OpenSSH_6.1p1 sends a SSH packet bigger than 32K

Marian Stanciu mstanciu at
Sat Apr 20 01:44:40 EST 2013

The full SSH_MSG_CHANNEL_DATA packet looks like this:

uint32    packet length
uint32    recipient channel
uint32    nr data bytes
byte[]    data

OpenSSH_6.1p1 considers that the 'maximum packet size' from SSH_MSG_CHANNEL_OPEN or SSH_MSG_CHANNEL_OPEN_CONFIRMATION impacts only the 'byte[]    data' field and not the entire message (headers included). Section 5.1 from RFC 4254 (which talks about this limitation) leaves room for interpretation when it comes to the 'maximum packet size' because it "specifies the maximum size of an individual data packet that can be sent to the sender" without pointing out if specific headers are included or not.

This is equivalent to a 32768+13 byte packet for the lower layer, the binary packet protocol.

There's another section which somewhat clears things out - section 6.1 from RFC4253. Each SSH Connection Protocol packet (RFC 4254) is encapsulated entirely (headers included) in the binary packet protocol (bpp) payload from the SSH Transport Layer (RFC4253). And the above mentioned section stipulates all implementations must support an uncompressed payload length of 32768 for a bpp packet. Of course, implementations may support even bigger payload lengths and the means to announce it to a partner is through the identification string. In the absence of a specific identification string, a minimal SSH implementation should be assumed, and as such the SSH_MSG_CHANNEL_DATA packet should not surpass 32678 bytes in total.

I searched the mailing list for similar topics, but couldn't find any. Was this subject discussed somewhere? Is it considered a known issue, maybe?

Thank you,

More information about the openssh-unix-dev mailing list