Using realloc to remove MAX_LISTEN_SOCKS limit on sshd.c
dan at aoindustries.com
Wed Dec 24 04:59:51 EST 2008
I fully agree that there is no DoS aspect to this.
As for the patch, it is very simple. It doesn't change the
functionality of sshd in any way. It just takes a fixed-size array and
replaces it with a dynamically-growable version. The use of
predetermined-size arrays, as done in C code everywhere, is sometimes in
appropriate and gets in the way of using the software. I have been
submitting patches similar to this to various open source projects as
they affect me.
We have the need for more than 15 binds. In our virtual hosting
environment, users can select exactly which services they want enabled
on a per-IP basis. Also, we don't bind to 0.0.0.0 because one of our
fail-over techniques is to run multiple servers in different chroot
environments. Thus, we have different sshd instances running, one per
chroot environment, each binding to the specific set of IP addresses
associated with the chroot environment.
I guess my #1 concern is that once you hit the limit, your sshd is
dead. You can't login. You can't get in there to fix the config file
to get your sshd back online. If you guys don't like the use of realloc
to handle any number of ListenAddress, please at least bind to the first
MAX_LISTEN_SOCKS and syslog/stderr warnings about the extras, instead of
leaving a dead sshd. I can submit a patch for this behavior, if you like.
Please add the patch. It simply allows the software to do what it is
told without the risk of a surprise dead sshd.
AO Industries, Inc.
dan at aoindustries.com
Work: (251) 607-9556
Cell: (205) 454-2556
Ben Lindstrom wrote:
> On Dec 21, 2008, at 11:34 AM, Peter Teoh wrote:
>> Dan Armstrong wrote:
>>> OpenSSH developers,
>>> I have removed the fixed, arbitrary limit on the number of
>>> ListenAddress allowed by using realloc to dynamically expand
>>> listen_socks as needed. This completely removes MAX_LISTEN_SOCKS from
>>> the source. I made this change on the version of OpenSSH shipped with
>>> CentOS 5.2, version 4.3p2. Please see the attached .c file and .diff
>>> file. Please add these changes to OpenSSH to save people from having
>>> to predetermine their workload before compilation. It can also save
>>> some people some grief - I've been unable to login to a server because
>>> of this one.
>> Sorry if I may ask the risks of this option - will it not lead to any
>> potential scenario of Denial of Service, if some how the number of
>> ListenAddress can be arbitrarily increase without limit, and thus
>> leading to realloc() allocating large amount of memory?
> I can't see how this would be a "DoS", since ListenAddress must be set
> by the server on launch. One can flood a single port just as easy as
> they can flood multiple ports.
> I'm still trying to figure out why one would want OpenSSH listening on
> more than 15 ports/address combination. Is it really worth the added
> - Ben
More information about the openssh-unix-dev