- markus@cvs.openbsd.org 2005/03/14 11:46:56

[buffer.c buffer.h channels.c] limit input buffer size for channels; bugzilla #896; with and ok dtucker@
author: Darren Tucker <dtucker@zip.com.au> 2005-03-14 23:22:25 +1100
committer: Darren Tucker <dtucker@zip.com.au> 2005-03-14 23:22:25 +1100
commit: 11327cc5d7437b17f98580f1f173918873872c0d (patch)
tree: 791c8e0394d790059863e63bd8c4d35d9f593fe1
parent: a8f553df53bf116c16de409a0d6bc897d0a2f228 (diff)
4 files changed, 20 insertions, 9 deletions
diff --git a/ChangeLog b/ChangeLog
index eceda670e..3504e5674 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,9 @@
     [auth.c]
     Populate host for log message for logins denied by AllowUsers and
     DenyUsers (bz #999); ok markus@
+   - markus@cvs.openbsd.org 2005/03/14 11:46:56
+     [buffer.c buffer.h channels.c]
+     limit input buffer size for channels; bugzilla #896; with and ok dtucker@
 20050313
 - (dtucker) [contrib/cygwin/ssh-host-config] Makes the query for the
@@ -2359,4 +2362,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3717 2005/03/14 12:17:27 dtucker Exp $
+$Id: ChangeLog,v 1.3718 2005/03/14 12:22:25 dtucker Exp $
diff --git a/buffer.c b/buffer.c
index 1a25004ba..487e08105 100644
--- a/buffer.c
+++ b/buffer.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: buffer.c,v 1.22 2004/10/29 23:56:17 djm Exp $");
+RCSID("$OpenBSD: buffer.c,v 1.23 2005/03/14 11:46:56 markus Exp $");
 #include "xmalloc.h"
 #include "buffer.h"
@@ -78,7 +78,7 @@ buffer_append_space(Buffer *buffer, u_int len)
        u_int newlen;
        void *p;
-        if (len > 0x100000)
+        if (len > BUFFER_MAX_CHUNK)
                fatal("buffer_append_space: len %u not supported", len);
        /* If the buffer is empty, start using it from the beginning. */
@@ -97,7 +97,7 @@ restart:
         * If the buffer is quite empty, but all data is at the end, move the
         * data to the beginning and retry.
         */
-        if (buffer->offset > buffer->alloc / 2) {
+        if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
                memmove(buffer->buf, buffer->buf + buffer->offset,
                        buffer->end - buffer->offset);
                buffer->end -= buffer->offset;
@@ -107,7 +107,7 @@ restart:
        /* Increase the size of the buffer and retry. */
        newlen = buffer->alloc + len + 32768;
-        if (newlen > 0xa00000)
+        if (newlen > BUFFER_MAX_LEN)
                fatal("buffer_append_space: alloc %u not supported",
                    newlen);
        buffer->buf = xrealloc(buffer->buf, newlen);
diff --git a/buffer.h b/buffer.h
index 9c09d4f43..2b20eed52 100644
--- a/buffer.h
+++ b/buffer.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: buffer.h,v 1.12 2004/10/29 23:56:17 djm Exp $ */
+/*      $OpenBSD: buffer.h,v 1.13 2005/03/14 11:46:56 markus Exp $      */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -23,6 +23,9 @@ typedef struct {
        u_int    end;           /* Offset of last byte containing data. */
 }       Buffer;
+#define BUFFER_MAX_CHUNK        0x100000
+#define BUFFER_MAX_LEN          0xa00000
 void     buffer_init(Buffer *);
 void     buffer_clear(Buffer *);
 void     buffer_free(Buffer *);
diff --git a/channels.c b/channels.c
index 4bd9af8e6..3f6db60c6 100644
--- a/channels.c
+++ b/channels.c
@@ -39,7 +39,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.213 2005/03/10 22:01:05 deraadt Exp $");
+RCSID("$OpenBSD: channels.c,v 1.214 2005/03/14 11:46:56 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -58,6 +58,8 @@ RCSID("$OpenBSD: channels.c,v 1.213 2005/03/10 22:01:05 deraadt Exp $");
 /* -- channel core */
+#define CHAN_RBUF       16*1024
 /*
 * Pointer to an array containing all allocated channels.  The array is
 * dynamically extended as needed.
@@ -712,6 +714,9 @@ channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
 {
        u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
+        /* check buffer limits */
+        limit = MIN(limit, (BUFFER_MAX_LEN - BUFFER_MAX_CHUNK - CHAN_RBUF));
        if (c->istate == CHAN_INPUT_OPEN &&
            limit > 0 &&
            buffer_len(&c->input) < limit)
@@ -1360,7 +1365,7 @@ channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset)
 static int
 channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
 {
-        char buf[16*1024];
+        char buf[CHAN_RBUF];
        int len;
        if (c->rfd != -1 &&
@@ -1454,7 +1459,7 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
 static int
 channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
 {
-        char buf[16*1024];
+        char buf[CHAN_RBUF];
        int len;
 /** XXX handle drain efd, too */
author	Darren Tucker <dtucker@zip.com.au>	2005-03-14 23:22:25 +1100
committer	Darren Tucker <dtucker@zip.com.au>	2005-03-14 23:22:25 +1100
commit	11327cc5d7437b17f98580f1f173918873872c0d (patch)
tree	791c8e0394d790059863e63bd8c4d35d9f593fe1
parent	a8f553df53bf116c16de409a0d6bc897d0a2f228 (diff)