[Bug 1360] Connection aborted on large data -R transfer

Tue Sep 18 05:43:01 EST 2007

http://bugzilla.mindrot.org/show_bug.cgi?id=1360

--- Comment #2 from Jan Kratochvil <jan.kratochvil at redhat.com>  2007-09-18 05:42:54 ---
Created an attachment (id=1349)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1349)
Fix - undo one patch.

IMO the problem is due to the patch:
   - markus at cvs.openbsd.org 2007/06/11 09:14:00
     [channels.h]
     increase default channel windows; ok djm

The attached patch workarounds it (tested only briefly and only the
client side).

The problem is reported from packet.c:
                if (packet_length < 1 + 4 || packet_length > 256 *
1024) {
#ifdef PACKET_DEBUG
                        buffer_dump(&incoming_packet);
#endif
                        packet_disconnect("Bad packet length %u.",
packet_length);
                }
and the code is right - the size like 557056 is definitely > 256KB.

Removing only this check does not help, the server then crashes on:
Sep 17 21:25:45 host1 sshd[4072]: fatal: buffer_append_space: len
1326080 not supported

The tested server (different than in my original bugreport) is:
openssh-4.3p2-19.fc6.i386

I hope there is now enough info for understanding the problem.
I expect you are aware of the window sizes negotiations across SSH
versions and their maximum allowed values permitted by the protocol.

Reproducer is:
$ nc -l 5000 >/dev/null & ssh -vvvv -R 5000:localhost:5000 REMOTE_HOST
'nc </dev/urandom localhost 5000'
(with local x86_64 openssh-4.7 under the test and remote
openssh-4.3p2-19.fc6.i386, running over 11Mbit connection)

-- 
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.