3 files changed, 36 insertions, 12 deletions
diff --git a/ChangeLog b/ChangeLog
index d125c1ad4..2271b76ff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,10 @@
   - markus@cvs.openbsd.org 2001/10/07 10:29:52
     [authfile.c]
     grammer; Matthew_Clarke@mindlink.bc.ca
+   - markus@cvs.openbsd.org 2001/10/07 17:49:40
+     [channels.c channels.h]
+     avoid possible FD_ISSET overflow for channels established
+     during channnel_after_select() (used for dynamic channels).
 20011007
 - (bal) ssh-copy-id corrected permissions for .ssh/ and authorized_keys.
@@ -6666,4 +6670,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
-$Id: ChangeLog,v 1.1591 2001/10/10 05:03:36 djm Exp $
+$Id: ChangeLog,v 1.1592 2001/10/10 05:03:58 djm Exp $
diff --git a/channels.c b/channels.c
index 758ea506d..1ec6074b5 100644
--- a/channels.c
+++ b/channels.c
@@ -39,7 +39,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.136 2001/10/04 15:05:40 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.137 2001/10/07 17:49:40 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -241,6 +241,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
        }
        /* Initialize and return new channel. */
        c = channels[found] = xmalloc(sizeof(Channel));
+        memset(c, 0, sizeof(Channel));
        buffer_init(&c->input);
        buffer_init(&c->output);
        buffer_init(&c->extended);
@@ -974,7 +975,7 @@ channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset)
        int have, ret;
        have = buffer_len(&c->input);
+        c->delayed = 0;
        debug2("channel %d: pre_dynamic: have %d", c->self, have);
        /* buffer_dump(&c->input); */
        /* check if the fixed size part of the packet is in buffer. */
@@ -1133,11 +1134,18 @@ channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
                    "to %.100s port %d requested.",
                    c->listening_port, c->path, c->host_port);
-                rtype = (c->type == SSH_CHANNEL_RPORT_LISTENER) ?
+                if (c->type == SSH_CHANNEL_RPORT_LISTENER) {
-                    "forwarded-tcpip" : "direct-tcpip";
+                        nextstate = SSH_CHANNEL_OPENING;
-                nextstate = (c->host_port == 0 &&
+                        rtype = "forwarded-tcpip";
-                    c->type != SSH_CHANNEL_RPORT_LISTENER) ?
+                } else {
-                    SSH_CHANNEL_DYNAMIC : SSH_CHANNEL_OPENING;
+                        if (c->host_port == 0) {
+                                nextstate = SSH_CHANNEL_DYNAMIC;
+                                rtype = "direct-tcpip";
+                        } else {
+                                nextstate = SSH_CHANNEL_OPENING;
+                                rtype = "direct-tcpip";
+                        }
+                }
                addrlen = sizeof(addr);
                newsock = accept(c->sock, &addr, &addrlen);
@@ -1158,8 +1166,16 @@ channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
                nc->host_port = c->host_port;
                strlcpy(nc->path, c->path, sizeof(nc->path));
-                if (nextstate != SSH_CHANNEL_DYNAMIC)
+                if (nextstate == SSH_CHANNEL_DYNAMIC) {
+                        /*
+                         * do not call the channel_post handler until
+                         * this flag has been reset by a pre-handler.
+                         * otherwise the FD_ISSET calls might overflow
+                         */
+                        nc->delayed = 1;
+                } else {
                        port_open_helper(nc, rtype);
+                }
        }
 }
@@ -1409,6 +1425,8 @@ channel_check_window(Channel *c)
 static void
 channel_post_open_1(Channel *c, fd_set * readset, fd_set * writeset)
 {
+        if (c->delayed)
+                return;
        channel_handle_rfd(c, readset, writeset);
        channel_handle_wfd(c, readset, writeset);
 }
@@ -1416,6 +1434,8 @@ channel_post_open_1(Channel *c, fd_set * readset, fd_set * writeset)
 static void
 channel_post_open_2(Channel *c, fd_set * readset, fd_set * writeset)
 {
+        if (c->delayed)
+                return;
        channel_handle_rfd(c, readset, writeset);
        channel_handle_wfd(c, readset, writeset);
        channel_handle_efd(c, readset, writeset);
diff --git a/channels.h b/channels.h
index c6d1aabc7..49a9df9dd 100644
--- a/channels.h
+++ b/channels.h
@@ -32,7 +32,7 @@
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-/* RCSID("$OpenBSD: channels.h,v 1.47 2001/10/01 21:38:53 markus Exp $"); */
+/* RCSID("$OpenBSD: channels.h,v 1.48 2001/10/07 17:49:40 markus Exp $"); */
 #ifndef CHANNEL_H
 #define CHANNEL_H
@@ -68,7 +68,6 @@ struct Channel {
        int     type;           /* channel type/state */
        int     self;           /* my own channel identifier */
        int     remote_id;      /* channel identifier for remote peer */
-        /* peer can be reached over encrypted connection, via packet-sent */
        int     istate;         /* input from channel (state of receive half) */
        int     ostate;         /* output to channel  (state of transmit half) */
        int     flags;          /* close sent/rcvd */
@@ -77,7 +76,8 @@ struct Channel {
        int     efd;            /* extended fd */
        int     sock;           /* sock fd */
        int     isatty;         /* rfd is a tty */
-        int     force_drain;            /* force close on iEOF */
+        int     force_drain;    /* force close on iEOF */
+        int     delayed;                /* fdset hack */
        Buffer  input;          /* data read from socket, to be sent over
                                 * encrypted connection */
        Buffer  output;         /* data received over encrypted connection for

diff --git a/ChangeLog b/ChangeLog index d125c1ad4..2271b76ff 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -21,6 +21,10 @@
21	- markus@cvs.openbsd.org 2001/10/07 10:29:52	21	- markus@cvs.openbsd.org 2001/10/07 10:29:52
22	[authfile.c]	22	[authfile.c]
23	grammer; Matthew_Clarke@mindlink.bc.ca	23	grammer; Matthew_Clarke@mindlink.bc.ca
		24	- markus@cvs.openbsd.org 2001/10/07 17:49:40
		25	[channels.c channels.h]
		26	avoid possible FD_ISSET overflow for channels established
		27	during channnel_after_select() (used for dynamic channels).
24		28
25	20011007	29	20011007
26	- (bal) ssh-copy-id corrected permissions for .ssh/ and authorized_keys.	30	- (bal) ssh-copy-id corrected permissions for .ssh/ and authorized_keys.
@@ -6666,4 +6670,4 @@
6666	- Wrote replacements for strlcpy and mkdtemp	6670	- Wrote replacements for strlcpy and mkdtemp
6667	- Released 1.0pre1	6671	- Released 1.0pre1
6668		6672
6669	$Id: ChangeLog,v 1.1591 2001/10/10 05:03:36 djm Exp $	6673	$Id: ChangeLog,v 1.1592 2001/10/10 05:03:58 djm Exp $


diff --git a/channels.c b/channels.c index 758ea506d..1ec6074b5 100644 --- a/channels.c +++ b/channels.c
@@ -39,7 +39,7 @@
39	*/	39	*/
40		40
41	#include "includes.h"	41	#include "includes.h"
42	RCSID("$OpenBSD: channels.c,v 1.136 2001/10/04 15:05:40 markus Exp $");	42	RCSID("$OpenBSD: channels.c,v 1.137 2001/10/07 17:49:40 markus Exp $");
43		43
44	#include "ssh.h"	44	#include "ssh.h"
45	#include "ssh1.h"	45	#include "ssh1.h"
@@ -241,6 +241,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
241	}	241	}
242	/* Initialize and return new channel. */	242	/* Initialize and return new channel. */
243	c = channels[found] = xmalloc(sizeof(Channel));	243	c = channels[found] = xmalloc(sizeof(Channel));
		244	memset(c, 0, sizeof(Channel));
244	buffer_init(&c->input);	245	buffer_init(&c->input);
245	buffer_init(&c->output);	246	buffer_init(&c->output);
246	buffer_init(&c->extended);	247	buffer_init(&c->extended);
@@ -974,7 +975,7 @@ channel_pre_dynamic(Channel c, fd_set readset, fd_set * writeset)
974	int have, ret;	975	int have, ret;
975		976
976	have = buffer_len(&c->input);	977	have = buffer_len(&c->input);
977		978	c->delayed = 0;
978	debug2("channel %d: pre_dynamic: have %d", c->self, have);	979	debug2("channel %d: pre_dynamic: have %d", c->self, have);
979	/* buffer_dump(&c->input); */	980	/* buffer_dump(&c->input); */
980	/* check if the fixed size part of the packet is in buffer. */	981	/* check if the fixed size part of the packet is in buffer. */
@@ -1133,11 +1134,18 @@ channel_post_port_listener(Channel c, fd_set readset, fd_set * writeset)
1133	"to %.100s port %d requested.",	1134	"to %.100s port %d requested.",
1134	c->listening_port, c->path, c->host_port);	1135	c->listening_port, c->path, c->host_port);
1135		1136
1136	rtype = (c->type == SSH_CHANNEL_RPORT_LISTENER) ?	1137	if (c->type == SSH_CHANNEL_RPORT_LISTENER) {
1137	"forwarded-tcpip" : "direct-tcpip";	1138	nextstate = SSH_CHANNEL_OPENING;
1138	nextstate = (c->host_port == 0 &&	1139	rtype = "forwarded-tcpip";
1139	c->type != SSH_CHANNEL_RPORT_LISTENER) ?	1140	} else {
1140	SSH_CHANNEL_DYNAMIC : SSH_CHANNEL_OPENING;	1141	if (c->host_port == 0) {
		1142	nextstate = SSH_CHANNEL_DYNAMIC;
		1143	rtype = "direct-tcpip";
		1144	} else {
		1145	nextstate = SSH_CHANNEL_OPENING;
		1146	rtype = "direct-tcpip";
		1147	}
		1148	}
1141		1149
1142	addrlen = sizeof(addr);	1150	addrlen = sizeof(addr);
1143	newsock = accept(c->sock, &addr, &addrlen);	1151	newsock = accept(c->sock, &addr, &addrlen);
@@ -1158,8 +1166,16 @@ channel_post_port_listener(Channel c, fd_set readset, fd_set * writeset)
1158	nc->host_port = c->host_port;	1166	nc->host_port = c->host_port;
1159	strlcpy(nc->path, c->path, sizeof(nc->path));	1167	strlcpy(nc->path, c->path, sizeof(nc->path));
1160		1168
1161	if (nextstate != SSH_CHANNEL_DYNAMIC)	1169	if (nextstate == SSH_CHANNEL_DYNAMIC) {
		1170	/*
		1171	* do not call the channel_post handler until
		1172	* this flag has been reset by a pre-handler.
