Attachment 1591 Details for Bug 1380 – make c->path dynamic and nuke SSH_CHANNEL_PATH_LEN

[patch] make c->path dynamic and nuke SSH_CHANNEL_PATH_LEN

cpath-dynamic.diff (text/plain), 5.43 KB, created by Damien Miller on 2009-01-14 12:58:18 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Damien Miller

Created: 2009-01-14 12:58:18 AEDT

Size: 5.43 KB

patch

obsolete

>Index: channels.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/channels.h,v
>retrieving revision 1.96
>diff -u -p -r1.96 channels.h
>--- channels.h	15 Jun 2008 20:06:26 -0000	1.96
>+++ channels.h	14 Jan 2009 01:55:20 -0000
>@@ -55,8 +55,6 @@
> #define SSH_CHANNEL_ZOMBIE		14	/* Almost dead. */
> #define SSH_CHANNEL_MAX_TYPE		15
> 
>-#define SSH_CHANNEL_PATH_LEN		256
>-
> struct Channel;
> typedef struct Channel Channel;
> 
>@@ -104,7 +102,7 @@ struct Channel {
> 	Buffer  output;		/* data received over encrypted connection for
> 				 * send on socket */
> 	Buffer  extended;
>-	char    path[SSH_CHANNEL_PATH_LEN];
>+	char    *path;
> 		/* path for unix domain sockets, or host name for forwards */
> 	int     listening_port;	/* port being listened for forwards */
> 	int     host_port;	/* remote port to connect for forwards */
>Index: channels.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/channels.c,v
>retrieving revision 1.292
>diff -u -p -r1.292 channels.c
>--- channels.c	14 Jan 2009 01:38:06 -0000	1.292
>+++ channels.c	14 Jan 2009 01:55:20 -0000
>@@ -291,6 +291,7 @@ channel_new(char *ctype, int type, int r
> 	buffer_init(&c->input);
> 	buffer_init(&c->output);
> 	buffer_init(&c->extended);
>+	c->path = NULL;
> 	c->ostate = CHAN_OUTPUT_OPEN;
> 	c->istate = CHAN_INPUT_OPEN;
> 	c->flags = 0;
>@@ -397,6 +398,10 @@ channel_free(Channel *c)
> 		xfree(c->remote_name);
> 		c->remote_name = NULL;
> 	}
>+	if (c->path) {
>+		xfree(c->path);
>+		c->path = NULL;
>+	}
> 	while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
> 		if (cc->abandon_cb != NULL)
> 			cc->abandon_cb(c, cc->ctx);
>@@ -1032,7 +1037,7 @@ channel_decode_socks4(Channel *c, fd_set
> 
> 	if (need == 1) {			/* SOCKS4: one string */
> 		host = inet_ntoa(s4_req.dest_addr);
>-		strlcpy(c->path, host, sizeof(c->path));
>+		c->path = xstrdup(host);
> 	} else {				/* SOCKS4A: two strings */
> 		have = buffer_len(&c->input);
> 		p = buffer_ptr(&c->input);
>@@ -1043,11 +1048,12 @@ channel_decode_socks4(Channel *c, fd_set
> 		if (len > have)
> 			fatal("channel %d: decode socks4a: len %d > have %d",
> 			    c->self, len, have);
>-		if (strlcpy(c->path, p, sizeof(c->path)) >= sizeof(c->path)) {
>+		if (len > NI_MAXHOST) {
> 			error("channel %d: hostname \"%.100s\" too long",
> 			    c->self, p);
> 			return -1;
> 		}
>+		c->path = xstrdup(p);
> 		buffer_consume(&c->input, len);
> 	}
> 	c->host_port = ntohs(s4_req.dest_port);
>@@ -1088,7 +1094,7 @@ channel_decode_socks5(Channel *c, fd_set
> 		u_int8_t atyp;
> 	} s5_req, s5_rsp;
> 	u_int16_t dest_port;
>-	u_char *p, dest_addr[255+1];
>+	u_char *p, dest_addr[255+1], ntop[INET6_ADDRSTRLEN];
> 	u_int have, need, i, found, nmethods, addrlen, af;
> 
> 	debug2("channel %d: decode socks5", c->self);
>@@ -1161,10 +1167,18 @@ channel_decode_socks5(Channel *c, fd_set
> 	buffer_get(&c->input, (char *)&dest_addr, addrlen);
> 	buffer_get(&c->input, (char *)&dest_port, 2);
> 	dest_addr[addrlen] = '\0';
>-	if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
>-		strlcpy(c->path, (char *)dest_addr, sizeof(c->path));
>-	else if (inet_ntop(af, dest_addr, c->path, sizeof(c->path)) == NULL)
>-		return -1;
>+	if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
>+		if (addrlen > NI_MAXHOST - 1) {
>+			error("channel %d: dynamic request: socks5 hostname "
>+			    "\"%.100s\" too long", c->self, dest_addr);
>+			return -1;
>+		}
>+		c->path = xstrdup(dest_addr);
>+	} else {
>+		if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL)
>+			return -1;
>+		c->path = xstrdup(ntop);
>+	}
> 	c->host_port = ntohs(dest_port);
> 
> 	debug2("channel %d: dynamic request: socks5 host %s port %u command %u",
>@@ -1393,7 +1407,7 @@ channel_post_port_listener(Channel *c, f
> 		    c->local_window_max, c->local_maxpacket, 0, rtype, 1);
> 		nc->listening_port = c->listening_port;
> 		nc->host_port = c->host_port;
>-		strlcpy(nc->path, c->path, sizeof(nc->path));
>+		nc->path = xstrdup(c->path);
> 
> 		if (nextstate == SSH_CHANNEL_DYNAMIC) {
> 			/*
>@@ -2432,7 +2446,7 @@ channel_setup_fwd_listener(int type, con
> 		error("No forward host name.");
> 		return 0;
> 	}
>-	if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) {
>+	if (strlen(host) > NI_MAXHOST) {
> 		error("Forward host name too long.");
> 		return 0;
> 	}
>@@ -2529,7 +2543,7 @@ channel_setup_fwd_listener(int type, con
> 		c = channel_new("port listener", type, sock, sock, -1,
> 		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
> 		    0, "port listener", 1);
>-		strlcpy(c->path, host, sizeof(c->path));
>+		c->path = xstrdup(host);
> 		c->host_port = port_to_connect;
> 		c->listening_port = listen_port;
> 		success = 1;
>@@ -2551,8 +2565,7 @@ channel_cancel_rport_listener(const char
> 		Channel *c = channels[i];
> 
> 		if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER &&
>-		    strncmp(c->path, host, sizeof(c->path)) == 0 &&
>-		    c->listening_port == port) {
>+		    strcmp(c->path, host) == 0 && c->listening_port == port) {
> 			debug2("%s: close channel %d", __func__, i);
> 			channel_free(c);
> 			found = 1;
>Index: session.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/session.c,v
>retrieving revision 1.244
>diff -u -p -r1.244 session.c
>--- session.c	9 Nov 2008 12:34:47 -0000	1.244
>+++ session.c	14 Jan 2009 01:55:21 -0000
>@@ -221,7 +221,7 @@ auth_input_request_forwarding(struct pas
> 	    SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
> 	    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
> 	    0, "auth socket", 1);
>-	strlcpy(nc->path, auth_sock_name, sizeof(nc->path));
>+	nc->path = xstrdup(auth_sock_name);
> 	return 1;
> 
>  authsock_err:

Actions: View | Diff

Attachments on bug 1380: 1367 | 1539 | 1540 | 1591