From: Shravan Rangarajuvenkata (shrarang) Date: Tue, 10 Aug 2021 11:23:24 +0000 (+0000) Subject: Merge pull request #3002 in SNORT/snort3 from ~DANMCGAR/snort3:ssh-bug-fixes to master X-Git-Tag: 3.1.10.0~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=544267b29754b8fbe01c71d072ef23b63fcd639e;p=thirdparty%2Fsnort3.git Merge pull request #3002 in SNORT/snort3 from ~DANMCGAR/snort3:ssh-bug-fixes to master Squashed commit of the following: commit fc1527ee54af92eea9444658cc3ff6a5df6e3fb2 Author: Daniel McGarvey Date: Fri Aug 6 13:57:31 2021 -0400 ssh: handle traffic with invalid version string commit dca39e7620d22ea633db0851bc0c4fcc6a6fd8af Author: Daniel McGarvey Date: Fri Aug 6 13:49:26 2021 -0400 ssh: handle version string packets that also contain key exchange data
---
diff --git a/src/service_inspectors/ssh/ssh_splitter.cc b/src/service_inspectors/ssh/ssh_splitter.cc
index 512c0e928..e3fbf6aac 100644
--- a/src/service_inspectors/ssh/ssh_splitter.cc
+++ b/src/service_inspectors/ssh/ssh_splitter.cc
@@ -119,14 +119,20 @@ StreamSplitter::Status SshSplitter::scan(
 return ABORT;
 }
- if ((sessp->state_flags & SSH_FLG_SERV_IDSTRING_SEEN)
- and (sessp->state_flags & SSH_FLG_CLIENT_IDSTRING_SEEN))
+ if (sessp->state_flags & SSH_FLG_SESS_ENCRYPTED)
+ {
+ state = SSH_PAF_ENCRYPTED;
+ }
+ else if (((flags & PKT_FROM_SERVER)
+ and (sessp->state_flags & SSH_FLG_SERV_IDSTRING_SEEN))
+ or ((flags & PKT_FROM_CLIENT)
+ and (sessp->state_flags & SSH_FLG_CLIENT_IDSTRING_SEEN)))
 {
 state = SSH_PAF_KEY_EXCHANGE;
 }
-
- if (sessp->state_flags & SSH_FLG_SESS_ENCRYPTED)
+ else if (!(isprint(data[0]) or isspace(data[0])))
 {
+ sessp->state_flags |= SSH_FLG_MISSED_PACKETS;
 state = SSH_PAF_ENCRYPTED;
 }
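Review bot: The new `else if (!(isprint(data[0]) or isspace(data[0])))` branch reads `data[0]` and, on the strength of that single byte, sets SSH_FLG_MISSED_PACKETS on the session and moves the splitter to SSH_PAF_ENCRYPTED, with neither a `len` check nor the reasoning visible in the hunk. If scan() can be entered with `len == 0` (the start of the function is outside the hunk), the guard should read `else if (len > 0 and !(isprint(data[0]) or isspace(data[0])))`. Because this fallback presumably ends version and key-exchange parsing for the flow, a comment such as `// first byte is not text: assume packets were missed and treat the stream as encrypted` would record the intent, and a counter on this path would show when traffic takes it. isprint/isspace also follow the process locale, so the classification of bytes above 0x7f is only fixed under the "C" locale.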
@@ -134,19 +140,13 @@ StreamSplitter::Status SshSplitter::scan(
 {
 case SSH_PAF_VER_EXCHANGE:
 {
- uint32_t n = len;
- const uint8_t* lf = nullptr, * tmp = data;
-
- while ((tmp = (const uint8_t*)memchr(tmp, '\n', n)))
+ const uint8_t *lf = (const uint8_t*)memchr(data, '\n', len);
+ if (lf)
 {
- lf = tmp++;
- n = len - (tmp - data);
+ *fp = lf - data + 1;
+ return FLUSH;
 }
- if (!lf)
- return SEARCH;
-
- *fp = lf - data + 1;
- return FLUSH;
+ return SEARCH;
 }
 case SSH_PAF_KEY_EXCHANGE:
 {
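Review bot: The SSH_PAF_VER_EXCHANGE case still returns SEARCH for any segment without a '\n', and nothing in the hunk limits how many bytes may be scanned before giving up, although RFC 4253 section 4.2 caps the identification string at 255 characters including CR LF. The first hunk of this commit covers a non-printable first byte, but a flow that sends printable bytes and never a newline would stay in version exchange unless the stream layer enforces its own limit, which is not visible here. A running count of bytes scanned in this state, falling back the same way as the non-printable case once it passes 255, would close the gap; at minimum a comment such as `// id string is at most 255 bytes incl. CR LF (RFC 4253 4.2); no length limit is enforced here` records it. As a style point, `static_cast<const uint8_t*>(memchr(data, '\n', len))` would replace the C-style cast. The switch and the rest of scan() continue outside the hunk.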