From 11327cc5d7437b17f98580f1f173918873872c0d Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 14 Mar 2005 23:22:25 +1100 Subject: [PATCH] - markus@cvs.openbsd.org 2005/03/14 11:46:56 [buffer.c buffer.h channels.c] limit input buffer size for channels; bugzilla #896; with and ok dtucker@ --- ChangeLog | 5 ++++- buffer.c | 8 ++++---- buffer.h | 5 ++++- channels.c | 11 ++++++++--- 4 files changed, 20 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index eceda670e..3504e5674 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,6 +25,9 @@ [auth.c] Populate host for log message for logins denied by AllowUsers and DenyUsers (bz #999); ok markus@ + - markus@cvs.openbsd.org 2005/03/14 11:46:56 + [buffer.c buffer.h channels.c] + limit input buffer size for channels; bugzilla #896; with and ok dtucker@ 20050313 - (dtucker) [contrib/cygwin/ssh-host-config] Makes the query for the @@ -2359,4 +2362,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3717 2005/03/14 12:17:27 dtucker Exp $ +$Id: ChangeLog,v 1.3718 2005/03/14 12:22:25 dtucker Exp $ diff --git a/buffer.c b/buffer.c index 1a25004ba..487e08105 100644 --- a/buffer.c +++ b/buffer.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: buffer.c,v 1.22 2004/10/29 23:56:17 djm Exp $"); +RCSID("$OpenBSD: buffer.c,v 1.23 2005/03/14 11:46:56 markus Exp $"); #include "xmalloc.h" #include "buffer.h" @@ -78,7 +78,7 @@ buffer_append_space(Buffer *buffer, u_int len) u_int newlen; void *p; - if (len > 0x100000) + if (len > BUFFER_MAX_CHUNK) fatal("buffer_append_space: len %u not supported", len); /* If the buffer is empty, start using it from the beginning. */ @@ -97,7 +97,7 @@ restart: * If the buffer is quite empty, but all data is at the end, move the * data to the beginning and retry. */ - if (buffer->offset > buffer->alloc / 2) { + if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) { memmove(buffer->buf, buffer->buf + buffer->offset, buffer->end - buffer->offset); buffer->end -= buffer->offset; @@ -107,7 +107,7 @@ restart: /* Increase the size of the buffer and retry. */ newlen = buffer->alloc + len + 32768; - if (newlen > 0xa00000) + if (newlen > BUFFER_MAX_LEN) fatal("buffer_append_space: alloc %u not supported", newlen); buffer->buf = xrealloc(buffer->buf, newlen); diff --git a/buffer.h b/buffer.h index 9c09d4f43..2b20eed52 100644 --- a/buffer.h +++ b/buffer.h @@ -1,4 +1,4 @@ -/* $OpenBSD: buffer.h,v 1.12 2004/10/29 23:56:17 djm Exp $ */ +/* $OpenBSD: buffer.h,v 1.13 2005/03/14 11:46:56 markus Exp $ */ /* * Author: Tatu Ylonen @@ -23,6 +23,9 @@ typedef struct { u_int end; /* Offset of last byte containing data. */ } Buffer; +#define BUFFER_MAX_CHUNK 0x100000 +#define BUFFER_MAX_LEN 0xa00000 + void buffer_init(Buffer *); void buffer_clear(Buffer *); void buffer_free(Buffer *); diff --git a/channels.c b/channels.c index 4bd9af8e6..3f6db60c6 100644 --- a/channels.c +++ b/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.213 2005/03/10 22:01:05 deraadt Exp $"); +RCSID("$OpenBSD: channels.c,v 1.214 2005/03/14 11:46:56 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -58,6 +58,8 @@ RCSID("$OpenBSD: channels.c,v 1.213 2005/03/10 22:01:05 deraadt Exp $"); /* -- channel core */ +#define CHAN_RBUF 16*1024 + /* * Pointer to an array containing all allocated channels. The array is * dynamically extended as needed. @@ -712,6 +714,9 @@ channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset) { u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); + /* check buffer limits */ + limit = MIN(limit, (BUFFER_MAX_LEN - BUFFER_MAX_CHUNK - CHAN_RBUF)); + if (c->istate == CHAN_INPUT_OPEN && limit > 0 && buffer_len(&c->input) < limit) @@ -1360,7 +1365,7 @@ channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset) static int channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset) { - char buf[16*1024]; + char buf[CHAN_RBUF]; int len; if (c->rfd != -1 && @@ -1454,7 +1459,7 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset) static int channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset) { - char buf[16*1024]; + char buf[CHAN_RBUF]; int len; /** XXX handle drain efd, too */