File: | src/usr.bin/ssh/ssh/../channels.c |
Warning: | line 4013, column 3 Value stored to 'port_to_connect' is never read |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* $OpenBSD: channels.c,v 1.411 2022/01/06 21:48:38 djm Exp $ */ |
2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved |
6 | * This file contains functions for generic socket connection forwarding. |
7 | * There is also code for initiating connection forwarding for X11 connections, |
8 | * arbitrary tcp/ip connections, and the authentication agent connection. |
9 | * |
10 | * As far as I am concerned, the code I have written for this software |
11 | * can be used freely for any purpose. Any derived versions of this |
12 | * software must be clearly marked as such, and if the derived work is |
13 | * incompatible with the protocol description in the RFC file, it must be |
14 | * called by a name other than "ssh" or "Secure Shell". |
15 | * |
16 | * SSH2 support added by Markus Friedl. |
17 | * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. |
18 | * Copyright (c) 1999 Dug Song. All rights reserved. |
19 | * Copyright (c) 1999 Theo de Raadt. All rights reserved. |
20 | * |
21 | * Redistribution and use in source and binary forms, with or without |
22 | * modification, are permitted provided that the following conditions |
23 | * are met: |
24 | * 1. Redistributions of source code must retain the above copyright |
25 | * notice, this list of conditions and the following disclaimer. |
26 | * 2. Redistributions in binary form must reproduce the above copyright |
27 | * notice, this list of conditions and the following disclaimer in the |
28 | * documentation and/or other materials provided with the distribution. |
29 | * |
30 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
31 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
32 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
33 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
34 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
35 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
36 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
37 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
38 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
39 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
40 | */ |
41 | |
42 | #include <sys/types.h> |
43 | #include <sys/stat.h> |
44 | #include <sys/ioctl.h> |
45 | #include <sys/un.h> |
46 | #include <sys/socket.h> |
47 | #include <sys/time.h> |
48 | #include <sys/queue.h> |
49 | |
50 | #include <netinet/in.h> |
51 | #include <arpa/inet.h> |
52 | |
53 | #include <errno(*__errno()).h> |
54 | #include <fcntl.h> |
55 | #include <limits.h> |
56 | #include <netdb.h> |
57 | #include <poll.h> |
58 | #include <stdarg.h> |
59 | #include <stdint.h> |
60 | #include <stdio.h> |
61 | #include <stdlib.h> |
62 | #include <string.h> |
63 | #include <termios.h> |
64 | #include <unistd.h> |
65 | |
66 | #include "xmalloc.h" |
67 | #include "ssh.h" |
68 | #include "ssh2.h" |
69 | #include "ssherr.h" |
70 | #include "sshbuf.h" |
71 | #include "packet.h" |
72 | #include "log.h" |
73 | #include "misc.h" |
74 | #include "channels.h" |
75 | #include "compat.h" |
76 | #include "canohost.h" |
77 | #include "sshkey.h" |
78 | #include "authfd.h" |
79 | #include "pathnames.h" |
80 | #include "match.h" |
81 | |
82 | /* XXX remove once we're satisfied there's no lurking bugs */ |
83 | /* #define DEBUG_CHANNEL_POLL 1 */ |
84 | |
85 | /* -- agent forwarding */ |
86 | #define NUM_SOCKS10 10 |
87 | |
88 | /* -- tcp forwarding */ |
89 | /* special-case port number meaning allow any port */ |
90 | #define FWD_PERMIT_ANY_PORT0 0 |
91 | |
92 | /* special-case wildcard meaning allow any host */ |
93 | #define FWD_PERMIT_ANY_HOST"*" "*" |
94 | |
95 | /* -- X11 forwarding */ |
96 | /* Maximum number of fake X11 displays to try. */ |
97 | #define MAX_DISPLAYS1000 1000 |
98 | |
99 | /* Per-channel callback for pre/post IO actions */ |
100 | typedef void chan_fn(struct ssh *, Channel *c); |
101 | |
102 | /* |
