openssh unix dev - Jul 2004 - channel->input buffer bug and patch

In our work with enabling large windows for openssh we found 

1) that if a window > 0x10000 is advertised to openssh's sshd
2) the sshd tries to send more than 0x10000 bytes of data
3) the receiver does not consume them
4) the input buffer will grow larger than the size allowed by buffer.c
and fatal().

We believe the correct behavior is to limit reading into the channel
input buffer to the maximum buffer size. Attached here is a patch, it
should work against CVS or portable.

diff -u openssh-3.8.1p1/channels.c openssh-3.8.1p1-bugfix/channels.c
--- openssh-3.8.1p1/channels.c  2004-01-20 19:02:09.000000000 -0500
+++ openssh-3.8.1p1-bugfix/channels.c   2004-07-13 09:37:20.000000000 -0400
@@ -702,6 +702,8 @@
 channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
 {
        u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
+       if (limit > 0x10000)
+               limit = 0x10000;
 
        if (c->istate == CHAN_INPUT_OPEN &&
            limit > 0 &&
Common subdirectories: openssh-3.8.1p1/contrib and
openssh-3.8.1p1-bugfix/contrib
Common subdirectories: openssh-3.8.1p1/openbsd-compat and
openssh-3.8.1p1-bugfix/openbsd-compat
Common subdirectories: openssh-3.8.1p1/regress and
openssh-3.8.1p1-bugfix/regress
Common subdirectories: openssh-3.8.1p1/scard and openssh-3.8.1p1-bugfix/scard

On Tue, 13 Jul 2004, Michael Stevens wrote:
> In our work with enabling large windows for openssh we found
>
> 1) that if a window > 0x10000 is advertised to openssh's sshd
> 2) the sshd tries to send more than 0x10000 bytes of data
> 3) the receiver does not consume them
> 4) the input buffer will grow larger than the size allowed by buffer.c
> and fatal().
>
> We believe the correct behavior is to limit reading into the channel
> input buffer to the maximum buffer size. Attached here is a patch, it
> should work against CVS or portable.
>
> diff -u openssh-3.8.1p1/channels.c openssh-3.8.1p1-bugfix/channels.c
> --- openssh-3.8.1p1/channels.c  2004-01-20 19:02:09.000000000 -0500
> +++ openssh-3.8.1p1-bugfix/channels.c   2004-07-13 09:37:20.000000000 -0400
> @@ -702,6 +702,8 @@
>  channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
>  {
>         u_int limit = compat20 ? c->remote_window :
packet_get_maxsize();
> +       if (limit > 0x10000)
> +               limit = 0x10000;
>
I'm interested in which is returning a greater limit.  c->remote_window
or packet_get_maxsize() function.  Since both are used all over the place
for checking buffer sizes and such.  So if there is a limiting problem I
suspect this may be then the wrong place to handle it.

- Ben