Bug 39727

Summary: strange message in log
Product: [Retired] Red Hat Linux Reporter: Need Real Name <mal>
Component: opensshAssignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: pekkas
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-02-03 09:04:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Need Real Name 2001-05-08 23:21:46 UTC 
The SSH prints strange message in /var/log/messages

May  8 17:08:49 imap1 sshd[11179]: Received disconnect from 1.2.3.4: 11:
^\u^R

The "11:^\u^R" is this OK, or some this is some garbage 
which was put to the /var/log/messages because of a bug in sshd

The SSH version is:
rpm -q openssh 
openssh-2.5.2p2-1.7.2
Comment 1 Pekka Savola 2001-05-11 20:41:45 UTC 
Depends on what kind of circumstance you got it in.  It should contain the reason for disconnecting.

Using:
openssh-2.5.2p2-1.6.2

I've gotten e.g.:

May  9 09:17:07 xxx sshd[26924]: Received disconnect from aaa.bbb.1.97: 11: Disconnect requested by Windows SSH Client.
May  9 13:26:28 xxx sshd[23428]: Received disconnect from aaa.bbb.2.38: 13: Authentication cancelled by user.
Comment 2 Need Real Name 2001-05-11 20:58:24 UTC 
I do not have a reason. Just some garbage printed instead:

Apr 30 12:02:11 xxx sshd[14539]: Received disconnect from 1.2.3.4: 11: XX^R
It is sililar to yours (11: there, but no error message, just some random
symbols).

Also I tested this on two computers (both RedHat 7.0 will all updates).
In both log I have same error messages with random data printed

rpm -q openssh
openssh-2.5.2p2-1.7.2
Comment 3 Need Real Name 2001-05-11 21:06:54 UTC 
I checked few logs the strings printed there may be:
XX^R
^\S^R
X<FB>^R
^H<F7>^R

The client is ssh 2.0.12 from DataFellows, seems some string from 
the data went directly to log.
Comment 4 Pekka Savola 2001-05-11 21:15:04 UTC 
My logs show this happening once on a RHL62 system with 2.5.2p2.  The connecting client is most probably
some old Windows one; Data Fellows might not be a bad bet.

The string there is printed from the packet by buffer_get_string function as intended.  The client isn't just
recording anything sane in there.  I suspect a client-side bug, but I don't see this very interesting issue unless
the client is acting so oddly that it hinders the normal use ;-)

I suggest resolving this as NOTABUG.
Comment 5 Need Real Name 2001-05-11 21:19:14 UTC 
The only question I have: is this save to put a string read
from a client directly to log. 

Should the string be escaped or something else done with it?
Comment 6 Pekka Savola 2001-05-11 21:23:54 UTC 
The string is limited to 400 characters, normal format string attack methods don't work with it, and NULL is added at the end of 
it.  It should be as safe as you can get.