103 | * Data structure for storing which hosts are permitted for forward requests. |
104 | * The local sides of any remote forwards are stored in this array to prevent |
105 | * a corrupt remote server from accessing arbitrary TCP/IP ports on our local |
106 | * network (which might be behind a firewall). |
107 | */ |
108 | /* XXX: streamlocal wants a path instead of host:port */ |
109 | /* Overload host_to_connect; we could just make this match Forward */ |
110 | /* XXX - can we use listen_host instead of listen_path? */ |
111 | struct permission { |
112 | char *host_to_connect; /* Connect to 'host'. */ |
113 | int port_to_connect; /* Connect to 'port'. */ |
114 | char *listen_host; /* Remote side should listen address. */ |
115 | char *listen_path; /* Remote side should listen path. */ |
116 | int listen_port; /* Remote side should listen port. */ |
117 | Channel *downstream; /* Downstream mux*/ |
118 | }; |
119 | |
120 | /* |
121 | * Stores the forwarding permission state for a single direction (local or |
122 | * remote). |
123 | */ |
124 | struct permission_set { |
125 | /* |
126 | * List of all local permitted host/port pairs to allow for the |
127 | * user. |
128 | */ |
129 | u_int num_permitted_user; |
130 | struct permission *permitted_user; |
131 | |
132 | /* |
133 | * List of all permitted host/port pairs to allow for the admin. |
134 | */ |
135 | u_int num_permitted_admin; |
136 | struct permission *permitted_admin; |
137 | |
138 | /* |
139 | * If this is true, all opens/listens are permitted. This is the |
140 | * case on the server on which we have to trust the client anyway, |
141 | * and the user could do anything after logging in. |
142 | */ |
143 | int all_permitted; |
144 | }; |
145 | |
146 | /* Master structure for channels state */ |
147 | struct ssh_channels { |
148 | /* |
149 | * Pointer to an array containing all allocated channels. The array |
150 | * is dynamically extended as needed. |
151 | */ |
152 | Channel **channels; |
153 | |
154 | /* |
155 | * Size of the channel array. All slots of the array must always be |
156 | * initialized (at least the type field); unused slots set to NULL |
157 | */ |
158 | u_int channels_alloc; |
159 | |
160 | /* |
161 | * 'channel_pre*' are called just before IO to add any bits |
162 | * relevant to channels in the c->io_want bitmasks. |
163 | * |
164 | * 'channel_post*': perform any appropriate operations for |
165 | * channels which have c->io_ready events pending. |
166 | */ |
167 | chan_fn **channel_pre; |
168 | chan_fn **channel_post; |
169 | |
170 | /* -- tcp forwarding */ |
171 | struct permission_set local_perms; |
172 | struct permission_set remote_perms; |
173 | |
174 | /* -- X11 forwarding */ |
175 | |
176 | /* Saved X11 local (client) display. */ |
177 | char *x11_saved_display; |
178 | |
179 | /* Saved X11 authentication protocol name. */ |
180 | char *x11_saved_proto; |
181 | |
182 | /* Saved X11 authentication data. This is the real data. */ |
183 | char *x11_saved_data; |
184 | u_int x11_saved_data_len; |
185 | |
186 | /* Deadline after which all X11 connections are refused */ |
187 | u_int x11_refuse_time; |
188 | |
189 | /* |
190 | * Fake X11 authentication data. This is what the server will be |
191 | * sending us; we should replace any occurrences of this by the |
192 | * real data. |
193 | */ |
194 | u_char *x11_fake_data; |
195 | u_int x11_fake_data_len; |
196 | |
197 | /* AF_UNSPEC or AF_INET or AF_INET6 */ |
198 | int IPv4or6; |
199 | }; |
200 | |
201 | /* helper */ |
202 | static void port_open_helper(struct ssh *ssh, Channel *c, char *rtype); |
203 | static const char *channel_rfwd_bind_host(const char *listen_host); |
204 | |
205 | /* non-blocking connect helpers */ |
206 | static int connect_next(struct channel_connect *); |
207 | static void channel_connect_ctx_free(struct channel_connect *); |
208 | static Channel *rdynamic_connect_prepare(struct ssh *, char *, char *); |
209 | static int rdynamic_connect_finish(struct ssh *, Channel *); |
210 | |
211 | /* Setup helper */ |
