fixed #515 - unexpected pre-kex message causing panic (#516)

Eugeny · web-flow · commit 5e913966780d · 2025-05-11T16:00:58.000+02:00
diff --git a/russh/Cargo.toml b/russh/Cargo.toml
@@ -110,6 +110,7 @@ tokio = { workspace = true, features = [
   "net",
   "sync",
   "macros",
+  "process",
 ] }
 rand = "0.8.5"
 shell-escape = "0.1"
diff --git a/russh/src/client/mod.rs b/russh/src/client/mod.rs
@@ -39,6 +39,8 @@ use std::convert::TryInto;
 use std::num::Wrapping;
 use std::pin::Pin;
 use std::sync::Arc;
+#[cfg(not(target_arch = "wasm32"))]
+use std::time::Duration;
 
 use futures::task::{Context, Poll};
 use futures::Future;
@@ -47,8 +49,6 @@ use log::{debug, error, trace};
 use russh_util::time::Instant;
 use ssh_encoding::Decode;
 use ssh_key::{Algorithm, Certificate, HashAlg, PrivateKey, PublicKey};
-#[cfg(not(target_arch = "wasm32"))]
-use std::time::Duration;
 use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt, ReadHalf, WriteHalf};
 use tokio::pin;
 use tokio::sync::mpsc::{
diff --git a/russh/src/server/encrypted.rs b/russh/src/server/encrypted.rs
@@ -62,8 +62,10 @@ impl Session {
             rejection_wait_until
         };
 
-        #[allow(clippy::unwrap_used)]
-        let enc = self.common.encrypted.as_mut().unwrap();
+        let Some(enc) = self.common.encrypted.as_mut() else {
+            return Err(Error::Inconsistent.into());
+        };
+
         // If we've successfully read a packet.
         match (&mut enc.state, buf.split_first()) {
             (
diff --git a/russh/src/tests.rs b/russh/src/tests.rs
@@ -564,3 +564,56 @@ mod channels {
         .await;
     }
 }
+
+mod server_kex_junk {
+    use std::sync::Arc;
+
+    use tokio::io::AsyncWriteExt;
+
+    use super::server::Server as _;
+    use super::*;
+
+    #[tokio::test]
+    async fn server_kex_junk_test() {
+        let _ = env_logger::try_init();
+
+        let config = server::Config::default();
+        let config = Arc::new(config);
+        let mut sh = Server {};
+
+        let socket = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
+        let addr = socket.local_addr().unwrap();
+
+        tokio::spawn(async move {
+            let mut client_stream = tokio::net::TcpStream::connect(addr).await.unwrap();
+            client_stream
+                .write_all(b"SSH-2.0-Client_1.0\r\n")
+                .await
+                .unwrap();
+            // Unexpected message pre-kex
+            client_stream.write_all(&[0, 0, 0, 2, 0, 99]).await.unwrap();
+            tokio::time::sleep(std::time::Duration::from_secs(1)).await;
+        });
+
+        let (socket, _) = socket.accept().await.unwrap();
+        let server = sh.new_client(socket.peer_addr().ok());
+        let rs = server::run_stream(config, socket, server).await.unwrap();
+
+        // May not panic
+        assert!(rs.await.is_err());
+    }
+
+    #[derive(Clone)]
+    struct Server {}
+
+    impl server::Server for Server {
+        type Handler = Self;
+        fn new_client(&mut self, _: Option<std::net::SocketAddr>) -> Self {
+            self.clone()
+        }
+    }
+
+    impl server::Handler for Server {
+        type Error = super::Error;
+    }
+}
