diff options
author | Damien Miller <djm@cvs.openbsd.org> | 2006-04-16 00:48:53 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2006-04-16 00:48:53 +0000 |
commit | cd2086131cfa7a617ead6b20e863c7ef00085e71 (patch) | |
tree | e482e62a03c5e1105047aa14f2c4470e832e50d3 /usr.bin/ssh | |
parent | 3cefa904cb30201736ca7b139bb5ec896e966c4f (diff) |
Fix condition where we could exit with a fatal error when an input
buffer became too large and the remote end had advertised a big window.
The problem was a mismatch in the backoff math between the channels code
and the buffer code, so make a buffer_check_alloc() function that the
channels code can use to propsectivly check whether an incremental
allocation will succeed. bz #1131, debugged with the assistance of
cove AT wildpackets.com; ok dtucker@ deraadt@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r-- | usr.bin/ssh/buffer.c | 61 | ||||
-rw-r--r-- | usr.bin/ssh/buffer.h | 7 | ||||
-rw-r--r-- | usr.bin/ssh/channels.c | 8 |
3 files changed, 54 insertions, 22 deletions
diff --git a/usr.bin/ssh/buffer.c b/usr.bin/ssh/buffer.c index de404e60245..ba718daf221 100644 --- a/usr.bin/ssh/buffer.c +++ b/usr.bin/ssh/buffer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: buffer.c,v 1.26 2006/03/25 13:17:01 djm Exp $ */ +/* $OpenBSD: buffer.c,v 1.27 2006/04/16 00:48:52 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -18,6 +18,10 @@ #include "buffer.h" #include "log.h" +#define BUFFER_MAX_CHUNK 0x100000 +#define BUFFER_MAX_LEN 0xa00000 +#define BUFFER_ALLOCSZ 0x008000 + /* Initializes the buffer structure. */ void @@ -66,6 +70,23 @@ buffer_append(Buffer *buffer, const void *data, u_int len) memcpy(p, data, len); } +static int +buffer_compact(Buffer *buffer) +{ + /* + * If the buffer is quite empty, but all data is at the end, move the + * data to the beginning. + */ + if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) { + memmove(buffer->buf, buffer->buf + buffer->offset, + buffer->end - buffer->offset); + buffer->end -= buffer->offset; + buffer->offset = 0; + return (1); + } + return (0); +} + /* * Appends space to the buffer, expanding the buffer if necessary. This does * not actually copy the data into the buffer, but instead returns a pointer @@ -93,20 +114,13 @@ restart: buffer->end += len; return p; } - /* - * If the buffer is quite empty, but all data is at the end, move the - * data to the beginning and retry. - */ - if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) { - memmove(buffer->buf, buffer->buf + buffer->offset, - buffer->end - buffer->offset); - buffer->end -= buffer->offset; - buffer->offset = 0; + + /* Compact data back to the start of the buffer if necessary */ + if (buffer_compact(buffer)) goto restart; - } - /* Increase the size of the buffer and retry. */ - newlen = buffer->alloc + len + 32768; + /* Increase the size of the buffer and retry. */ + newlen = roundup(buffer->alloc + len, BUFFER_ALLOCSZ); if (newlen > BUFFER_MAX_LEN) fatal("buffer_append_space: alloc %u not supported", newlen); @@ -116,6 +130,27 @@ restart: /* NOTREACHED */ } +/* + * Check whether an allocation of 'len' will fit in the buffer + * This must follow the same math as buffer_append_space + */ +int +buffer_check_alloc(Buffer *buffer, u_int len) +{ + if (buffer->offset == buffer->end) { + buffer->offset = 0; + buffer->end = 0; + } + restart: + if (buffer->end + len < buffer->alloc) + return (1); + if (buffer_compact(buffer)) + goto restart; + if (roundup(buffer->alloc + len, BUFFER_ALLOCSZ) <= BUFFER_MAX_LEN) + return (1); + return (0); +} + /* Returns the number of bytes of data in the buffer. */ u_int diff --git a/usr.bin/ssh/buffer.h b/usr.bin/ssh/buffer.h index abdaea3493d..43414ae99e5 100644 --- a/usr.bin/ssh/buffer.h +++ b/usr.bin/ssh/buffer.h @@ -1,4 +1,4 @@ -/* $OpenBSD: buffer.h,v 1.14 2006/03/25 22:22:42 djm Exp $ */ +/* $OpenBSD: buffer.h,v 1.15 2006/04/16 00:48:52 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -23,9 +23,6 @@ typedef struct { u_int end; /* Offset of last byte containing data. */ } Buffer; -#define BUFFER_MAX_CHUNK 0x100000 -#define BUFFER_MAX_LEN 0xa00000 - void buffer_init(Buffer *); void buffer_clear(Buffer *); void buffer_free(Buffer *); @@ -36,6 +33,8 @@ void *buffer_ptr(Buffer *); void buffer_append(Buffer *, const void *, u_int); void *buffer_append_space(Buffer *, u_int); +int buffer_check_alloc(Buffer *, u_int); + void buffer_get(Buffer *, void *, u_int); void buffer_consume(Buffer *, u_int); diff --git a/usr.bin/ssh/channels.c b/usr.bin/ssh/channels.c index 854bc2fd226..1d4a24a473f 100644 --- a/usr.bin/ssh/channels.c +++ b/usr.bin/ssh/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.249 2006/03/30 09:41:25 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.250 2006/04/16 00:48:52 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -746,12 +746,10 @@ channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset) { u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); - /* check buffer limits */ - limit = MIN(limit, (BUFFER_MAX_LEN - BUFFER_MAX_CHUNK - CHAN_RBUF)); - if (c->istate == CHAN_INPUT_OPEN && limit > 0 && - buffer_len(&c->input) < limit) + buffer_len(&c->input) < limit && + buffer_check_alloc(&c->input, CHAN_RBUF)) FD_SET(c->rfd, readset); if (c->ostate == CHAN_OUTPUT_OPEN || c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { |