
sftp setstat: guard against empty attrs

It seems that some clients send Setstat requests with
no attrs:

https://github.com/pkg/sftp/issues/325

I have never seen this myself; anyway, we now return ErrSSHFxBadMessage
and log the client version in such cases.
Nicola Murino 5 年之前
父节点
当前提交
39fc9b73e9
共有 2 个文件被更改,包括 11 次插入0 次删除
  1. 5 0
      sftpd/handler.go
  2. 6 0
      sftpd/internal_test.go

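--- a/sftpd/handler.go
+++ b/sftpd/handler.go
@@ -261,6 +261,11 @@ func (c Connection) handleSFTPSetstat(path string, request *sftp.Request) error
 	if setstatMode == 1 {
 		return nil
 	}
+	if len(request.Attrs) < 1 {
+		c.Log(logger.LevelInfo, logSender, "cannot handle Setstat request with no attrs, this is probably a buggy client: %v",
+			c.ClientVersion)
+		return sftp.ErrSSHFxBadMessage
+	}
 	attrFlags := request.AttrFlags()
 	if attrFlags.Permissions {
 		if !c.User.HasPerm(dataprovider.PermChmod) {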
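Review bot: The new guard in handleSFTPSetstat rejects only a zero-length `request.Attrs`; a payload that is non-empty but shorter than what the request flags announce still passes `len(request.Attrs) < 1` and reaches the attribute handling below. Whether that case is decoded safely depends on code after the hunk and on the sftp package, neither of which is visible here, so it deserves a comment such as `// only the empty case is rejected here; truncated attrs are left to the sftp package's decoding` and a test with a short buffer. Separately, `c.ClientVersion` is presumably supplied by the peer, so formatting it with `%q` instead of `%v` would keep control characters and line breaks out of the log entry. The function begins before and continues after this hunk.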

+ 6 - 0
sftpd/internal_test.go

@@ -227,6 +227,12 @@ func TestSetstatModeIgnore(t *testing.T) {
 	if err != nil {
 	if err != nil {
 		t.Errorf("unexpected error: %v setstat should be silently ignore in mode 1", err)
 		t.Errorf("unexpected error: %v setstat should be silently ignore in mode 1", err)
 	}
 	}
+	setstatMode = 0
+	req := sftp.NewRequest("Setstat", "invalid")
+	err = connection.handleSFTPSetstat("invalid", req)
+	if err != sftp.ErrSSHFxBadMessage {
+		t.Errorf("unexpected error: %v", err)
+	}
 	setstatMode = originalMode
 	setstatMode = originalMode
 }
 }