channel->input buffer bug and patch

Michael Stevens stevensm at gmail.com
Wed Jul 14 04:15:35 EST 2004


In our work with enabling large windows for openssh we found 

1) that if a window > 0x10000 is advertised to openssh's sshd
2) the sshd tries to send more than 0x10000 bytes of data
3) the receiver does not consume them
4) the input buffer will grow larger than the size allowed by buffer.c
and fatal().

We believe the correct behavior is to limit reading into the channel
input buffer to the maximum buffer size. Attached here is a patch; it
should work against CVS or portable.

diff -u openssh-3.8.1p1/channels.c openssh-3.8.1p1-bugfix/channels.c
--- openssh-3.8.1p1/channels.c  2004-01-20 19:02:09.000000000 -0500
+++ openssh-3.8.1p1-bugfix/channels.c   2004-07-13 09:37:20.000000000 -0400
@@ -702,6 +702,8 @@
 channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
 {
        u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
+       if (limit > 0x10000)
+               limit = 0x10000;
 
        if (c->istate == CHAN_INPUT_OPEN &&
            limit > 0 &&
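Review bot: the clamp at the top of channel_pre_open() hardcodes 0x10000, the same magic number the cover text describes as the cap in buffer.c; if that cap ever changes in buffer.c, this copy silently diverges, so it should be a named constant shared with (or exported by) buffer.c rather than a literal, and a comment on the two added lines should say why the remote window cannot be trusted as the read limit (the peer controls c->remote_window in the compat20 path). Note also that the clamp applies equally to the non-compat20 branch, where limit comes from packet_get_maxsize(); that is harmless only if packet_get_maxsize() is never meant to exceed 0x10000, which is worth stating in the same comment.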
Common subdirectories: openssh-3.8.1p1/contrib and
openssh-3.8.1p1-bugfix/contrib
Common subdirectories: openssh-3.8.1p1/openbsd-compat and
openssh-3.8.1p1-bugfix/openbsd-compat
Common subdirectories: openssh-3.8.1p1/regress and
openssh-3.8.1p1-bugfix/regress
Common subdirectories: openssh-3.8.1p1/scard and openssh-3.8.1p1-bugfix/scard