scp doesn't work with large (>2GB) files

Jani Jaakkola jjaakkol at cs.Helsinki.FI
Thu Sep 13 02:56:48 EST 2001


On Wed, 12 Sep 2001, Theo de Raadt wrote:

> This is ridiculous.
>
> It means that any existing program that is not aware of this flag
> will have two divergent behaviours.
>
> That is the kind of bug that results in security holes.  I have tons
> of experience with this, and this is INCREDIBLY dangerous.

Yes, in Linux existing programs that do not use -D_FILE_OFFSET_BITS=64
cannot open or write files larger than 2G (they fail with EFBIG).
Personally I don't think that this poses a great security risk, since
failing to open a file can happen for a myriad of other reasons too.

However, if an existing 32-bit off_t program could open a file larger than
2G, it would be suspect to at least signedness errors when off_t overflows.
And that is one of the reasons for which O_LARGEFILE should not be used
directly.

So, O_LARGEFILE should not be used by openssh.

- Jani




More information about the openssh-unix-dev mailing list