channel->input buffer bug and patch
Ben Lindstrom
mouring at etoh.eviladmin.org
Wed Jul 14 05:00:04 EST 2004
On Tue, 13 Jul 2004, Michael Stevens wrote:
> In our work with enabling large windows for openssh we found
>
> 1) that if a window > 0x10000 is advertised to openssh's sshd
> 2) the sshd tries to send more than 0x10000 bytes of data
> 3) the receiver does not consume them
> 4) the input buffer will grow larger than the size allowed by buffer.c
> and fatal().
>
> We believe the correct behavior is to limit reading into the channel
> input buffer to the maximum buffer size. Attached here is a patch; it
> should work against CVS or portable.
>
> diff -u openssh-3.8.1p1/channels.c openssh-3.8.1p1-bugfix/channels.c
> --- openssh-3.8.1p1/channels.c 2004-01-20 19:02:09.000000000 -0500
> +++ openssh-3.8.1p1-bugfix/channels.c 2004-07-13 09:37:20.000000000 -0400
> @@ -702,6 +702,8 @@
> channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
> {
> u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
> + if (limit > 0x10000)
> + limit = 0x10000;
>
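Review bot: the clamp added at the top of channel_pre_open() hard-codes 0x10000, while the description says the ceiling being protected is the one enforced in buffer.c. If that ceiling changes, this copy will drift from it without any warning. Suggest replacing the literal with a named constant shared with buffer.c and adding a one-line comment explaining why the limit is capped here. The cap is also applied after the ternary, so it affects the packet_get_maxsize() branch as well as c->remote_window; if only the compat20 window case is at fault, restrict the clamp to that branch or state in the comment that both are intended.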
I'm interested in which is returning a greater limit: c->remote_window
or the packet_get_maxsize() function, since both are used all over the place
for checking buffer sizes and such. So if there is a limiting problem, I
suspect this may then be the wrong place to handle it.
- Ben
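
The failure mode described in the quoted report, as an added example that is not part of the thread and not OpenSSH code: a simplified model of a capped input buffer that nobody drains, fed once with a read limit taken from the advertised window alone and once with a limit also bounded by the room left in the buffer. All names are hypothetical, BUF_MAX reuses the 0x10000 figure from the report, and bounding by remaining room goes slightly beyond the constant clamp in the patch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not OpenSSH code; all names here are hypothetical. */
#define BUF_MAX 0x10000u   /* the 0x10000 figure quoted in the thread */

struct buf { unsigned char data[BUF_MAX]; size_t len; };

/* Append n bytes; returns -1 at the point where the report says fatal() fires. */
static int buf_append(struct buf *b, const void *p, size_t n) {
    if (n > BUF_MAX - b->len) return -1;
    memcpy(b->data + b->len, p, n);
    b->len += n;
    return 0;
}

/* Read limit taken from the peer-advertised window alone. */
static size_t limit_window_only(size_t window, const struct buf *b) {
    (void)b;
    return window;
}

/* Read limit also bounded by the room left in the input buffer. */
static size_t limit_bounded(size_t window, const struct buf *b) {
    size_t room = BUF_MAX - b->len;
    return window < room ? window : room;
}

/* Feed `chunk` bytes per round, undrained; returns the overflow round or 0. */
static int simulate(size_t (*limit)(size_t, const struct buf *),
                    size_t window, size_t chunk, int rounds) {
    static struct buf b;
    static unsigned char src[BUF_MAX];   /* constructed input, all zeros */
    b.len = 0;
    for (int r = 1; r <= rounds; r++) {
        size_t n = limit(window, &b);
        if (n > chunk) n = chunk;
        if (buf_append(&b, src, n) != 0)
            return r;
        window -= n;                     /* sent bytes consume the window */
    }
    return 0;
}

int main(void) {
    printf("window-only: %d\n", simulate(limit_window_only, 0x20000, 0x4000, 16));
    printf("bounded:     %d\n", simulate(limit_bounded, 0x20000, 0x4000, 16));
    return 0;
}
```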