Bug 39727 - strange message in log
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: openssh
Version: 7.0
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
 
Reported: 2001-05-08 19:21 EDT by Need Real Name
Modified: 2007-04-18 12:33 EDT (History)
Last Closed: 2005-02-03 04:04:06 EST

Description Need Real Name 2001-05-08 19:21:46 EDT
SSH prints a strange message in /var/log/messages:

May  8 17:08:49 imap1 sshd[11179]: Received disconnect from 1.2.3.4: 11: ^\u^R

Is the "11:^\u^R" OK, or is this some garbage which was put into /var/log/messages because of a bug in sshd?

The SSH version is:
rpm -q openssh 
openssh-2.5.2p2-1.7.2

Comment 1 Pekka Savola 2001-05-11 16:41:45 EDT
Depends on what kind of circumstance you got it in.  It should contain the reason for disconnecting.

Using:
openssh-2.5.2p2-1.6.2

I've gotten e.g.:

May  9 09:17:07 xxx sshd[26924]: Received disconnect from aaa.bbb.1.97: 11: Disconnect requested by Windows SSH Client.
May  9 13:26:28 xxx sshd[23428]: Received disconnect from aaa.bbb.2.38: 13: Authentication cancelled by user.

Comment 2 Need Real Name 2001-05-11 16:58:24 EDT
I do not have a reason. Just some garbage printed instead:

Apr 30 12:02:11 xxx sshd[14539]: Received disconnect from 1.2.3.4: 11: XX^R
It is similar to yours (11: there, but no error message, just some random
symbols).

Also I tested this on two computers (both RedHat 7.0 with all updates).
In both logs I have the same error messages with random data printed.

rpm -q openssh
openssh-2.5.2p2-1.7.2

Comment 3 Need Real Name 2001-05-11 17:06:54 EDT
I checked a few logs; the strings printed there may be:
XX^R
^\S^R
X<FB>^R
^H<F7>^R

The client is ssh 2.0.12 from DataFellows; it seems some string from the data went directly to the log.

Comment 4 Pekka Savola 2001-05-11 17:15:04 EDT
My logs show this happening once on a RHL62 system with 2.5.2p2.  The connecting client is most probably some old Windows one; Data Fellows might not be a bad bet.

The string there is printed from the packet by the buffer_get_string function as intended.  The client just isn't recording anything sane in there.  I suspect a client-side bug, but I don't see this as a very interesting issue unless the client is acting so oddly that it hinders normal use ;-)

I suggest resolving this as NOTABUG.

Comment 5 Need Real Name 2001-05-11 17:19:14 EDT
The only question I have: is it safe to put a string read from a client directly into the log?

Should the string be escaped or something else done with it?

Comment 6 Pekka Savola 2001-05-11 17:23:54 EDT
The string is limited to 400 characters, normal format string attack methods don't work with it, and NULL is added at the end of it.  It should be as safe as you can get.
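
Comments 5 and 6 turn on whether a client-supplied disconnect string can go into the log as-is. The following is an added example, not OpenSSH code and not part of this bug report: a hypothetical log_escape helper in C that escapes every non-printable byte before logging, run on constructed samples including the ^\u^R bytes reported above. The function name, the \xNN encoding and the 400-byte cap passed by the caller (the figure quoted in comment 6) are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not OpenSSH code): copy an untrusted, length-delimited
 * message into out[] for a text log. Printable ASCII is kept; every other
 * byte, and the backslash itself, becomes \xNN, so control characters such
 * as newlines or terminal escapes never reach the log. Input is capped at
 * max_in bytes. Returns chars written (excluding the NUL terminator). */
size_t log_escape(const unsigned char *in, size_t inlen, size_t max_in,
                  char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (outsz == 0)
        return 0;
    if (inlen > max_in)
        inlen = max_in;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = in[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (o + 1 >= outsz)
                break;                  /* keep room for the NUL */
            out[o++] = (char)c;
        } else {
            if (o + 4 >= outsz)
                break;                  /* never emit a partial escape */
            out[o++] = '\\'; out[o++] = 'x';
            out[o++] = hex[c >> 4]; out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed samples: the bytes logged above as ^\u^R, and a message
     * with an embedded CR/LF. 400 is the limit quoted in comment 6. */
    const unsigned char garbage[] = { 0x1c, 'u', 0x12 };
    const char *nl = "bye\r\nnext";
    char buf[256];
    log_escape(garbage, sizeof(garbage), 400, buf, sizeof(buf));
    printf("Received disconnect from 1.2.3.4: 11: %s\n", buf);
    log_escape((const unsigned char *)nl, strlen(nl), 400, buf, sizeof(buf));
    printf("Received disconnect from 1.2.3.4: 11: %s\n", buf);
    return 0;
}
```

The escaped message is passed to printf as an argument to a fixed "%s" format, never as the format string itself.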
