From 39fc9b73e9eceaefa27c943e63c64b6f3db41682 Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Wed, 4 Dec 2019 08:31:47 +0100
Subject: [PATCH] sftp setstat: guard against empty attrs

It seems that there are some clients that sends Setstat requests with no attrs: https://github.com/pkg/sftp/issues/325 I haven't never seen this myself, anyway we now return ErrSSHFxBadMessage and log the client version in such cases
---
 sftpd/handler.go | 5 +++++
 sftpd/internal_test.go | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/sftpd/handler.go b/sftpd/handler.go
index a6bcb5c4..d352e641 100644
--- a/sftpd/handler.go
+++ b/sftpd/handler.go
@@ -261,6 +261,11 @@ func (c Connection) handleSFTPSetstat(path string, request *sftp.Request) error
 if setstatMode == 1 {
 return nil
 }
+ if len(request.Attrs) < 1 {
+ c.Log(logger.LevelInfo, logSender, "cannot handle Setstat request with no attrs, this is probably a buggy client: %v",
+ c.ClientVersion)
+ return sftp.ErrSSHFxBadMessage
+ }
 attrFlags := request.AttrFlags()
 if attrFlags.Permissions {
 if !c.User.HasPerm(dataprovider.PermChmod) {
diff --git a/sftpd/internal_test.go b/sftpd/internal_test.go
index 5fc75795..5cb4292c 100644
--- a/sftpd/internal_test.go
+++ b/sftpd/internal_test.go
@@ -227,6 +227,12 @@ func TestSetstatModeIgnore(t *testing.T) {
 if err != nil {
 t.Errorf("unexpected error: %v setstat should be silently ignore in mode 1", err)
 }
+ setstatMode = 0
+ req := sftp.NewRequest("Setstat", "invalid")
+ err = connection.handleSFTPSetstat("invalid", req)
+ if err != sftp.ErrSSHFxBadMessage {
+ t.Errorf("unexpected error: %v", err)
+ }
 setstatMode = originalMode
 }
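Review bot: The added log call formats `c.ClientVersion` with `%v`, and that value is presumably the version string announced by the remote peer, so it reaches the log unescaped. Using `%q` in the format string (`"... this is probably a buggy client: %q",`) would keep control characters and line breaks in a client-chosen banner from forging or splitting log entries. The message is also written at info level on every such request, so a connected client can repeat it at will; whether `c.Log` throttles is not visible here. A short comment above the guard, for example `// some clients send Setstat with no attrs, see pkg/sftp issue 325`, would record why the check exists. handleSFTPSetstat starts and ends outside the hunk.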
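Review bot: The added lines set the package-level `setstatMode` to 0 and rely on the trailing `setstatMode = originalMode` to undo it, so a panic inside `handleSFTPSetstat` or a later `t.Fatal` added between the two would leave the global changed for the tests that run afterwards. Restoring it with `defer func() { setstatMode = originalMode }()` right after `originalMode` is captured makes the restore unconditional. That capture and the start of TestSetstatModeIgnore are outside the hunk.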