Attachment #1239 for bug #1286




	memcpy(p, data, len);
}

/* Shuffle data to the start of the buffer. */

static void
buffer_defragment(Buffer *buffer)
{
	memmove(buffer->buf, buffer->buf + buffer->offset,
		buffer->end - buffer->offset);
	buffer->end -= buffer->offset;
	buffer->offset = 0;
}

/*
 * Appends space to the buffer, expanding the buffer if necessary. This does
 * not actually copy the data into the buffer, but instead returns a pointer

	 * data to the beginning and retry.
	 */
	if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
		buffer_defragment(buffer);
			buffer->end - buffer->offset);
		buffer->end -= buffer->offset;
		buffer->offset = 0;
		goto restart;
	}
	/* Increase the size of the buffer and retry. */

	/* Increase the size of the buffer and retry. */
	newlen = buffer->alloc + len + 32768;
	if (newlen > BUFFER_MAX_LEN) {
		if (buffer->offset > 0) {
			buffer_defragment(buffer);
			goto restart;
		} else {
			fatal("buffer_append_space: alloc %u not supported",
			      newlen);
		}
	}
	buffer->buf = xrealloc(buffer->buf, newlen);
	buffer->alloc = newlen;
	goto restart;

	return buffer->end - buffer->offset;
}

/* The maximum potential space left in buffer. */

u_int
buffer_potential_free_space(Buffer *buffer)
{
	return BUFFER_MAX_LEN - buffer_len(buffer);
}

/* Gets data from the beginning of the buffer. */

int

Lines 31-36 Link Here

(-)lala2/openssh-4.3p2/buffer.h (+1 lines)
31	void buffer_free(Buffer *);	31	void buffer_free(Buffer *);
32		32
33	u_int buffer_len(Buffer *);	33	u_int buffer_len(Buffer *);
		34	u_int buffer_potential_free_space(Buffer *);
34	void buffer_ptr(Buffer );	35	void buffer_ptr(Buffer );
35		36
36	void buffer_append(Buffer , const void , u_int);	37	void buffer_append(Buffer , const void , u_int);

Lines 1074-1080 Link Here

(-)lala2/openssh-4.3p2/sftp-server.c (-4 / +11 lines)
1074	memset(rset, 0, set_size);	1074	memset(rset, 0, set_size);
1075	memset(wset, 0, set_size);	1075	memset(wset, 0, set_size);
1076		1076
1077	FD_SET(in, rset);	1077	/* If the oqueue is close to full then we want to wait on just the output. */
		1078	if (buffer_potential_free_space(&oqueue) > SFTP_MAX_MSG_LENGTH + 4)
		1079	FD_SET(in, rset);
		1080
1078	olen = buffer_len(&oqueue);	1081	olen = buffer_len(&oqueue);
1079	if (olen > 0)	1082	if (olen > 0)
1080	FD_SET(out, wset);	1083	FD_SET(out, wset);
Lines 1086-1092 Link Here
1086	}	1089	}
1087		1090
1088	/* copy stdin to iqueue */	1091	/* copy stdin to iqueue */
1089	if (FD_ISSET(in, rset)) {	1092	if (buffer_potential_free_space(&iqueue) > SFTP_MAX_MSG_LENGTH + 4 &&
		1093	FD_ISSET(in, rset)) {
1090	char buf[4*4096];	1094	char buf[4*4096];
1091	len = read(in, buf, sizeof buf);	1095	len = read(in, buf, sizeof buf);
1092	if (len == 0) {	1096	if (len == 0) {
Lines 1109-1115 Link Here
1109	buffer_consume(&oqueue, len);	1113	buffer_consume(&oqueue, len);
1110	}	1114	}
1111	}	1115	}
1112	/* process requests from client */	1116	/* process requests from client. If the output buffer
1113	process();	1117	* is critical then don't create more data by
		1118	* processing more requests. */
		1119	if (buffer_potential_free_space(&oqueue) > SFTP_MAX_MSG_LENGTH + 4)
		1120	process();
1114	}	1121	}
1115	}	1122	}

Return to bug 1286

Lines 66-71 Link Here

(-)lala2/openssh-4.3p2/buffer.c (-8 / +30 lines)
66	memcpy(p, data, len);	66	memcpy(p, data, len);
67	}	67	}
68		68
		69	/* Shuffle data to the start of the buffer. */
		70
		71	static void
		72	buffer_defragment(Buffer *buffer)
		73	{
		74	memmove(buffer->buf, buffer->buf + buffer->offset,
		75	buffer->end - buffer->offset);
		76	buffer->end -= buffer->offset;
		77	buffer->offset = 0;
		78	}
		79
69	/*	80	/*
70	* Appends space to the buffer, expanding the buffer if necessary. This does	81	* Appends space to the buffer, expanding the buffer if necessary. This does
71	* not actually copy the data into the buffer, but instead returns a pointer	82	* not actually copy the data into the buffer, but instead returns a pointer
Lines 98-115 Link Here
98	* data to the beginning and retry.	109	* data to the beginning and retry.
99	*/	110	*/
100	if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {	111	if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
101	memmove(buffer->buf, buffer->buf + buffer->offset,	112	buffer_defragment(buffer);
102	buffer->end - buffer->offset);
103	buffer->end -= buffer->offset;
104	buffer->offset = 0;
105	goto restart;	113	goto restart;
106	}	114	}
107	/* Increase the size of the buffer and retry. */
108		115
		116	/* Increase the size of the buffer and retry. */
109	newlen = buffer->alloc + len + 32768;	117	newlen = buffer->alloc + len + 32768;
110	if (newlen > BUFFER_MAX_LEN)	118	if (newlen > BUFFER_MAX_LEN) {
111	fatal("buffer_append_space: alloc %u not supported",	119	if (buffer->offset > 0) {
112	newlen);	120	buffer_defragment(buffer);
		121	goto restart;
		122	} else {
		123	fatal("buffer_append_space: alloc %u not supported",
		124	newlen);
		125	}
		126	}
113	buffer->buf = xrealloc(buffer->buf, newlen);	127	buffer->buf = xrealloc(buffer->buf, newlen);
114	buffer->alloc = newlen;	128	buffer->alloc = newlen;
115	goto restart;	129	goto restart;
Lines 124-129 Link Here
124	return buffer->end - buffer->offset;	138	return buffer->end - buffer->offset;
125	}	139	}
126		140
		141	/* The maximum potential space left in buffer. */
		142
		143	u_int
		144	buffer_potential_free_space(Buffer *buffer)
		145	{
		146	return BUFFER_MAX_LEN - buffer_len(buffer);
		147	}
		148
127	/* Gets data from the beginning of the buffer. */	149	/* Gets data from the beginning of the buffer. */
128		150
129	int	151	int