diff options
author | Damien Miller <djm@cvs.openbsd.org> | 2018-05-11 03:38:52 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2018-05-11 03:38:52 +0000 |
commit | e7d95152ba0c01db32dbab9938d03bbd7b590d76 (patch) | |
tree | ed152797f20f0e4ef5628bb8e2c1f0915fcdc4a3 | |
parent | 254d8cd39b379b183be33914eb0cc1b9d517e340 (diff) |
implement EMFILE mitigation for ssh-agent: remember the fd rlimit
and stop accepting new connections when it is exceeded (with some
grace). Accept is resumed when enough connections are closed.
bz#2576. feedback deraadt; ok dtucker@
-rw-r--r-- | usr.bin/ssh/ssh-agent.c | 60 |
1 files changed, 49 insertions, 11 deletions
diff --git a/usr.bin/ssh/ssh-agent.c b/usr.bin/ssh/ssh-agent.c index ffcdb8cd427..a25048f6b5a 100644 --- a/usr.bin/ssh/ssh-agent.c +++ b/usr.bin/ssh/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.230 2018/04/10 00:10:49 djm Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.231 2018/05/11 03:38:51 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -871,10 +871,10 @@ handle_conn_write(u_int socknum) } static void -after_poll(struct pollfd *pfd, size_t npfd) +after_poll(struct pollfd *pfd, size_t npfd, u_int maxfds) { size_t i; - u_int socknum; + u_int socknum, activefds = npfd; for (i = 0; i < npfd; i++) { if (pfd[i].revents == 0) @@ -894,18 +894,30 @@ after_poll(struct pollfd *pfd, size_t npfd) /* Process events */ switch (sockets[socknum].type) { case AUTH_SOCKET: - if ((pfd[i].revents & (POLLIN|POLLERR)) != 0) - handle_socket_read(socknum); + if ((pfd[i].revents & (POLLIN|POLLERR)) == 0) + break; + if (npfd > maxfds) { + debug3("out of fds (active %u >= limit %u); " + "skipping accept", activefds, maxfds); + break; + } + if (handle_socket_read(socknum) == 0) + activefds++; break; case AUTH_CONNECTION: if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 && handle_conn_read(socknum) != 0) { - close_socket(&sockets[socknum]); - break; + goto close_sock; } if ((pfd[i].revents & (POLLOUT|POLLHUP)) != 0 && - handle_conn_write(socknum) != 0) + handle_conn_write(socknum) != 0) { + close_sock: + if (activefds == 0) + fatal("activefds == 0 at close_sock"); close_socket(&sockets[socknum]); + activefds--; + break; + } break; default: break; @@ -914,7 +926,7 @@ after_poll(struct pollfd *pfd, size_t npfd) } static int -prepare_poll(struct pollfd **pfdp, size_t *npfdp, int *timeoutp) +prepare_poll(struct pollfd **pfdp, size_t *npfdp, int *timeoutp, u_int maxfds) { struct pollfd *pfd = *pfdp; size_t i, j, npfd = 0; @@ -943,6 +955,16 @@ prepare_poll(struct pollfd **pfdp, size_t *npfdp, int *timeoutp) for (i = j = 0; i < sockets_alloc; i++) { switch (sockets[i].type) { case AUTH_SOCKET: + if (npfd > maxfds) { + debug3("out of fds (active %zu >= limit %u); " + "skipping arming listener", npfd, maxfds); + break; + } + pfd[j].fd = sockets[i].fd; + pfd[j].revents = 0; + pfd[j].events = POLLIN; + j++; + break; case AUTH_CONNECTION: pfd[j].fd = sockets[i].fd; pfd[j].revents = 0; @@ -1041,6 +1063,7 @@ main(int ac, char **av) int timeout = -1; /* INFTIM */ struct pollfd *pfd = NULL; size_t npfd = 0; + u_int maxfds; ssh_malloc_init(); /* must be called before any mallocs */ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ @@ -1050,6 +1073,9 @@ main(int ac, char **av) setegid(getgid()); setgid(getgid()); + if (getrlimit(RLIMIT_NOFILE, &rlim) == -1) + fatal("%s: getrlimit: %s", __progname, strerror(errno)); + #ifdef WITH_OPENSSL OpenSSL_add_all_algorithms(); #endif @@ -1143,6 +1169,18 @@ main(int ac, char **av) printf("echo Agent pid %ld killed;\n", (long)pid); exit(0); } + + /* + * Minimum file descriptors: + * stdio (3) + listener (1) + syslog (1 maybe) + connection (1) + + * a few spare for libc / stack protectors / sanitisers, etc. + */ +#define SSH_AGENT_MIN_FDS (3+1+1+1+4) + if (rlim.rlim_cur < SSH_AGENT_MIN_FDS) + fatal("%s: file descriptior rlimit %lld too low (minimum %u)", + __progname, (long long)rlim.rlim_cur, SSH_AGENT_MIN_FDS); + maxfds = rlim.rlim_cur - SSH_AGENT_MIN_FDS; + parent_pid = getpid(); if (agentsocket == NULL) { @@ -1259,7 +1297,7 @@ skip: fatal("%s: pledge: %s", __progname, strerror(errno)); while (1) { - prepare_poll(&pfd, &npfd, &timeout); + prepare_poll(&pfd, &npfd, &timeout, maxfds); result = poll(pfd, npfd, timeout); saved_errno = errno; if (parent_alive_interval != 0) @@ -1270,7 +1308,7 @@ skip: continue; fatal("poll: %s", strerror(saved_errno)); } else if (result > 0) - after_poll(pfd, npfd); + after_poll(pfd, npfd, maxfds); } /* NOTREACHED */ } |