summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2018-05-11 03:38:52 +0000
committerDamien Miller <djm@cvs.openbsd.org>2018-05-11 03:38:52 +0000
commite7d95152ba0c01db32dbab9938d03bbd7b590d76 (patch)
treeed152797f20f0e4ef5628bb8e2c1f0915fcdc4a3
parent254d8cd39b379b183be33914eb0cc1b9d517e340 (diff)
implement EMFILE mitigation for ssh-agent: remember the fd rlimit
and stop accepting new connections when it is exceeded (with some grace). Accept is resumed when enough connections are closed. bz#2576. feedback deraadt; ok dtucker@
-rw-r--r--usr.bin/ssh/ssh-agent.c60
1 files changed, 49 insertions, 11 deletions
diff --git a/usr.bin/ssh/ssh-agent.c b/usr.bin/ssh/ssh-agent.c
index ffcdb8cd427..a25048f6b5a 100644
--- a/usr.bin/ssh/ssh-agent.c
+++ b/usr.bin/ssh/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.230 2018/04/10 00:10:49 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.231 2018/05/11 03:38:51 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -871,10 +871,10 @@ handle_conn_write(u_int socknum)
}
static void
-after_poll(struct pollfd *pfd, size_t npfd)
+after_poll(struct pollfd *pfd, size_t npfd, u_int maxfds)
{
size_t i;
- u_int socknum;
+ u_int socknum, activefds = npfd;
for (i = 0; i < npfd; i++) {
if (pfd[i].revents == 0)
@@ -894,18 +894,30 @@ after_poll(struct pollfd *pfd, size_t npfd)
/* Process events */
switch (sockets[socknum].type) {
case AUTH_SOCKET:
- if ((pfd[i].revents & (POLLIN|POLLERR)) != 0)
- handle_socket_read(socknum);
+ if ((pfd[i].revents & (POLLIN|POLLERR)) == 0)
+ break;
+ if (npfd > maxfds) {
+ debug3("out of fds (active %u >= limit %u); "
+ "skipping accept", activefds, maxfds);
+ break;
+ }
+ if (handle_socket_read(socknum) == 0)
+ activefds++;
break;
case AUTH_CONNECTION:
if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 &&
handle_conn_read(socknum) != 0) {
- close_socket(&sockets[socknum]);
- break;
+ goto close_sock;
}
if ((pfd[i].revents & (POLLOUT|POLLHUP)) != 0 &&
- handle_conn_write(socknum) != 0)
+ handle_conn_write(socknum) != 0) {
+ close_sock:
+ if (activefds == 0)
+ fatal("activefds == 0 at close_sock");
close_socket(&sockets[socknum]);
+ activefds--;
+ break;
+ }
break;
default:
break;
@@ -914,7 +926,7 @@ after_poll(struct pollfd *pfd, size_t npfd)
}
static int
-prepare_poll(struct pollfd **pfdp, size_t *npfdp, int *timeoutp)
+prepare_poll(struct pollfd **pfdp, size_t *npfdp, int *timeoutp, u_int maxfds)
{
struct pollfd *pfd = *pfdp;
size_t i, j, npfd = 0;
@@ -943,6 +955,16 @@ prepare_poll(struct pollfd **pfdp, size_t *npfdp, int *timeoutp)
for (i = j = 0; i < sockets_alloc; i++) {
switch (sockets[i].type) {
case AUTH_SOCKET:
+ if (npfd > maxfds) {
+ debug3("out of fds (active %zu >= limit %u); "
+ "skipping arming listener", npfd, maxfds);
+ break;
+ }
+ pfd[j].fd = sockets[i].fd;
+ pfd[j].revents = 0;
+ pfd[j].events = POLLIN;
+ j++;
+ break;
case AUTH_CONNECTION:
pfd[j].fd = sockets[i].fd;
pfd[j].revents = 0;
@@ -1041,6 +1063,7 @@ main(int ac, char **av)
int timeout = -1; /* INFTIM */
struct pollfd *pfd = NULL;
size_t npfd = 0;
+ u_int maxfds;
ssh_malloc_init(); /* must be called before any mallocs */
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
@@ -1050,6 +1073,9 @@ main(int ac, char **av)
setegid(getgid());
setgid(getgid());
+ if (getrlimit(RLIMIT_NOFILE, &rlim) == -1)
+ fatal("%s: getrlimit: %s", __progname, strerror(errno));
+
#ifdef WITH_OPENSSL
OpenSSL_add_all_algorithms();
#endif
@@ -1143,6 +1169,18 @@ main(int ac, char **av)
printf("echo Agent pid %ld killed;\n", (long)pid);
exit(0);
}
+
+ /*
+ * Minimum file descriptors:
+ * stdio (3) + listener (1) + syslog (1 maybe) + connection (1) +
+ * a few spare for libc / stack protectors / sanitisers, etc.
+ */
+#define SSH_AGENT_MIN_FDS (3+1+1+1+4)
+ if (rlim.rlim_cur < SSH_AGENT_MIN_FDS)
+ fatal("%s: file descriptior rlimit %lld too low (minimum %u)",
+ __progname, (long long)rlim.rlim_cur, SSH_AGENT_MIN_FDS);
+ maxfds = rlim.rlim_cur - SSH_AGENT_MIN_FDS;
+
parent_pid = getpid();
if (agentsocket == NULL) {
@@ -1259,7 +1297,7 @@ skip:
fatal("%s: pledge: %s", __progname, strerror(errno));
while (1) {
- prepare_poll(&pfd, &npfd, &timeout);
+ prepare_poll(&pfd, &npfd, &timeout, maxfds);
result = poll(pfd, npfd, timeout);
saved_errno = errno;
if (parent_alive_interval != 0)
@@ -1270,7 +1308,7 @@ skip:
continue;
fatal("poll: %s", strerror(saved_errno));
} else if (result > 0)
- after_poll(pfd, npfd);
+ after_poll(pfd, npfd, maxfds);
}
/* NOTREACHED */
}