Fix proxy multiplexing (-O proxy) bug

If a mux started with ControlPersist then later has a forwarding added using
mux proxy connection and the forwarding was used, then when the mux proxy
session terminates, the mux master process will send a channel close to the
server with a bad channel ID and crash the connection.

This was caused by my stupidly reusing c->remote_id for mux channel
associations when I should have just added another member to struct channel.

ok markus@

1 files changed, 4 insertions, 2 deletions

diff --git a/usr.bin/ssh/nchan.c b/usr.bin/ssh/nchan.c
index 8757cd9290d..63cecbb7442 100644
--- a/usr.bin/ssh/nchan.c
+++ b/usr.bin/ssh/nchan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: nchan.c,v 1.75 2024/02/01 02:37:33 djm Exp $ */
+/* $OpenBSD: nchan.c,v 1.76 2024/07/25 22:40:08 djm Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  *
@@ -206,7 +206,7 @@ chan_send_close2(struct ssh *ssh, Channel *c)
 {
 	int r;
 
-	debug2("channel %d: send close", c->self);
+	debug2("channel %d: send_close2", c->self);
 	if (c->ostate != CHAN_OUTPUT_CLOSED ||
 	    c->istate != CHAN_INPUT_CLOSED) {
 		error("channel %d: cannot send close for istate/ostate %d/%d",
@@ -216,6 +216,8 @@ chan_send_close2(struct ssh *ssh, Channel *c)
 	} else {
 		if (!c->have_remote_id)
 			fatal_f("channel %d: no remote_id", c->self);
+		debug2("channel %d: send close for remote id %u", c->self,
+		    c->remote_id);
 		if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_CLOSE)) != 0 ||
 		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
 		    (r = sshpkt_send(ssh)) != 0)