		1173	* otherwise the FD_ISSET calls might overflow
		1174	*/
		1175	nc->delayed = 1;
		1176	} else {
1162	port_open_helper(nc, rtype);	1177	port_open_helper(nc, rtype);
		1178	}
1163	}	1179	}
1164	}	1180	}
1165		1181
@@ -1409,6 +1425,8 @@ channel_check_window(Channel *c)
1409	static void	1425	static void
1410	channel_post_open_1(Channel c, fd_set readset, fd_set * writeset)	1426	channel_post_open_1(Channel c, fd_set readset, fd_set * writeset)
1411	{	1427	{
		1428	if (c->delayed)
		1429	return;
1412	channel_handle_rfd(c, readset, writeset);	1430	channel_handle_rfd(c, readset, writeset);
1413	channel_handle_wfd(c, readset, writeset);	1431	channel_handle_wfd(c, readset, writeset);
1414	}	1432	}
@@ -1416,6 +1434,8 @@ channel_post_open_1(Channel c, fd_set readset, fd_set * writeset)
1416	static void	1434	static void
1417	channel_post_open_2(Channel c, fd_set readset, fd_set * writeset)	1435	channel_post_open_2(Channel c, fd_set readset, fd_set * writeset)
1418	{	1436	{
		1437	if (c->delayed)
		1438	return;
1419	channel_handle_rfd(c, readset, writeset);	1439	channel_handle_rfd(c, readset, writeset);
1420	channel_handle_wfd(c, readset, writeset);	1440	channel_handle_wfd(c, readset, writeset);
1421	channel_handle_efd(c, readset, writeset);	1441	channel_handle_efd(c, readset, writeset);


diff --git a/channels.h b/channels.h index c6d1aabc7..49a9df9dd 100644 --- a/channels.h +++ b/channels.h
@@ -32,7 +32,7 @@
32	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	32	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
33	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	33	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34	*/	34	*/
35	/* RCSID("$OpenBSD: channels.h,v 1.47 2001/10/01 21:38:53 markus Exp $"); */	35	/* RCSID("$OpenBSD: channels.h,v 1.48 2001/10/07 17:49:40 markus Exp $"); */
36		36
37	#ifndef CHANNEL_H	37	#ifndef CHANNEL_H
38	#define CHANNEL_H	38	#define CHANNEL_H
@@ -68,7 +68,6 @@ struct Channel {
68	int type; /* channel type/state */	68	int type; /* channel type/state */
69	int self; /* my own channel identifier */	69	int self; /* my own channel identifier */
70	int remote_id; /* channel identifier for remote peer */	70	int remote_id; /* channel identifier for remote peer */
71	/* peer can be reached over encrypted connection, via packet-sent */
72	int istate; /* input from channel (state of receive half) */	71	int istate; /* input from channel (state of receive half) */
73	int ostate; /* output to channel (state of transmit half) */	72	int ostate; /* output to channel (state of transmit half) */
74	int flags; /* close sent/rcvd */	73	int flags; /* close sent/rcvd */
@@ -77,7 +76,8 @@ struct Channel {
77	int efd; /* extended fd */	76	int efd; /* extended fd */
78	int sock; /* sock fd */	77	int sock; /* sock fd */
79	int isatty; /* rfd is a tty */	78	int isatty; /* rfd is a tty */
80	int force_drain; /* force close on iEOF */	79	int force_drain; /* force close on iEOF */
		80	int delayed; /* fdset hack */
81	Buffer input; /* data read from socket, to be sent over	81	Buffer input; /* data read from socket, to be sent over
82	* encrypted connection */	82	* encrypted connection */
83	Buffer output; /* data received over encrypted connection for	83	Buffer output; /* data received over encrypted connection for