diff options
| author | Markus Friedl <markus@cvs.openbsd.org> | 2005-03-14 11:46:57 +0000 |
|---|---|---|
| committer | Markus Friedl <markus@cvs.openbsd.org> | 2005-03-14 11:46:57 +0000 |
| commit | cfd931622f0e30d11d731bf621aef06c3cc42dca (patch) | |
| tree | fc340cb642670505958faa3f76d3378d7077a93b /usr.bin/ssh | |
| parent | 3d2a2ca4ee3d89509cc28b5b6bfc1cfcd1004bb5 (diff) | |
limit input buffer size for channels; bugzilla #896; with and ok dtucker@
Diffstat (limited to 'usr.bin/ssh')
| -rw-r--r-- | usr.bin/ssh/buffer.c | 8 | ||||
| -rw-r--r-- | usr.bin/ssh/buffer.h | 5 | ||||
| -rw-r--r-- | usr.bin/ssh/channels.c | 11 |
3 files changed, 16 insertions, 8 deletions
diff --git a/usr.bin/ssh/buffer.c b/usr.bin/ssh/buffer.c index 1a25004ba2b..487e0810598 100644 --- a/usr.bin/ssh/buffer.c +++ b/usr.bin/ssh/buffer.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: buffer.c,v 1.22 2004/10/29 23:56:17 djm Exp $"); +RCSID("$OpenBSD: buffer.c,v 1.23 2005/03/14 11:46:56 markus Exp $"); #include "xmalloc.h" #include "buffer.h" @@ -78,7 +78,7 @@ buffer_append_space(Buffer *buffer, u_int len) u_int newlen; void *p; - if (len > 0x100000) + if (len > BUFFER_MAX_CHUNK) fatal("buffer_append_space: len %u not supported", len); /* If the buffer is empty, start using it from the beginning. */ @@ -97,7 +97,7 @@ restart: * If the buffer is quite empty, but all data is at the end, move the * data to the beginning and retry. */ - if (buffer->offset > buffer->alloc / 2) { + if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) { memmove(buffer->buf, buffer->buf + buffer->offset, buffer->end - buffer->offset); buffer->end -= buffer->offset; @@ -107,7 +107,7 @@ restart: /* Increase the size of the buffer and retry. */ newlen = buffer->alloc + len + 32768; - if (newlen > 0xa00000) + if (newlen > BUFFER_MAX_LEN) fatal("buffer_append_space: alloc %u not supported", newlen); buffer->buf = xrealloc(buffer->buf, newlen); diff --git a/usr.bin/ssh/buffer.h b/usr.bin/ssh/buffer.h index 9c09d4f43f7..2b20eed52ac 100644 --- a/usr.bin/ssh/buffer.h +++ b/usr.bin/ssh/buffer.h @@ -1,4 +1,4 @@ -/* $OpenBSD: buffer.h,v 1.12 2004/10/29 23:56:17 djm Exp $ */ +/* $OpenBSD: buffer.h,v 1.13 2005/03/14 11:46:56 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -23,6 +23,9 @@ typedef struct { u_int end; /* Offset of last byte containing data. */ } Buffer; +#define BUFFER_MAX_CHUNK 0x100000 +#define BUFFER_MAX_LEN 0xa00000 + void buffer_init(Buffer *); void buffer_clear(Buffer *); void buffer_free(Buffer *); diff --git a/usr.bin/ssh/channels.c b/usr.bin/ssh/channels.c index 54b951e0d9d..b387cddc731 100644 --- a/usr.bin/ssh/channels.c +++ b/usr.bin/ssh/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.213 2005/03/10 22:01:05 deraadt Exp $"); +RCSID("$OpenBSD: channels.c,v 1.214 2005/03/14 11:46:56 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -58,6 +58,8 @@ RCSID("$OpenBSD: channels.c,v 1.213 2005/03/10 22:01:05 deraadt Exp $"); /* -- channel core */ +#define CHAN_RBUF 16*1024 + /* * Pointer to an array containing all allocated channels. The array is * dynamically extended as needed. @@ -711,6 +713,9 @@ channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset) { u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); + /* check buffer limits */ + limit = MIN(limit, (BUFFER_MAX_LEN - BUFFER_MAX_CHUNK - CHAN_RBUF)); + if (c->istate == CHAN_INPUT_OPEN && limit > 0 && buffer_len(&c->input) < limit) @@ -1359,7 +1364,7 @@ channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset) static int channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset) { - char buf[16*1024]; + char buf[CHAN_RBUF]; int len; if (c->rfd != -1 && @@ -1448,7 +1453,7 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset) static int channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset) { - char buf[16*1024]; + char buf[CHAN_RBUF]; int len; /** XXX handle drain efd, too */ |