[Bug 1360] Connection aborted on large data -R transfer

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue Sep 18 05:43:01 EST 2007


--- Comment #2 from Jan Kratochvil <jan.kratochvil at redhat.com>  2007-09-18 05:42:54 ---
Created an attachment (id=1349)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1349)
Fix - undo one patch.

IMO the problem is due to the patch:
   - markus at cvs.openbsd.org 2007/06/11 09:14:00
     increase default channel windows; ok djm

The attached patch workarounds it (tested only briefly and only the
client side).

The problem is reported from packet.c:
                if (packet_length < 1 + 4 || packet_length > 256 *
1024) {
                        packet_disconnect("Bad packet length %u.",
and the code is right - the size like 557056 is definitely > 256KB.

Removing only this check does not help, the server then crashes on:
Sep 17 21:25:45 host1 sshd[4072]: fatal: buffer_append_space: len
1326080 not supported

The tested server (different than in my original bugreport) is:

I hope there is now enough info for understanding the problem.
I expect you are aware of the window sizes negotiations across SSH
versions and their maximum allowed values permitted by the protocol.

Reproducer is:
$ nc -l 5000 >/dev/null & ssh -vvvv -R 5000:localhost:5000 REMOTE_HOST
'nc </dev/urandom localhost 5000'
(with local x86_64 openssh-4.7 under the test and remote
openssh-4.3p2-19.fc6.i386, running over 11Mbit connection)

Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

More information about the openssh-bugs mailing list