212 | static void channel_handler_init(struct ssh_channels *sc); |
213 | |
214 | /* -- channel core */ |
215 | |
216 | void |
217 | channel_init_channels(struct ssh *ssh) |
218 | { |
219 | struct ssh_channels *sc; |
220 | |
221 | if ((sc = calloc(1, sizeof(*sc))) == NULL((void *)0)) |
222 | fatal_f("allocation failed")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 222 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "allocation failed"); |
223 | sc->channels_alloc = 10; |
224 | sc->channels = xcalloc(sc->channels_alloc, sizeof(*sc->channels)); |
225 | sc->IPv4or6 = AF_UNSPEC0; |
226 | channel_handler_init(sc); |
227 | |
228 | ssh->chanctxt = sc; |
229 | } |
230 | |
231 | Channel * |
232 | channel_by_id(struct ssh *ssh, int id) |
233 | { |
234 | Channel *c; |
235 | |
236 | if (id < 0 || (u_int)id >= ssh->chanctxt->channels_alloc) { |
237 | logit_f("%d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 237 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id", id); |
238 | return NULL((void *)0); |
239 | } |
240 | c = ssh->chanctxt->channels[id]; |
241 | if (c == NULL((void *)0)) { |
242 | logit_f("%d: bad id: channel free", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 242 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id: channel free" , id); |
243 | return NULL((void *)0); |
244 | } |
245 | return c; |
246 | } |
247 | |
248 | Channel * |
249 | channel_by_remote_id(struct ssh *ssh, u_int remote_id) |
250 | { |
251 | Channel *c; |
252 | u_int i; |
253 | |
254 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
255 | c = ssh->chanctxt->channels[i]; |
256 | if (c != NULL((void *)0) && c->have_remote_id && c->remote_id == remote_id) |
257 | return c; |
258 | } |
259 | return NULL((void *)0); |
260 | } |
261 | |
262 | /* |
263 | * Returns the channel if it is allowed to receive protocol messages. |
264 | * Private channels, like listening sockets, may not receive messages. |
265 | */ |
266 | Channel * |
267 | channel_lookup(struct ssh *ssh, int id) |
268 | { |
269 | Channel *c; |
270 | |
271 | if ((c = channel_by_id(ssh, id)) == NULL((void *)0)) |
272 | return NULL((void *)0); |
273 | |
274 | switch (c->type) { |
275 | case SSH_CHANNEL_X11_OPEN7: |
276 | case SSH_CHANNEL_LARVAL10: |
277 | case SSH_CHANNEL_CONNECTING12: |
278 | case SSH_CHANNEL_DYNAMIC13: |
279 | case SSH_CHANNEL_RDYNAMIC_OPEN21: |
280 | case SSH_CHANNEL_RDYNAMIC_FINISH22: |
281 | case SSH_CHANNEL_OPENING3: |
282 | case SSH_CHANNEL_OPEN4: |
283 | case SSH_CHANNEL_ABANDONED17: |
284 | case SSH_CHANNEL_MUX_PROXY20: |
285 | return c; |
286 | } |
287 | logit("Non-public channel %d, type %d.", id, c->type)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 287 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Non-public channel %d, type %d." , id, c->type); |
288 | return NULL((void *)0); |
289 | } |
290 | |
291 | /* |
292 | * Register filedescriptors for a channel, used when allocating a channel or |
293 | * when the channel consumer/producer is ready, e.g. shell exec'd |
294 | */ |
295 | static void |
296 | channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd, |
297 | int extusage, int nonblock, int is_tty) |
298 | { |
299 | if (rfd != -1) |
300 | fcntl(rfd, F_SETFD2, FD_CLOEXEC1); |
301 | if (wfd != -1 && wfd != rfd) |
302 | fcntl(wfd, F_SETFD2, FD_CLOEXEC1); |
303 | if (efd != -1 && efd != rfd && efd != wfd) |
304 | fcntl(efd, F_SETFD2, FD_CLOEXEC1); |
305 | |
306 | c->rfd = rfd; |
307 | c->wfd = wfd; |
308 | c->sock = (rfd == wfd) ? rfd : -1; |
309 | c->efd = efd; |
310 | c->extended_usage = extusage; |
311 | |
312 | if ((c->isatty = is_tty) != 0) |
313 | debug2("channel %d: rfd %d isatty", c->self, c->rfd)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 313 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: rfd %d isatty" , c->self, c->rfd); |
314 | |
315 | /* enable nonblocking mode */ |
316 | c->restore_block = 0; |
317 | if (nonblock == CHANNEL_NONBLOCK_STDIO2) { |
318 | /* |
319 | * Special handling for stdio file descriptors: do not set |
320 | * non-blocking mode if they are TTYs. Otherwise prepare to |
