Using realloc to remove MAX_LISTEN_SOCKS limit on sshd.c
Dan Armstrong
dan at aoindustries.com
Wed Dec 24 04:59:51 EST 2008
Ben,
I fully agree that there is no DoS aspect to this.
As for the patch, it is very simple. It doesn't change the
functionality of sshd in any way. It just takes a fixed-size array and
replaces it with a dynamically-growable version. The use of
predetermined-size arrays, as done in C code everywhere, is sometimes
inappropriate and gets in the way of using the software. I have been
submitting patches similar to this to various open source projects as
they affect me.
We have the need for more than 15 binds. In our virtual hosting
environment, users can select exactly which services they want enabled
on a per-IP basis. Also, we don't bind to 0.0.0.0 because one of our
fail-over techniques is to run multiple servers in different chroot
environments. Thus, we have different sshd instances running, one per
chroot environment, each binding to the specific set of IP addresses
associated with the chroot environment.
I guess my #1 concern is that once you hit the limit, your sshd is
dead. You can't log in. You can't get in there to fix the config file
to get your sshd back online. If you guys don't like the use of realloc
to handle any number of ListenAddress, please at least bind to the first
MAX_LISTEN_SOCKS and syslog/stderr warnings about the extras, instead of
leaving a dead sshd. I can submit a patch for this behavior, if you like.
Please add the patch. It simply allows the software to do what it is
told without the risk of a surprise dead sshd.
Thank you,
Dan Armstrong
AO Industries, Inc.
dan at aoindustries.com
Work: (251) 607-9556
Cell: (205) 454-2556
Ben Lindstrom wrote:
>
> On Dec 21, 2008, at 11:34 AM, Peter Teoh wrote:
>
>> Dan Armstrong wrote:
>>> OpenSSH developers,
>>>
>>> I have removed the fixed, arbitrary limit on the number of
>>> ListenAddress allowed by using realloc to dynamically expand
>>> listen_socks as needed. This completely removes MAX_LISTEN_SOCKS from
>>> the source. I made this change on the version of OpenSSH shipped with
>>> CentOS 5.2, version 4.3p2. Please see the attached .c file and .diff
>>> file. Please add these changes to OpenSSH to save people from having
>>> to predetermine their workload before compilation. It can also save
>>> some people some grief - I've been unable to log in to a server because
>>> of this one.
>>
>> Sorry if I may ask the risks of this option - will it not lead to any
>> potential scenario of Denial of Service, if somehow the number of
>> ListenAddress can be arbitrarily increased without limit, and thus
>> lead to realloc() allocating a large amount of memory?
>>
>
> I can't see how this would be a "DoS", since ListenAddress must be set
> by the server on launch. One can flood a single port just as easily as
> they can flood multiple ports.
>
> I'm still trying to figure out why one would want OpenSSH listening on
> more than 15 port/address combinations. Is it really worth the added
> complexity?
>
> - Ben
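The two behaviours discussed in this thread, written out as an added example that is not Dan's patch and not OpenSSH code: a listen-socket list grown with realloc (with the overflow and allocation-failure checks such a change needs), and the fallback of binding only the first MAX_LISTEN_SOCKS and logging the rest instead of leaving a dead sshd. The cap value and the fd numbers are constructed for illustration.

```c
/* Added example (not the thread's patch): listen-socket fds kept in a
 * realloc-grown array, plus the suggested fallback of binding only the
 * first MAX_LISTEN_SOCKS and warning about the rest. fds are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_LISTEN_SOCKS 16   /* hypothetical cap used by the fallback */
struct listen_socks { int *fds; size_t num, cap; };

/* Append fd, doubling capacity when full. Returns 0, or -1 if growing
 * would overflow or realloc fails; the old array stays valid either way. */
int listen_socks_add(struct listen_socks *ls, int fd)
{
    if (ls->num == ls->cap) {
        size_t ncap = ls->cap ? ls->cap * 2 : 4;
        if (ncap > SIZE_MAX / sizeof(*ls->fds))
            return -1;
        int *tmp = realloc(ls->fds, ncap * sizeof(*ls->fds));
        if (tmp == NULL)
            return -1;        /* not assigned to ls->fds, so nothing leaks */
        ls->fds = tmp;
        ls->cap = ncap;
    }
    ls->fds[ls->num++] = fd;
    return 0;
}

void listen_socks_free(struct listen_socks *ls)
{
    free(ls->fds);
    ls->fds = NULL;
    ls->num = ls->cap = 0;
}

/* Fallback: accept the first MAX_LISTEN_SOCKS entries and log the rest
 * rather than refusing to start. Returns the number skipped. */
size_t bind_first_n(const int *fds, size_t n, FILE *log)
{
    size_t skipped = 0;
    for (size_t i = 0; i < n; i++) {
        if (i < MAX_LISTEN_SOCKS)
            continue;         /* a real server would bind()/listen() fds[i] */
        fprintf(log, "ListenAddress %zu (fd %d) ignored: MAX_LISTEN_SOCKS=%d\n",
                i + 1, fds[i], MAX_LISTEN_SOCKS);
        skipped++;
    }
    return skipped;
}
```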