- markus@cvs.openbsd.org 2009/11/11 21:37:03

[channels.c channels.h] fix race condition in x11/agent channel allocation: don't read after the end of the select read/write fdset and make sure a reused FD is not touched before the pre-handlers are called. with and ok djm@
author: Darren Tucker <dtucker@zip.com.au> 2010-01-08 17:08:00 +1100
committer: Darren Tucker <dtucker@zip.com.au> 2010-01-08 17:08:00 +1100
commit: 876045b0fb273ee11b02c535833b076c875253dc (patch)
tree: 372ba1e8310e20e1874a5aac76ed3a7194aec9cb /channels.c
parent: 6e7fe1c01b8a69099ffc42e653cc478509e84781 (diff)
1 files changed, 11 insertions, 15 deletions
diff --git a/channels.c b/channels.c
index eb0c61d8b..949392390 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.298 2009/11/10 04:30:44 dtucker Exp $ */
+/* $OpenBSD: channels.c,v 1.299 2009/11/11 21:37:03 markus Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -331,6 +331,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
        c->output_filter = NULL;
        c->filter_ctx = NULL;
        c->filter_cleanup = NULL;
+        c->delayed = 1;         /* prevent call to channel_post handler */
        TAILQ_INIT(&c->status_confirms);
        debug("channel %d: new [%s]", found, remote_name);
        return c;
@@ -1228,7 +1229,6 @@ channel_pre_dynamic(Channel *c, fd_set *readset, fd_set *writeset)
        int ret;
        have = buffer_len(&c->input);
-        c->delayed = 0;
        debug2("channel %d: pre_dynamic: have %d", c->self, have);
        /* buffer_dump(&c->input); */
        /* check if the fixed size part of the packet is in buffer. */
@@ -1432,16 +1432,8 @@ channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset)
                if (c->path != NULL)
                        nc->path = xstrdup(c->path);
-                if (nextstate == SSH_CHANNEL_DYNAMIC) {
+                if (nextstate != SSH_CHANNEL_DYNAMIC)
-                        /*
-                         * do not call the channel_post handler until
-                         * this flag has been reset by a pre-handler.
-                         * otherwise the FD_ISSET calls might overflow
-                         */
-                        nc->delayed = 1;
-                } else {
                        port_open_helper(nc, rtype);
-                }
        }
 }
@@ -1786,8 +1778,6 @@ channel_check_window(Channel *c)
 static void
 channel_post_open(Channel *c, fd_set *readset, fd_set *writeset)
 {
-        if (c->delayed)
-                return;
        channel_handle_rfd(c, readset, writeset);
        channel_handle_wfd(c, readset, writeset);
        if (!compat20)
@@ -1919,17 +1909,23 @@ static void
 channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset)
 {
        static int did_init = 0;
-        u_int i;
+        u_int i, oalloc;
        Channel *c;
        if (!did_init) {
                channel_handler_init();
                did_init = 1;
        }
-        for (i = 0; i < channels_alloc; i++) {
+        for (i = 0, oalloc = channels_alloc; i < oalloc; i++) {
                c = channels[i];
                if (c == NULL)
                        continue;
+                if (c->delayed) {
+                        if (ftab == channel_pre)
+                                c->delayed = 0;
+                        else
+                                continue;
+                }
                if (ftab[c->type] != NULL)
                        (*ftab[c->type])(c, readset, writeset);
                channel_garbage_collect(c);
author	Darren Tucker <dtucker@zip.com.au>	2010-01-08 17:08:00 +1100
committer	Darren Tucker <dtucker@zip.com.au>	2010-01-08 17:08:00 +1100
commit	876045b0fb273ee11b02c535833b076c875253dc (patch)
tree	372ba1e8310e20e1874a5aac76ed3a7194aec9cb /channels.c
parent	6e7fe1c01b8a69099ffc42e653cc478509e84781 (diff)