- djm@cvs.openbsd.org 2006/04/16 00:48:52

     [buffer.c buffer.h channels.c]
     Fix condition where we could exit with a fatal error when an input
     buffer became too large and the remote end had advertised a big window.
     The problem was a mismatch in the backoff math between the channels code
     and the buffer code, so make a buffer_check_alloc() function that the
     channels code can use to propsectivly check whether an incremental
     allocation will succeed.  bz #1131, debugged with the assistance of
     cove AT wildpackets.com; ok dtucker@ deraadt@

1 files changed, 3 insertions, 5 deletions

diff --git a/channels.c b/channels.c
index fccb9098e..2fa997edc 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.249 2006/03/30 09:41:25 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.250 2006/04/16 00:48:52 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -747,12 +747,10 @@ channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
 {
         u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
 
-        /* check buffer limits */
-        limit = MIN(limit, (BUFFER_MAX_LEN - BUFFER_MAX_CHUNK - CHAN_RBUF));
-
         if (c->istate == CHAN_INPUT_OPEN &&
             limit > 0 &&
-            buffer_len(&c->input) < limit)
+            buffer_len(&c->input) < limit &&
+            buffer_check_alloc(&c->input, CHAN_RBUF))
                 FD_SET(c->rfd, readset);
         if (c->ostate == CHAN_OUTPUT_OPEN ||
             c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {