
List:       openssh-unix-dev
Subject:    Re: channel->input buffer bug and patch
From:       Ben Lindstrom <mouring () etoh ! eviladmin ! org>
Date:       2004-07-13 19:00:04
Message-ID: Pine.BSO.4.44.0407131356580.27675-100000 () etoh ! eviladmin ! org



On Tue, 13 Jul 2004, Michael Stevens wrote:

> In our work with enabling large windows for openssh we found
>
> 1) that if a window > 0x10000 is advertised to openssh's sshd
> 2) the sshd tries to send more than 0x10000 bytes of data
> 3) the receiver does not consume them
> 4) the input buffer will grow larger than the size allowed by buffer.c
> and fatal().
>
> We believe the correct behavior is to limit reading into the channel
> input buffer to the maximum buffer size. Attached here is a patch; it
> should work against CVS or portable.
>
> diff -u openssh-3.8.1p1/channels.c openssh-3.8.1p1-bugfix/channels.c
> --- openssh-3.8.1p1/channels.c  2004-01-20 19:02:09.000000000 -0500
> +++ openssh-3.8.1p1-bugfix/channels.c   2004-07-13 09:37:20.000000000 -0400
> @@ -702,6 +702,8 @@
>  channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
>  {
>         u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
> +       if (limit > 0x10000)
> +               limit = 0x10000;
>
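
Review bot: the literal 0x10000 in the added `if (limit > 0x10000)` check in channel_pre_open() is a bare magic number with no comment tying it to the buffer.c size limit the report refers to; define the cap once as a named constant shared with buffer.c so the two cannot drift apart. The clamp also applies when compat20 is false and limit comes from packet_get_maxsize(), a case the report does not cover, so a comment stating whether that is intended would help. The hunk does not show how limit is compared against what is already queued in the input buffer, so it is worth confirming that a read started just under the cap cannot still push the buffer past it.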

I'm interested in which is returning the greater limit: c->remote_window
or the packet_get_maxsize() function, since both are used all over the
place for checking buffer sizes and such.  So if there is a limiting
problem, I suspect this may then be the wrong place to handle it.

- Ben

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
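
A simplified model of the condition in the quoted report, added here as an example; it is not OpenSSH code and not part of the original messages. The constants, the enum and the functions `read_budget()` and `peak_fill()` are assumptions made for illustration. It compares gating reads on the peer's window, gating on a clamped limit, and also bounding each read by the space left under the cap.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed values for this model; not taken from OpenSSH sources. */
#define MODEL_BUF_MAX 0x10000u  /* hard cap on the input buffer */
#define MODEL_CHUNK   0x4000u   /* bytes offered by each read */

enum policy { GATE_ON_WINDOW, GATE_ON_CAP, BOUND_READ_SIZE };

/* How many bytes one read may append, given the peer window and current fill. */
static size_t read_budget(enum policy p, size_t window, size_t buffered)
{
    size_t limit = window;

    if (p != GATE_ON_WINDOW && limit > MODEL_BUF_MAX)
        limit = MODEL_BUF_MAX;          /* clamp the advertised window */
    if (buffered >= limit)
        return 0;                       /* gate closed: do not read */
    if (p == BOUND_READ_SIZE && MODEL_CHUNK > limit - buffered)
        return limit - buffered;        /* never read past the limit */
    return MODEL_CHUNK;
}

/* Peer never consumes: keep reading until the gate closes; return peak fill. */
static size_t peak_fill(enum policy p, size_t window, size_t start)
{
    size_t buffered = start, n;

    while ((n = read_budget(p, window, buffered)) > 0)
        buffered += n;
    return buffered;
}

int main(void)
{
    size_t window = 0x40000;  /* constructed: peer advertises a large window */

    printf("gate on window: %#zx\n", peak_fill(GATE_ON_WINDOW, window, 0));
    printf("gate on cap:    %#zx\n", peak_fill(GATE_ON_CAP, window, 0x1));
    printf("bounded read:   %#zx\n", peak_fill(BOUND_READ_SIZE, window, 0x1));
    return 0;
}
```

In this model, a gate that only checks "buffered < limit" before a fixed-size read can still end one byte over the cap when the buffer is not chunk-aligned; bounding the read size by the remaining space removes that overshoot.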