321 | * restore their blocking state on exit to avoid interfering |
322 | * with other programs that follow. |
323 | */ |
324 | if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL3) == 0) { |
325 | c->restore_block |= CHANNEL_RESTORE_RFD0x01; |
326 | set_nonblock(rfd); |
327 | } |
328 | if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL3) == 0) { |
329 | c->restore_block |= CHANNEL_RESTORE_WFD0x02; |
330 | set_nonblock(wfd); |
331 | } |
332 | if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL3) == 0) { |
333 | c->restore_block |= CHANNEL_RESTORE_EFD0x04; |
334 | set_nonblock(efd); |
335 | } |
336 | } else if (nonblock) { |
337 | if (rfd != -1) |
338 | set_nonblock(rfd); |
339 | if (wfd != -1) |
340 | set_nonblock(wfd); |
341 | if (efd != -1) |
342 | set_nonblock(efd); |
343 | } |
344 | } |
345 | |
346 | /* |
347 | * Allocate a new channel object and set its type and socket. This will cause |
348 | * remote_name to be freed. |
349 | */ |
350 | Channel * |
351 | channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd, |
352 | u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock) |
353 | { |
354 | struct ssh_channels *sc = ssh->chanctxt; |
355 | u_int i, found; |
356 | Channel *c; |
357 | int r; |
358 | |
359 | /* Try to find a free slot where to put the new channel. */ |
360 | for (i = 0; i < sc->channels_alloc; i++) { |
361 | if (sc->channels[i] == NULL((void *)0)) { |
362 | /* Found a free slot. */ |
363 | found = i; |
364 | break; |
365 | } |
366 | } |
367 | if (i >= sc->channels_alloc) { |
368 | /* |
369 | * There are no free slots. Take last+1 slot and expand |
370 | * the array. |
371 | */ |
372 | found = sc->channels_alloc; |
373 | if (sc->channels_alloc > CHANNELS_MAX_CHANNELS(16*1024)) |
374 | fatal_f("internal error: channels_alloc %d too big",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 375 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "internal error: channels_alloc %d too big" , sc->channels_alloc) |
375 | sc->channels_alloc)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 375 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "internal error: channels_alloc %d too big" , sc->channels_alloc); |
376 | sc->channels = xrecallocarray(sc->channels, sc->channels_alloc, |
377 | sc->channels_alloc + 10, sizeof(*sc->channels)); |
378 | sc->channels_alloc += 10; |
379 | debug2("channel: expanding %d", sc->channels_alloc)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 379 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel: expanding %d" , sc->channels_alloc); |
380 | } |
381 | /* Initialize and return new channel. */ |
382 | c = sc->channels[found] = xcalloc(1, sizeof(Channel)); |
383 | if ((c->input = sshbuf_new()) == NULL((void *)0) || |
384 | (c->output = sshbuf_new()) == NULL((void *)0) || |
385 | (c->extended = sshbuf_new()) == NULL((void *)0)) |
386 | fatal_f("sshbuf_new failed")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 386 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "sshbuf_new failed"); |
387 | if ((r = sshbuf_set_max_size(c->input, CHAN_INPUT_MAX(16*1024*1024))) != 0) |
388 | fatal_fr(r, "sshbuf_set_max_size")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 388 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "sshbuf_set_max_size"); |
389 | c->ostate = CHAN_OUTPUT_OPEN0; |
390 | c->istate = CHAN_INPUT_OPEN0; |
391 | channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0); |
392 | c->self = found; |
393 | c->type = type; |
394 | c->ctype = ctype; |
395 | c->local_window = window; |
396 | c->local_window_max = window; |
397 | c->local_maxpacket = maxpack; |
398 | c->remote_name = xstrdup(remote_name); |
399 | c->ctl_chan = -1; |
400 | c->delayed = 1; /* prevent call to channel_post handler */ |
401 | TAILQ_INIT(&c->status_confirms)do { (&c->status_confirms)->tqh_first = ((void *)0) ; (&c->status_confirms)->tqh_last = &(&c-> status_confirms)->tqh_first; } while (0); |
