In https://tools.ietf.org/html/rfc4254#section-5.4 The following layout is described for Channel-Specific Requests:
byte SSH_MSG_CHANNEL_REQUEST uint32 recipient channel string request type in US-ASCII characters only boolean want reply .... type-specific data follows
We take the want reply byte within
server_read_authenticated when matching
msg::CHANNEL_REQUEST, but then we take it again after matching the
req_type. This is causing an error as the positioning of the buffer is then off by one.