```rust
extern crate ssh_parser;

fn main() {
    let data = b"\x00\x00\x00\x00\x00\x00\x00\x00";
    let _ = ssh_parser::parse_ssh_packet(data);
}
```
thread '<unnamed>' panicked at 'attempt to subtract with overflow', src/ssh.rs:351
stack backtrace:
0: std::sys::imp::backtrace::tracing::imp::unwind_backtrace
at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
1: std::sys_common::backtrace::_print
at /checkout/src/libstd/sys_common/backtrace.rs:71
2: std::panicking::default_hook::{{closure}}
at /checkout/src/libstd/sys_common/backtrace.rs:60
at /checkout/src/libstd/panicking.rs:355
3: std::panicking::default_hook
at /checkout/src/libstd/panicking.rs:371
4: std::panicking::rust_panic_with_hook
at /checkout/src/libstd/panicking.rs:549
5: std::panicking::begin_panic
at /checkout/src/libstd/panicking.rs:511
6: std::panicking::begin_panic_fmt
at /checkout/src/libstd/panicking.rs:495
7: rust_begin_unwind
at /checkout/src/libstd/panicking.rs:471
8: core::panicking::panic_fmt
at /checkout/src/libcore/panicking.rs:69
9: core::panicking::panic
at /checkout/src/libcore/panicking.rs:49
10: ssh_parser::ssh::parse_ssh_packet
at src/ssh.rs:351
11: rust_fuzzer_test_input
at fuzz/fuzzers/fuzzer_script_1.rs:6
12: libfuzzer_sys::test_input_wrap::{{closure}}
at /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/bcaa8e1/src/lib.rs:11
13: std::panicking::try::do_call
at /checkout/src/libstd/panicking.rs:454
14: <unknown>
at /checkout/src/libpanic_abort/lib.rs:40
==2713== ERROR: libFuzzer: deadly signal
#0 0x5556b31e6aa3 in __sanitizer_print_stack_trace /checkout/src/compiler-rt/lib/asan/asan_stack.cc:38
#1 0x5556b3092bb1 in fuzzer::Fuzzer::CrashCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/bcaa8e1/llvm/lib/Fuzzer/FuzzerLoop.cpp:280
#2 0x5556b3092afb in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/bcaa8e1/llvm/lib/Fuzzer/FuzzerLoop.cpp:264
#3 0x5556b30b02ed in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/bcaa8e1/llvm/lib/Fuzzer/FuzzerUtilPosix.cpp:37
#4 0x7f0326ed4fdf (/usr/lib/libpthread.so.0+0x11fdf)
#5 0x7f0326936a0f in __GI_raise (/usr/lib/libc.so.6+0x33a0f)
#6 0x7f0326938139 in __GI_abort (/usr/lib/libc.so.6+0x35139)
#7 0x5556b3117278 in panic_abort::__rust_start_panic::abort /checkout/src/libpanic_abort/lib.rs:61
#8 0x5556b3117278 in __rust_start_panic /checkout/src/libpanic_abort/lib.rs:56
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 3 ChangeBinInt-EraseBytes-CMP- DE: "\x00\x00\x00\x00\x00\x00\x00\x00"-; base unit: f962cb5827b3fc32cfe0eeb4b3034c067e34138e
0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
\x00\x00\x00\x00\x00\x00\x00\x00
Found using cargo-fuzz. Down to the following line: https://github.com/rusticata/ssh-parser/blob/master/src/ssh.rs#L351.
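The following is an added example, not part of the original issue and not ssh-parser's code. It assumes the overflowing subtraction is the usual payload-length computation `packet_length - padding_length - 1` from the RFC 4253 section 6 packet layout (the issue itself only gives the line number), and shows how checked arithmetic turns the all-zero input into a parse error. All function and type names are hypothetical.

```rust
// Added illustration, not ssh-parser code. Assumed layout (RFC 4253 section 6):
// uint32 packet_length, byte padding_length, payload, random padding.

#[derive(Debug, PartialEq)]
pub enum PacketError { Truncated, BadLength }

/// What an unchecked `packet_length - padding_length - 1` yields when overflow
/// checks are off (release builds): the value wraps instead of panicking.
pub fn payload_len_wrapping(packet_length: u32, padding_length: u8) -> u32 {
    packet_length.wrapping_sub(padding_length as u32).wrapping_sub(1)
}

/// Checked form: each subtraction on an untrusted length is allowed to fail.
pub fn payload_len_checked(packet_length: u32, padding_length: u8) -> Result<u32, PacketError> {
    packet_length
        .checked_sub(padding_length as u32)
        .and_then(|n| n.checked_sub(1))
        .ok_or(PacketError::BadLength)
}

/// Hypothetical parser returning the (payload, padding) slices of one packet.
pub fn parse_packet(data: &[u8]) -> Result<(&[u8], &[u8]), PacketError> {
    if data.len() < 5 {
        return Err(PacketError::Truncated);
    }
    let packet_length = u32::from_be_bytes([data[0], data[1], data[2], data[3]]);
    let padding_length = data[4];
    let payload_len = payload_len_checked(packet_length, padding_length)? as usize;
    let total = payload_len
        .checked_add(padding_length as usize)
        .ok_or(PacketError::BadLength)?;
    let rest = &data[5..];
    if rest.len() < total {
        return Err(PacketError::Truncated);
    }
    Ok((&rest[..payload_len], &rest[payload_len..total]))
}

fn main() {
    // The crashing input from the report: eight zero bytes.
    let crash = b"\x00\x00\x00\x00\x00\x00\x00\x00";
    println!("crash input    -> {:?}", parse_packet(crash));
    println!("wrapped length -> {:#x}", payload_len_wrapping(0, 0));
    // Constructed well-formed packet: length 4, padding 1, payload "hi".
    let ok = b"\x00\x00\x00\x04\x01hi\x00";
    println!("valid packet   -> {:?}", parse_packet(ok));
}
```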