402 | debug("channel %d: new [%s]", found, remote_name)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 402 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: new [%s]" , found, remote_name); |
403 | return c; |
404 | } |
405 | |
406 | int |
407 | channel_close_fd(struct ssh *ssh, Channel *c, int *fdp) |
408 | { |
409 | int ret, fd = *fdp; |
410 | |
411 | if (fd == -1) |
412 | return 0; |
413 | |
414 | if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD0x01) != 0) || |
415 | (*fdp == c->wfd && (c->restore_block & CHANNEL_RESTORE_WFD0x02) != 0) || |
416 | (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD0x04) != 0)) |
417 | (void)fcntl(*fdp, F_SETFL4, 0); /* restore blocking */ |
418 | |
419 | if (*fdp == c->rfd) { |
420 | c->io_want &= ~SSH_CHAN_IO_RFD0x01; |
421 | c->io_ready &= ~SSH_CHAN_IO_RFD0x01; |
422 | c->rfd = -1; |
423 | } |
424 | if (*fdp == c->wfd) { |
425 | c->io_want &= ~SSH_CHAN_IO_WFD0x02; |
426 | c->io_ready &= ~SSH_CHAN_IO_WFD0x02; |
427 | c->wfd = -1; |
428 | } |
429 | if (*fdp == c->efd) { |
430 | c->io_want &= ~SSH_CHAN_IO_EFD(0x04|0x08); |
431 | c->io_ready &= ~SSH_CHAN_IO_EFD(0x04|0x08); |
432 | c->efd = -1; |
433 | } |
434 | if (*fdp == c->sock) { |
435 | c->io_want &= ~SSH_CHAN_IO_SOCK(0x10|0x20); |
436 | c->io_ready &= ~SSH_CHAN_IO_SOCK(0x10|0x20); |
437 | c->sock = -1; |
438 | } |
439 | |
440 | ret = close(fd); |
441 | *fdp = -1; /* probably redundant */ |
442 | return ret; |
443 | } |
444 | |
445 | /* Close all channel fd/socket. */ |
446 | static void |
447 | channel_close_fds(struct ssh *ssh, Channel *c) |
448 | { |
449 | int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd; |
450 | |
451 | channel_close_fd(ssh, c, &c->sock); |
452 | if (rfd != sock) |
453 | channel_close_fd(ssh, c, &c->rfd); |
454 | if (wfd != sock && wfd != rfd) |
455 | channel_close_fd(ssh, c, &c->wfd); |
456 | if (efd != sock && efd != rfd && efd != wfd) |
457 | channel_close_fd(ssh, c, &c->efd); |
458 | } |
459 | |
460 | static void |
461 | fwd_perm_clear(struct permission *perm) |
462 | { |
463 | free(perm->host_to_connect); |
464 | free(perm->listen_host); |
465 | free(perm->listen_path); |
466 | memset(perm, 0, sizeof(*perm)); |
467 | } |
468 | |
469 | /* Returns an printable name for the specified forwarding permission list */ |
470 | static const char * |
471 | fwd_ident(int who, int where) |
472 | { |
473 | if (who == FORWARD_ADM0x100) { |
474 | if (where == FORWARD_LOCAL(1<<1)) |
475 | return "admin local"; |
476 | else if (where == FORWARD_REMOTE(1)) |
477 | return "admin remote"; |
478 | } else if (who == FORWARD_USER0x101) { |
479 | if (where == FORWARD_LOCAL(1<<1)) |
480 | return "user local"; |
481 | else if (where == FORWARD_REMOTE(1)) |
482 | return "user remote"; |
483 | } |
484 | fatal("Unknown forward permission list %d/%d", who, where)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 484 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "Unknown forward permission list %d/%d" , who, where); |
485 | } |
486 | |
487 | /* Returns the forwarding permission list for the specified direction */ |
488 | static struct permission_set * |
489 | permission_set_get(struct ssh *ssh, int where) |
490 | { |
491 | struct ssh_channels *sc = ssh->chanctxt; |
492 | |
493 | switch (where) { |
494 | case FORWARD_LOCAL(1<<1): |
495 | return &sc->local_perms; |
496 | break; |
497 | case FORWARD_REMOTE(1): |
498 | return &sc->remote_perms; |
499 | break; |
500 | default: |
501 | fatal_f("invalid forwarding direction %d", where)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 501 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "invalid forwarding direction %d" , where); |
502 | } |
503 | } |
504 | |
505 | /* Returns pointers to the specified forwarding list and its element count */ |
506 | static void |
507 | permission_set_get_array(struct ssh *ssh, int who, int where, |
508 | struct permission ***permpp, u_int **npermpp) |
509 | { |
510 | struct permission_set *pset = permission_set_get(ssh, where); |
511 | |
512 | switch (who) { |
513 | case FORWARD_USER0x101: |
514 | *permpp = &pset->permitted_user; |
515 | *npermpp = &pset->num_permitted_user; |
