Using realloc to remove MAX_LISTEN_SOCKS limit on sshd.c

Peter Stuge peter at stuge.se
Tue Dec 23 12:43:06 EST 2008 

Hi,

Dan Armstrong wrote:
> I made this change on the version of OpenSSH shipped with CentOS
> 5.2, version 4.3p2.

In the future please make changes against the latest version of the
source code which is available via anonymous CVS. Your change is not
too big, so hopefully it doesn't require very much work to forward
port onto the the latest version.


> Please see the attached .c file and .diff file.

When sending patches in the future please send only the diff output,
and most groups prefer the unified diff format (diff -U) because it
is a lot easier to read.


> 148,149c148,149
> < #define	MAX_LISTEN_SOCKS	16
> < int listen_socks[MAX_LISTEN_SOCKS];
> ---
> > int *listen_socks = NULL;
> > int listen_socks_len = 0;
> 1281,1283d1280
> < 			if (num_listen_socks >= MAX_LISTEN_SOCKS)
> < 				fatal("Too many listen sockets. "
> < 				    "Enlarge MAX_LISTEN_SOCKS");
> 1321a1319,1334
> > 			/* Create/expand listen_socks as needed */
> > 			if(num_listen_socks >= listen_socks_len) {
> > 				int *old_listen_socks = listen_socks;
> > 				/* Start at 16 and then double as needed */
> > 				int new_listen_socks_len = listen_socks_len == 0 ? 16 : (listen_socks_len << 1);
> > 				listen_socks = realloc(listen_socks, new_listen_socks_len * sizeof(int));
> > 				if(listen_socks == NULL) {
> > 					free(old_listen_socks);
> > 					old_listen_socks = NULL;
> > 					listen_socks_len = 0;
> > 					fatal("realloc listen_socks: %s", strerror(errno));
> > 				} else {
> > 					listen_socks_len = new_listen_socks_len;
> > 				}
> > 			}

I'm not sure.. I would probably just increase MAX_LISTEN_SOCKS.

Alternatively perhaps the server you couldn't log in to could set
something up with a wildcard listen and a few firewall rules?


Peter Teoh wrote:
> Sorry if I may ask the risks of this option - will it not lead to
> any potential scenario of Denial of Service, if some how the number
> of ListenAddress can be arbitrarily increase without limit, and
> thus leading to realloc() allocating large amount of memory?

It's not a problem. This code runs once at server startup. Whoever is
running sshd could use it to allocate large amounts of memory, but
they could just as easily build another program which does the same
thing. The protection against this situation is to configure limits,
maybe using ulimit.


//Peter

More information about the openssh-unix-dev mailing list