- markus@cvs.openbsd.org 2005/03/14 11:46:56
[buffer.c buffer.h channels.c]
limit input buffer size for channels; bugzilla #896; with and ok dtucker@
diff --git a/ChangeLog b/ChangeLog
index eceda67..3504e56 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,9 @@
[auth.c]
Populate host for log message for logins denied by AllowUsers and
DenyUsers (bz #999); ok markus@
+ - markus@cvs.openbsd.org 2005/03/14 11:46:56
+ [buffer.c buffer.h channels.c]
+ limit input buffer size for channels; bugzilla #896; with and ok dtucker@
20050313
- (dtucker) [contrib/cygwin/ssh-host-config] Makes the query for the
@@ -2359,4 +2362,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3717 2005/03/14 12:17:27 dtucker Exp $
+$Id: ChangeLog,v 1.3718 2005/03/14 12:22:25 dtucker Exp $
diff --git a/buffer.c b/buffer.c
index 1a25004..487e081 100644
--- a/buffer.c
+++ b/buffer.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: buffer.c,v 1.22 2004/10/29 23:56:17 djm Exp $");
+RCSID("$OpenBSD: buffer.c,v 1.23 2005/03/14 11:46:56 markus Exp $");
#include "xmalloc.h"
#include "buffer.h"
@@ -78,7 +78,7 @@
u_int newlen;
void *p;
- if (len > 0x100000)
+ if (len > BUFFER_MAX_CHUNK)
fatal("buffer_append_space: len %u not supported", len);
/* If the buffer is empty, start using it from the beginning. */
@@ -97,7 +97,7 @@
* If the buffer is quite empty, but all data is at the end, move the
* data to the beginning and retry.
*/
- if (buffer->offset > buffer->alloc / 2) {
+ if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
memmove(buffer->buf, buffer->buf + buffer->offset,
buffer->end - buffer->offset);
buffer->end -= buffer->offset;
@@ -107,7 +107,7 @@
/* Increase the size of the buffer and retry. */
newlen = buffer->alloc + len + 32768;
- if (newlen > 0xa00000)
+ if (newlen > BUFFER_MAX_LEN)
fatal("buffer_append_space: alloc %u not supported",
newlen);
buffer->buf = xrealloc(buffer->buf, newlen);
diff --git a/buffer.h b/buffer.h
index 9c09d4f..2b20eed 100644
--- a/buffer.h
+++ b/buffer.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: buffer.h,v 1.12 2004/10/29 23:56:17 djm Exp $ */
+/* $OpenBSD: buffer.h,v 1.13 2005/03/14 11:46:56 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -23,6 +23,9 @@
u_int end; /* Offset of last byte containing data. */
} Buffer;
+#define BUFFER_MAX_CHUNK 0x100000
+#define BUFFER_MAX_LEN 0xa00000
+
void buffer_init(Buffer *);
void buffer_clear(Buffer *);
void buffer_free(Buffer *);
diff --git a/channels.c b/channels.c
index 4bd9af8..3f6db60 100644
--- a/channels.c
+++ b/channels.c
@@ -39,7 +39,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.213 2005/03/10 22:01:05 deraadt Exp $");
+RCSID("$OpenBSD: channels.c,v 1.214 2005/03/14 11:46:56 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -58,6 +58,8 @@
/* -- channel core */
+#define CHAN_RBUF 16*1024
+
/*
* Pointer to an array containing all allocated channels. The array is
* dynamically extended as needed.
@@ -712,6 +714,9 @@
{
u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
+ /* check buffer limits */
+ limit = MIN(limit, (BUFFER_MAX_LEN - BUFFER_MAX_CHUNK - CHAN_RBUF));
+
if (c->istate == CHAN_INPUT_OPEN &&
limit > 0 &&
buffer_len(&c->input) < limit)
@@ -1360,7 +1365,7 @@
static int
channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
{
- char buf[16*1024];
+ char buf[CHAN_RBUF];
int len;
if (c->rfd != -1 &&
@@ -1454,7 +1459,7 @@
static int
channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
{
- char buf[16*1024];
+ char buf[CHAN_RBUF];
int len;
/** XXX handle drain efd, too */