Bugzilla – Attachment 2843 Details for
Bug 2580
[PATCH] Support for MaxDisplays to replace artificial MAX_DISPLAYS limit
[patch]
cleaned up patch from Adam (whitespace, magic number)
openssh-6.6p1-x11-max-displays.patch (text/plain), 8.13 KB, created by
Jakub Jelen
on 2016-06-28 00:37:42 AEST
Description:
cleaned up patch from Adam (whitespace, magic number)
Creator:
Jakub Jelen
Created:
2016-06-28 00:37:42 AEST
Size:
8.13 KB
>diff --git a/channels.c b/channels.c
>index d39123f..454954a 100644
>--- a/channels.c
>+++ b/channels.c
>@@ -148,8 +148,8 @@ static int all_opens_permitted = 0;
>
> /* -- X11 forwarding */
>
>-/* Maximum number of fake X11 displays to try. */
>-#define MAX_DISPLAYS 1000
>+/* Minimum port number for X11 forwarding */
>+#define X11_PORT_MIN 6000
>
> /* Saved X11 local (client) display. */
> static char *x11_saved_display = NULL;
>@@ -3890,7 +3890,8 @@ channel_send_window_changes(void)
> */
> int
> x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
>- int single_connection, u_int *display_numberp, int **chanids)
>+ int x11_max_displays, int single_connection, u_int *display_numberp,
>+ int **chanids)
> {
> Channel *nc = NULL;
> int display_number, sock;
>@@ -3902,10 +3903,15 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
> if (chanids == NULL)
> return -1;
>
>+ /* Try to bind ports starting at 6000+X11DisplayOffset */
>+ x11_max_displays = x11_max_displays + x11_display_offset;
>+
> for (display_number = x11_display_offset;
>- display_number < MAX_DISPLAYS;
>+ display_number < x11_max_displays;
> display_number++) {
>- port = 6000 + display_number;
>+ port = X11_PORT_MIN + display_number;
>+ if (port < X11_PORT_MIN) /* overflow */
>+ break;
> memset(&hints, 0, sizeof(hints));
> hints.ai_family = IPv4or6;
> hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
>@@ -3957,7 +3963,7 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
> if (num_socks > 0)
> break;
> }
>- if (display_number >= MAX_DISPLAYS) {
>+ if (display_number >= x11_max_displays || port < X11_PORT_MIN ) {
> error("Failed to allocate internet-domain X11 display socket.");
> return -1;
> }
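Review bot: `x11_max_displays = x11_max_displays + x11_display_offset;` adds two `int` parameters that originate from server configuration, so a large X11MaxDisplays or X11DisplayOffset overflows a signed int (undefined behaviour) before the loop in x11_create_display_inet starts, and a negative sum simply makes the loop never run. The in-loop guard `if (port < X11_PORT_MIN) /* overflow */` can only detect wraparound if `port` is a narrow unsigned type; its declaration is outside the hunk, so that should be confirmed, and the post-loop test in the @@ -3957 hunk relies on the same comparison. Bounding the range before the addition is easier to reason about, e.g. `if (x11_display_offset < 0 || x11_max_displays < 0 || x11_max_displays > 65535 - X11_PORT_MIN - x11_display_offset) return -1;` (or clamp instead of failing). The comment above the addition could also state that the upper bound is now offset + X11MaxDisplays, where the removed MAX_DISPLAYS was an absolute display number.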
>@@ -4090,7 +4096,7 @@ x11_connect_display(void)
> memset(&hints, 0, sizeof(hints));
> hints.ai_family = IPv4or6;
> hints.ai_socktype = SOCK_STREAM;
>- snprintf(strport, sizeof strport, "%u", 6000 + display_number);
>+ snprintf(strport, sizeof strport, "%u", X11_PORT_MIN + display_number);
> if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
> error("%.100s: unknown host. (%s)", buf,
> ssh_gai_strerror(gaierr));
>@@ -4106,7 +4112,7 @@ x11_connect_display(void)
> /* Connect it to the display. */
> if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
> debug2("connect %.100s port %u: %.100s", buf,
>- 6000 + display_number, strerror(errno));
>+ X11_PORT_MIN + display_number, strerror(errno));
> close(sock);
> continue;
> }
>@@ -4115,8 +4121,8 @@ x11_connect_display(void)
> }
> freeaddrinfo(aitop);
> if (!ai) {
>- error("connect %.100s port %u: %.100s", buf, 6000 + display_number,
>- strerror(errno));
>+ error("connect %.100s port %u: %.100s", buf,
>+ X11_PORT_MIN + display_number, strerror(errno));
> return -1;
> }
> set_nodelay(sock);
>diff --git a/channels.h b/channels.h
>index 9d76c9d..338a082 100644
>--- a/channels.h
>+++ b/channels.h
>@@ -286,7 +286,7 @@ int permitopen_port(const char *);
>
> void channel_set_x11_refuse_time(u_int);
> int x11_connect_display(void);
>-int x11_create_display_inet(int, int, int, u_int *, int **);
>+int x11_create_display_inet(int, int, int, int, u_int *, int **);
> int x11_input_open(int, u_int32_t, void *);
> void x11_request_forwarding_with_spoofing(int, const char *, const char *,
> const char *, int);
>diff --git a/servconf.c b/servconf.c
>index 9fcd75a..152ad75 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -96,6 +96,7 @@ initialize_server_options(ServerOptions *options)
> options->print_lastlog = -1;
> options->x11_forwarding = -1;
> options->x11_display_offset = -1;
>+ options->x11_max_displays = -1;
> options->x11_use_localhost = -1;
> options->permit_tty = -1;
> options->permit_user_rc = -1;
>@@ -251,6 +252,8 @@ fill_default_server_options(ServerOptions *options)
> options->x11_forwarding = 0;
> if (options->x11_display_offset == -1)
> options->x11_display_offset = 10;
>+ if (options->x11_max_displays == -1)
>+ options->x11_max_displays = DEFAULT_MAX_DISPLAYS;
> if (options->x11_use_localhost == -1)
> options->x11_use_localhost = 1;
> if (options->xauth_location == NULL)
>@@ -415,7 +418,7 @@ typedef enum {
> sPasswordAuthentication, sKbdInteractiveAuthentication,
> sListenAddress, sAddressFamily,
> sPrintMotd, sPrintLastLog, sIgnoreRhosts,
>- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
>+ sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,
> sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
> sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
> sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
>@@ -523,6 +526,7 @@ static struct {
> { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
> { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
> { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
>+ { "x11maxdisplays", sX11MaxDisplays, SSHCFG_ALL },
> { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
> { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
> { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
>@@ -1287,6 +1291,10 @@ process_server_config_line(ServerOptions *options, char *line,
> intptr = &options->x11_display_offset;
> goto parse_int;
>
>+ case sX11MaxDisplays:
>+ intptr = &options->x11_max_displays;
>+ goto parse_int;
>+
> case sX11UseLocalhost:
> intptr = &options->x11_use_localhost;
> goto parse_flag;
>@@ -2021,6 +2029,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
> M_CP_INTOPT(fwd_opts.gateway_ports);
> M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
> M_CP_INTOPT(x11_display_offset);
>+ M_CP_INTOPT(x11_max_displays);
> M_CP_INTOPT(x11_forwarding);
> M_CP_INTOPT(x11_use_localhost);
> M_CP_INTOPT(permit_tty);
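Review bot: `case sX11MaxDisplays:` in the @@ -1287 hunk hands the value to `parse_int` without adding any range check, so as far as the hunk shows a negative or very large X11MaxDisplays is accepted and only surfaces later in the port arithmetic in channels.c. A configured value of -1 also collides with the unset sentinel set in initialize_server_options and is silently replaced by DEFAULT_MAX_DISPLAYS in fill_default_server_options. Rejecting out-of-range values when the configuration is loaded would fail fast with a clear message; the body of the `parse_int` label is outside the hunk, so the check may belong after it or in a separate validation step, for example `if (options->x11_max_displays < 0 || options->x11_max_displays > 65535 - 6000) fatal("X11MaxDisplays out of range");`. Because the keyword is registered with SSHCFG_ALL, the same validation would need to cover values set inside Match blocks.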
>@@ -2279,6 +2288,7 @@ dump_config(ServerOptions *o)
> dump_cfg_int(sLoginGraceTime, o->login_grace_time);
> dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
> dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
>+ dump_cfg_int(sX11MaxDisplays, o->x11_max_displays);
> dump_cfg_int(sMaxAuthTries, o->max_authtries);
> dump_cfg_int(sMaxSessions, o->max_sessions);
> dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
>diff --git a/servconf.h b/servconf.h
>index f4137af..8362e81 100644
>--- a/servconf.h
>+++ b/servconf.h
>@@ -50,6 +50,7 @@
>
> #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
> #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
>+#define DEFAULT_MAX_DISPLAYS 1000 /* Maximum number of fake X11 displays to try. */
>
> /* Magic name for internal sftp-server */
> #define INTERNAL_SFTP_NAME "internal-sftp"
>@@ -82,6 +83,7 @@ typedef struct {
> int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */
> int x11_display_offset; /* What DISPLAY number to start
> * searching at */
>+ int x11_max_displays; /* Number of displays to search */
> int x11_use_localhost; /* If true, use localhost for fake X11 server. */
> char *xauth_location; /* Location of xauth program */
> int permit_tty; /* If false, deny pty allocation */
>diff --git a/session.c b/session.c
>index 2235f26..4137398 100644
>--- a/session.c
>+++ b/session.c
>@@ -2702,8 +2702,9 @@ session_setup_x11fwd(Session *s)
> return 0;
> }
> if (x11_create_display_inet(options.x11_display_offset,
>- options.x11_use_localhost, s->single_connection,
>- &s->display_number, &s->x11_chanids) == -1) {
>+ options.x11_use_localhost, options.x11_max_displays,
>+ s->single_connection, &s->display_number,
>+ &s->x11_chanids) == -1) {
> debug("x11_create_display_inet failed.");
> return 0;
> }
>diff --git a/sshd_config.5 b/sshd_config.5
>index babe2ae..6a5a8a7 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -1133,6 +1133,7 @@ Available keywords are
> .Cm StreamLocalBindUnlink ,
> .Cm TrustedUserCAKeys ,
> .Cm X11DisplayOffset ,
>+.Cm X11MaxDisplays ,
> .Cm X11Forwarding
> and
> .Cm X11UseLocalHost .
>@@ -1626,6 +1627,12 @@ Specifies the first display number available for
> X11 forwarding.
> This prevents sshd from interfering with real X11 servers.
> The default is 10.
>+.It Cm X11MaxDisplays
>+Specifies the maximum number of displays available for
>+.Xr sshd 8 Ns 's
>+X11 forwarding.
>+This prevents sshd from exhausting local ports.
>+The default is 1000.
> .It Cm X11Forwarding
> Specifies whether X11 forwarding is permitted.
> The argument must be