Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 50751

Summary: OpenSSH flooding logs because of big packets received
Product: [Retired] Red Hat Raw Hide Reporter: Olivier Benghozi <olivier.benghozi+redhatbugzilla>
Component: opensshAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE QA Contact:
Severity: low Docs Contact:
Priority: medium    
Version: 1.0   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2001-08-02 20:42:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Olivier Benghozi 2001-08-02 20:42:30 UTC 
The "maxpack" value negociated between ssh server and a client is not 
always really observed by certain versions of some clients, and is only 
considered as a wish, not an obligation (like in secureFX 1.9.3, since 
1.9.4 does enforce the limitation). This is not really a problem since it 
doesn't prevent both sides to communicate, even with big packets. There's 
no problem with that with sshd2 from ssh.com.
This is also not a problem with opensshd 2.9p2, EXCEPT that it floods logs 
(/var/log/secure) with some useless things:


Logs:
Jul  6 22:01:43 limace sshd[17669]: channel 0: rcvd big packet 31092, 
maxpack 16384
Jul  6 22:01:43 limace sshd[17669]: channel 0: rcvd big packet 31064, 
maxpack 16384
Jul  6 22:01:43 limace sshd[17669]: channel 0: rcvd big packet 31036, 
maxpack 16384
Jul  6 22:01:43 limace sshd[17669]: channel 0: rcvd big packet 31008, 
maxpack 16384
Jul  6 22:01:43 limace sshd[17669]: channel 0: rcvd big packet 30980, 
maxpack 16384
Jul  6 22:01:43 limace sshd[17669]: channel 0: rcvd big packet 30952, 
maxpack 16384
etc...


Flooding logs can be a way of DoS.
So it seems to me that this is really only DEBUG information.
In those conditions, I think the log() ought to be replaced by a debug() 
like this:


Patch diff:

--- openssh-2.9p2/channels.c.old        Fri Jul 20 23:03:47 2001
+++ openssh-2.9p2/channels.c    Fri Jul 20 23:04:08 2001
@@ -1315,11 +1315,11 @@
 
        if (compat20){
                if (data_len > c->local_maxpacket) {
-                       log("channel %d: rcvd big packet %d, maxpack %d",
+                       debug("channel %d: rcvd big packet %d, maxpack %d",
                            c->self, data_len, c->local_maxpacket);
                }
                if (data_len > c->local_window) {
-                       log("channel %d: rcvd too much data %d, win %d",
+                       debug("channel %d: rcvd too much data %d, win %d",
                            c->self, data_len, c->local_window);
                        xfree(data);
                        return;





-------------
If someone considers 'too much data' is not only a debug information, 'big 
packet received' not creating communication problem nor bufferoverflowing 
anything is really a debug information.
Comment 1 Nalin Dahyabhai 2001-09-06 12:50:56 UTC 
This change will be integrated into 2.9p2-7 and later.  Thanks!