"Junk data left to incoming packet buffer after all data processed"

Tue Feb 20 03:45:12 EST 2001

On 2001-02-19 at 17:23 +0100, Markus Friedl gifted us with:
> > I'm using OpenSSH_2.5.0 as currently found in OpenBSD's OPENBSD_2_8 CVS
> > branch.  I'm now finding a strange error when I try to su, _within_ the
> > connection.  The client side is _not_ OpenSSH.
> 
> OpenSSH-2.5.1 has just been released because OpenSSH-2.5.0
> triggered a bug in ssh-1.2.18 up to ssh-1.2.22.

Yeah, I saw the announcement arrive in my mailbox several seconds after
I sent off the request for help/info.  :^/

: OpenSSH 2.5.0p1 was skipped because of interoperability issues with
: ssh-1.2.18 => ssh-1.2.22.

> > The client is running protocol 1.5, and is derived from the SSH.com
> > product.
> 
> what version is it derived from?

1.2.22.  *sighs*  It's internally modified to support some special stuff
internal to my employer, which is not for external release; partly
because it ties into a custom RADIUS system for staff cryptocard
authentication.  "1.2.22j4rad".

> it's a client bug.

:^( :^(

> i can help you fixing the clients or adding bugcompat to openssh,

Ow.  I really dislike the idea of putting bug compatibility into
otherwise clean software; however, if I'm to get our systems migrated to
an OpenSSH based solution, so that we can migrate the staff to using
version 2 clients, this may be necessary.  :^(  Thanks for being willing
to do this.

> but i need 'sshd -d -d -d' for this.

Since you need it, no one else is likely to be interested, and it's got
semi-sensitive (hah, right!) info in, I'll send this directly to you.

> if you want to fix the client look at the diffs between ssh-1.2.22 and ssh-1.2.23
> for the file packet.c and the SSH_MSG_IGNORE handling.

Hrm.  This could be politically awkward, upgrading a couple hundred
client machines, just so that we can later upgrade again.  The logic is
good, but actually getting it approved could be tricky.  I can have a
look.  Where can I get those old tarballs from, to generate the diff?

Thanks again for the help with this.  This is going to be one of those
weeks, especially since I'm on callout duty this week too.  Maybe I
should crawl under a rock.
-- 
Modern technology puts enormously powerful tools in the hands of people
without the mental and ethical training to use them properly.