From 0d5c86f0b878c1a172e54fad1961e802bee99f09 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 27 Nov 2019 05:38:44 +0000 Subject: Revert previous commit. The channels code still uses int in many places for channel ids so the INT_MAX check still makes sense. --- usr.bin/ssh/serverloop.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'usr.bin') diff --git a/usr.bin/ssh/serverloop.c b/usr.bin/ssh/serverloop.c index 1e558c651a8..956083b2337 100644 --- a/usr.bin/ssh/serverloop.c +++ b/usr.bin/ssh/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.217 2019/11/27 03:34:04 dtucker Exp $ */ +/* $OpenBSD: serverloop.c,v 1.218 2019/11/27 05:38:43 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -665,7 +665,7 @@ server_input_channel_open(int type, u_int32_t seq, struct ssh *ssh) char *ctype = NULL; const char *errmsg = NULL; int r, reason = SSH2_OPEN_CONNECT_FAILED; - u_int32_t rchan = 0, rmaxpack = 0, rwindow = 0; + u_int rchan = 0, rmaxpack = 0, rwindow = 0; if ((r = sshpkt_get_cstring(ssh, &ctype, NULL)) != 0 || (r = sshpkt_get_u32(ssh, &rchan)) != 0 || @@ -673,9 +673,11 @@ server_input_channel_open(int type, u_int32_t seq, struct ssh *ssh) (r = sshpkt_get_u32(ssh, &rmaxpack)) != 0) sshpkt_fatal(ssh, r, "%s: parse packet", __func__); debug("%s: ctype %s rchan %u win %u max %u", __func__, - ctype, (u_int)rchan, (u_int)rwindow, (u_int)rmaxpack); + ctype, rchan, rwindow, rmaxpack); - if (strcmp(ctype, "session") == 0) { + if (rchan > INT_MAX) { + error("%s: invalid remote channel ID", __func__); + } else if (strcmp(ctype, "session") == 0) { c = server_request_session(ssh); } else if (strcmp(ctype, "direct-tcpip") == 0) { c = server_request_direct_tcpip(ssh, &reason, &errmsg); @@ -686,7 +688,7 @@ server_input_channel_open(int type, u_int32_t seq, struct ssh *ssh) } if (c != NULL) { debug("%s: confirm %s", __func__, ctype); - c->remote_id = rchan; + c->remote_id = (int)rchan; c->have_remote_id = 1; c->remote_window = rwindow; c->remote_maxpacket = rmaxpack; -- cgit v1.2.3