From 9ff231ba932dded5d712bb34fffe1f396d975a2c Mon Sep 17 00:00:00 2001
From: Hans Nilsson
Date: Wed, 18 Jan 2017 16:08:01 +0100
Subject: ssh: Reduce info leakage on decrypt errors
Use same message when there are packet errors like too long length, MAC, decrypt or decode errors. This is regarded as good practise to prevent some attacks
---
 lib/ssh/src/ssh_connection_handler.erl | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
(limited to 'lib/ssh')
diff --git a/lib/ssh/src/ssh_connection_handler.erl b/lib/ssh/src/ssh_connection_handler.erl
index 7451c9e6d0..8718e92fa2 100644
--- a/lib/ssh/src/ssh_connection_handler.erl
+++ b/lib/ssh/src/ssh_connection_handler.erl
@@ -1206,7 +1206,7 @@ handle_event(info, {Proto, Sock, NewData}, StateName, D0 = #data{socket = Sock,
 catch
 _C:_E ->
 disconnect(#ssh_msg_disconnect{code = ?SSH_DISCONNECT_PROTOCOL_ERROR,
- description = "Encountered unexpected input"},
+ description = "Bad packet"},
 StateName, D)
 end;
@@ -1221,13 +1221,12 @@ handle_event(info, {Proto, Sock, NewData}, StateName, D0 = #data{socket = Sock,
 {bad_mac, Ssh1} ->
 disconnect(#ssh_msg_disconnect{code = ?SSH_DISCONNECT_PROTOCOL_ERROR,
- description = "Bad mac"},
+ description = "Bad packet"},
 StateName, D0#data{ssh_params=Ssh1});
- {error, {exceeds_max_size,PacketLen}} ->
+ {error, {exceeds_max_size,_PacketLen}} ->
 disconnect(#ssh_msg_disconnect{code = ?SSH_DISCONNECT_PROTOCOL_ERROR,
- description = "Bad packet length "
- ++ integer_to_list(PacketLen)},
+ description = "Bad packet"},
 StateName, D0)
 catch
 _C:_E ->
--
cgit v1.2.3
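Review bot: The replacement text "Bad packet" is written as a separate string literal in the `catch` clause of the @@ -1206 hunk and again in the `bad_mac` and `exceeds_max_size` branches of the @@ -1221 hunk, so the indistinguishability this commit is after holds only while the three literals never drift apart. Defining it once, for example `-define(BAD_PACKET_DESCR, "Bad packet").` near the top of the module and writing `description = ?BAD_PACKET_DESCR` at each site, makes that a property of the code rather than of reviewer attention. The macro name is only a suggestion. The `handle_event` clause containing this `catch` begins above the hunk, so any other disconnect descriptions on the same receive path could not be checked from here.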
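Review bot: In the @@ -1221 hunk the failure detail that used to be sent to the peer is now dropped rather than moved: `_PacketLen` is ignored, the `bad_mac` branch is indistinguishable from the length failure, and the `catch _C:_E ->` clauses discard class and reason as well. Keeping the wire message uniform is right, but an operator investigating repeated disconnects still needs the cause, so I would record it locally before calling `disconnect/3`, e.g. keep the binding and add `error_logger:info_msg("ssh: received packet length ~p exceeds maximum~n", [PacketLen]),` with a matching line for `bad_mac`. Whether `disconnect/3` already logs anything is not visible here, and because these paths may be reachable by a peer before authentication the logging should be rate-limited or kept at a low severity. The body of the trailing `catch _C:_E ->` lies below the hunk; confirm that it also sends "Bad packet".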