[Bug 3098] remote channel ID seems to be checked with a wrong number

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue Nov 26 23:12:42 AEDT 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=3098

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Takashi Hashida from comment #0)
> https://github.com/openssh/openssh-portable/commit/
> 7ec5cb4d15ed2f2c5c9f5d00e6b361d136fc1e2d#diff-
> 68e5826568dd6f49d090ff4387c220d6R684
> 
> At this commit, remote channel ID upper bound is checked with
> INT_MAX.
> However, it seems that the remote channel ID is uint_32.
> https://tools.ietf.org/html/rfc4254#section-5.1

In the protocol it is, however in the code until this commit it in the
channels struct was an int:
https://github.com/openssh/openssh-portable/commit/9f53229c2

I think what you found is a remnant of some tangled history: the rework
to switch to the new API took a long time and was out-of-tree, so I
suspect the tests you found date back to before the int->uint32_t
change.  The other clue that this is the case is that after the INT_MAX
check rchan is cast to int, which would make sense if remote_id was
still an int:

    c->remote_id = (int)rchan;

As it is I think the test would disallow valid channel ids, can't be
changed into anything sensible (since all 2**32 ids expressible by a
uint32_t are equally valid) and should be deleted.

That still leaves the question of why it's a uint32_t in the header,
but u_int in the function arguments that handle channel ids.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.


More information about the openssh-bugs mailing list