[openssh-commits] [openssh] 05/12: upstream: stricter handling of channel window limits

Tue Dec 19 02:08:05 AEDT 2023

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch V_9_6
in repository openssh.

commit 0cb50eefdd29f0fec31d0e71cc4b004a5f704e67
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Dec 18 14:47:20 2023 +0000

    upstream: stricter handling of channel window limits
    
    This makes ssh/sshd more strict in handling non-compliant peers that
    send more data than the advertised channel window allows. Previously
    the additional data would be silently discarded. This change will
    cause ssh/sshd to terminate the connection if the channel window is
    exceeded by more than a small grace allowance.
    
    ok markus@
    
    OpenBSD-Commit-ID: 811e21b41831eba3dd7f67b3d409a438f20d3037
---
 channels.c | 19 ++++++++++++++-----
 channels.h |  3 ++-
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/channels.c b/channels.c
index 38135e5a..20f31dad 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.434 2023/11/15 22:51:49 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.435 2023/12/18 14:47:20 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -3407,11 +3407,20 @@ channel_input_data(int type, u_int32_t seq, struct ssh *ssh)
 		return 0;
 	}
 	if (win_len > c->local_window) {
-		logit("channel %d: rcvd too much data %zu, win %u",
-		    c->self, win_len, c->local_window);
-		return 0;
+		c->local_window_exceeded += win_len - c->local_window;
+		logit("channel %d: rcvd too much data %zu, win %u/%u "
+		    "(excess %u)", c->self, win_len, c->local_window,
+		    c->local_window_max, c->local_window_exceeded);
+		c->local_window = 0;
+		/* Allow 10% grace before bringing the hammer down */
+		if (c->local_window_exceeded > (c->local_window_max / 10)) {
+			ssh_packet_disconnect(ssh, "channel %d: peer ignored "
+			    "channel window", c->self);
+		}
+	} else {
+		c->local_window -= win_len;
+		c->local_window_exceeded = 0;
 	}
-	c->local_window -= win_len;
 
 	if (c->datagram) {
 		if ((r = sshbuf_put_string(c->output, data, data_len)) != 0)
diff --git a/channels.h b/channels.h
index 3054b04d..bb2650f6 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.153 2023/11/15 22:51:49 djm Exp $ */
+/* $OpenBSD: channels.h,v 1.154 2023/12/18 14:47:20 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -170,6 +170,7 @@ struct Channel {
 	u_int	remote_window;
 	u_int	remote_maxpacket;
 	u_int	local_window;
+	u_int	local_window_exceeded;
 	u_int	local_window_max;
 	u_int	local_consumed;
 	u_int	local_maxpacket;

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
