authorDarren Tucker <dtucker@zip.com.au>2005-03-14 23:22:25 +1100
committerDarren Tucker <dtucker@zip.com.au>2005-03-14 23:22:25 +1100
commit11327cc5d7437b17f98580f1f173918873872c0d (patch)
tree791c8e0394d790059863e63bd8c4d35d9f593fe1
parenta8f553df53bf116c16de409a0d6bc897d0a2f228 (diff)
- markus@cvs.openbsd.org 2005/03/14 11:46:56
[buffer.c buffer.h channels.c] limit input buffer size for channels; bugzilla #896; with and ok dtucker@
-rw-r--r--ChangeLog5
-rw-r--r--buffer.c8
-rw-r--r--buffer.h5
-rw-r--r--channels.c11
4 files changed, 20 insertions, 9 deletions
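diff --git a/ChangeLog b/ChangeLog
index eceda670e..3504e5674 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,9 @@
  [auth.c]
  Populate host for log message for logins denied by AllowUsers and
  DenyUsers (bz #999); ok markus@
+ - markus@cvs.openbsd.org 2005/03/14 11:46:56
+ [buffer.c buffer.h channels.c]
+ limit input buffer size for channels; bugzilla #896; with and ok dtucker@
 
 20050313
  - (dtucker) [contrib/cygwin/ssh-host-config] Makes the query for the
@@ -2359,4 +2362,4 @@
  - (djm) Trim deprecated options from INSTALL. Mention UsePAM
  - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3717 2005/03/14 12:17:27 dtucker Exp $
+$Id: ChangeLog,v 1.3718 2005/03/14 12:22:25 dtucker Exp $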
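diff --git a/buffer.c b/buffer.c
index 1a25004ba..487e08105 100644
--- a/buffer.c
+++ b/buffer.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: buffer.c,v 1.22 2004/10/29 23:56:17 djm Exp $");
+RCSID("$OpenBSD: buffer.c,v 1.23 2005/03/14 11:46:56 markus Exp $");
 
 #include "xmalloc.h"
 #include "buffer.h"
@@ -78,7 +78,7 @@ buffer_append_space(Buffer *buffer, u_int len)
  u_int newlen;
  void *p;
 
- if (len > 0x100000)
+ if (len > BUFFER_MAX_CHUNK)
  fatal("buffer_append_space: len %u not supported", len);
 
  /* If the buffer is empty, start using it from the beginning. */
@@ -97,7 +97,7 @@ restart:
  * If the buffer is quite empty, but all data is at the end, move the
  * data to the beginning and retry.
  */
- if (buffer->offset > buffer->alloc / 2) {
+ if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
  memmove(buffer->buf, buffer->buf + buffer->offset,
  buffer->end - buffer->offset);
  buffer->end -= buffer->offset;
@@ -107,7 +107,7 @@ restart:
  /* Increase the size of the buffer and retry. */
 
  newlen = buffer->alloc + len + 32768;
- if (newlen > 0xa00000)
+ if (newlen > BUFFER_MAX_LEN)
  fatal("buffer_append_space: alloc %u not supported",
  newlen);
  buffer->buf = xrealloc(buffer->buf, newlen);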
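Review bot: The new compaction test `buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)` under `restart:` can only become true once more than BUFFER_MAX_CHUNK bytes at the front have been consumed, assuming offset never exceeds alloc (that invariant is not visible in these hunks). Buffers at or below that size are therefore no longer compacted and fall through to the xrealloc branch, where the unused front space still counts toward the `newlen > BUFFER_MAX_LEN` check that ends in fatal(). If that trade-off is intended, the comment above the test should describe the new threshold, e.g. `/* If more than BUFFER_MAX_CHUNK bytes at the front are unused, move the data to the beginning and retry. */`, since "quite empty" described the old `alloc / 2` rule. buffer_append_space starts and ends outside the hunks shown.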
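diff --git a/buffer.h b/buffer.h
index 9c09d4f43..2b20eed52 100644
--- a/buffer.h
+++ b/buffer.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: buffer.h,v 1.12 2004/10/29 23:56:17 djm Exp $ */
+/* $OpenBSD: buffer.h,v 1.13 2005/03/14 11:46:56 markus Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -23,6 +23,9 @@ typedef struct {
  u_int end; /* Offset of last byte containing data. */
 } Buffer;
 
+#define BUFFER_MAX_CHUNK 0x100000
+#define BUFFER_MAX_LEN 0xa00000
+
 void buffer_init(Buffer *);
 void buffer_clear(Buffer *);
 void buffer_free(Buffer *);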
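Review bot: `BUFFER_MAX_CHUNK` and `BUFFER_MAX_LEN` are added without comments, although this commit makes them a cross-file contract: buffer.c calls fatal() when either is exceeded and channels.c derives its read limit from their difference. A one-line comment on each would record that, e.g. `/* largest single buffer_append_space() request; larger is fatal() */` and `/* largest allocation a Buffer may grow to; larger is fatal() */`. It is also worth stating that BUFFER_MAX_LEN must stay larger than BUFFER_MAX_CHUNK plus any caller headroom, because the subtraction in channels.c would otherwise go negative and, once compared against a u_int, likely stop limiting anything.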
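diff --git a/channels.c b/channels.c
index 4bd9af8e6..3f6db60c6 100644
--- a/channels.c
+++ b/channels.c
@@ -39,7 +39,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.213 2005/03/10 22:01:05 deraadt Exp $");
+RCSID("$OpenBSD: channels.c,v 1.214 2005/03/14 11:46:56 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -58,6 +58,8 @@ RCSID("$OpenBSD: channels.c,v 1.213 2005/03/10 22:01:05 deraadt Exp $");
 
 /* -- channel core */
 
+#define CHAN_RBUF 16*1024
+
 /*
  * Pointer to an array containing all allocated channels. The array is
  * dynamically extended as needed.
@@ -712,6 +714,9 @@ channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
 {
  u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
 
+ /* check buffer limits */
+ limit = MIN(limit, (BUFFER_MAX_LEN - BUFFER_MAX_CHUNK - CHAN_RBUF));
+
  if (c->istate == CHAN_INPUT_OPEN &&
  limit > 0 &&
  buffer_len(&c->input) < limit)
@@ -1360,7 +1365,7 @@ channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset)
 static int
 channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
 {
- char buf[16*1024];
+ char buf[CHAN_RBUF];
  int len;
 
  if (c->rfd != -1 &&
@@ -1454,7 +1459,7 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
 static int
 channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
 {
- char buf[16*1024];
+ char buf[CHAN_RBUF];
  int len;
 
 /** XXX handle drain efd, too */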
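Review bot: `CHAN_RBUF` is defined as the bare expression `16*1024`, so it expands correctly only where multiplication happens to bind tightest. That holds for `char buf[CHAN_RBUF]` and for `BUFFER_MAX_LEN - BUFFER_MAX_CHUNK - CHAN_RBUF` in channel_pre_open, but a later division or modulo by it would silently compute a different bound; define it as `#define CHAN_RBUF (16*1024)`. The `/* check buffer limits */` comment could also say why the headroom is subtracted, which appears to be `/* keep c->input far enough below BUFFER_MAX_LEN that one more read cannot trip fatal() in buffer_append_space() */`. The bodies of channel_pre_open, channel_handle_rfd and channel_handle_efd continue outside the hunks shown.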