From 11898f02683308aedaee0bf07959f852aeb702de Mon Sep 17 00:00:00 2001
From: Alexander Gozman
Date: Fri, 4 May 2018 07:15:58 +0000
Subject: SSH: increase client's maximum payload length from 100 to 500

According to RFC4253, a client may send additional data right after its identification string (before receiving the server's identification string). For instance, PuTTY sends supported ciphers. This exceeds 100 bytes and nDPI fails to detect such SSH sessions.
---
 src/lib/protocols/ssh.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/lib/protocols/ssh.c')
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index bfd1c387e..0045fe69e 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@@ -63,7 +63,7 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
 return;
 }
 } else if (flow->l4.tcp.ssh_stage == (2 - packet->packet_direction)) {
- if (packet->payload_packet_len > 7 && packet->payload_packet_len < 100
+ if (packet->payload_packet_len > 7 && packet->payload_packet_len < 500
 && memcmp(packet->payload, "SSH-", 4) == 0) {
 int len = ndpi_min(sizeof(flow->protos.ssh.server_signature)-1, packet->payload_packet_len);
 strncpy(flow->protos.ssh.server_signature, (const char *)packet->payload, len);
-- 
cgit v1.2.3
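Review bot: With the upper bound raised to 500 the payload is now expected to carry data after the identification line, but `len` in the context lines is still taken from the whole `payload_packet_len`, so whatever follows the line end (the commit message mentions PuTTY's cipher list) is copied into `server_signature` up to the size of that buffer. I would cut the copy at the end of the first line, e.g. `const char *eol = memchr(packet->payload, '\n', len);` followed by `if (eol) len = (int)(eol - (const char *)packet->payload);`, so the stored field holds only the identification string. `strncpy` also writes no terminator when the first `len` bytes contain no NUL; the hunk ends on that call, so whether `server_signature[len]` is set afterwards cannot be seen here and is worth confirming. The body of `ndpi_search_ssh_tcp` starts and ends outside the hunk.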