytes of this int.

The same goes for all the other methods in this class. I did not test this, but I guess this could fix the issue:

diff --git a/jsch-agent-proxy-core/src/main/java/com/jcraft/jsch/agentproxy/AgentProxy.java b/jsch-agent-proxy-core/src/main/java/com/jcraft/jsch/agentproxy/AgentProxy.java
index 8834150..bb84788 100644
--- a/jsch-agent-proxy-core/src/main/java/com/jcraft/jsch/agentproxy/AgentProxy.java
+++ b/jsch-agent-proxy-core/src/main/java/com/jcraft/jsch/agentproxy/AgentProxy.java
@@ -97,11 +97,11 @@ public class AgentProxy {
       return identities;
     }

+    int count = buffer.getInt();
     int rcode = buffer.getByte();

     check_reply(rcode);
 //System.out.println(rcode == code2);
-    int count = buffer.getInt();
 //System.out.println(count);

     identities = new Identity[count];

[nicoulaj]

Probably not, @ymnk last activity on Github goes back to November 2014.

[lemmy]

At least on Linux, AIOOBE is a red herring! The root cause isn't incorrect code as suspected by @rafaroca. Instead, it seems to be the combination of the underlying Connector reading an invalid value for the environment variable SSH_AUTH_SOCK and AgentProxy improperly handling this error and thus throwing a misleading ArrayIndexOutOfBoundsException.

You can convince yourself that the order in which rcode and count are read from buffer are correct by cross-checking the spec and two alternative implementations.

A sensible fix for the underlying SSH_AUTH_SOCK problem would be a check if process p (see below) is alive. If SSH_AUTH_SOCK is incorrect, p has terminated with a non-null exit value: https://github.com/ymnk/jsch-agent-proxy/blob/12c3d64fc2b0a4fd37659369edfdee26e48954e2/jsch-agent-proxy-usocket-nc/src/main/java/com/jcraft/jsch/agentproxy/usocket/NCUSocketFactory.java#L115