516 | break; |
517 | case FORWARD_ADM0x100: |
518 | *permpp = &pset->permitted_admin; |
519 | *npermpp = &pset->num_permitted_admin; |
520 | break; |
521 | default: |
522 | fatal_f("invalid forwarding client %d", who)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 522 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "invalid forwarding client %d" , who); |
523 | } |
524 | } |
525 | |
526 | /* Adds an entry to the specified forwarding list */ |
527 | static int |
528 | permission_set_add(struct ssh *ssh, int who, int where, |
529 | const char *host_to_connect, int port_to_connect, |
530 | const char *listen_host, const char *listen_path, int listen_port, |
531 | Channel *downstream) |
532 | { |
533 | struct permission **permp; |
534 | u_int n, *npermp; |
535 | |
536 | permission_set_get_array(ssh, who, where, &permp, &npermp); |
537 | |
538 | if (*npermp >= INT_MAX2147483647) |
539 | fatal_f("%s overflow", fwd_ident(who, where))sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 539 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "%s overflow", fwd_ident (who, where)); |
540 | |
541 | *permp = xrecallocarray(*permp, *npermp, *npermp + 1, sizeof(**permp)); |
542 | n = (*npermp)++; |
543 | #define MAYBE_DUP(s) ((s == NULL((void *)0)) ? NULL((void *)0) : xstrdup(s)) |
544 | (*permp)[n].host_to_connect = MAYBE_DUP(host_to_connect); |
545 | (*permp)[n].port_to_connect = port_to_connect; |
546 | (*permp)[n].listen_host = MAYBE_DUP(listen_host); |
547 | (*permp)[n].listen_path = MAYBE_DUP(listen_path); |
548 | (*permp)[n].listen_port = listen_port; |
549 | (*permp)[n].downstream = downstream; |
550 | #undef MAYBE_DUP |
551 | return (int)n; |
552 | } |
553 | |
554 | static void |
555 | mux_remove_remote_forwardings(struct ssh *ssh, Channel *c) |
556 | { |
557 | struct ssh_channels *sc = ssh->chanctxt; |
558 | struct permission_set *pset = &sc->local_perms; |
559 | struct permission *perm; |
560 | int r; |
561 | u_int i; |
562 | |
563 | for (i = 0; i < pset->num_permitted_user; i++) { |
564 | perm = &pset->permitted_user[i]; |
565 | if (perm->downstream != c) |
566 | continue; |
567 | |
568 | /* cancel on the server, since mux client is gone */ |
569 | debug("channel %d: cleanup remote forward for %s:%u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 570 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: cleanup remote forward for %s:%u" , c->self, perm->listen_host, perm->listen_port) |
570 | c->self, perm->listen_host, perm->listen_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 570 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: cleanup remote forward for %s:%u" , c->self, perm->listen_host, perm->listen_port); |
571 | if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 || |
572 | (r = sshpkt_put_cstring(ssh, |
573 | "cancel-tcpip-forward")) != 0 || |
574 | (r = sshpkt_put_u8(ssh, 0)) != 0 || |
575 | (r = sshpkt_put_cstring(ssh, |
576 | channel_rfwd_bind_host(perm->listen_host))) != 0 || |
577 | (r = sshpkt_put_u32(ssh, perm->listen_port)) != 0 || |
578 | (r = sshpkt_send(ssh)) != 0) { |
579 | fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 579 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self ); |
580 | } |
581 | fwd_perm_clear(perm); /* unregister */ |
582 | } |
583 | } |
584 | |
585 | /* Free the channel and close its fd/socket. */ |
586 | void |
587 | channel_free(struct ssh *ssh, Channel *c) |
588 | { |
589 | struct ssh_channels *sc = ssh->chanctxt; |
590 | char *s; |
591 | u_int i, n; |
592 | Channel *other; |
593 | struct channel_confirm *cc; |
594 | |
595 | for (n = 0, i = 0; i < sc->channels_alloc; i++) { |
596 | if ((other = sc->channels[i]) == NULL((void *)0)) |
597 | continue; |
598 | n++; |
599 | /* detach from mux client and prepare for closing */ |
600 | if (c->type == SSH_CHANNEL_MUX_CLIENT16 && |
601 | other->type == SSH_CHANNEL_MUX_PROXY20 && |
602 | other->mux_ctx == c) { |
603 | other->mux_ctx = NULL((void *)0); |
604 | other->type = SSH_CHANNEL_OPEN4; |
605 | other->istate = CHAN_INPUT_CLOSED3; |
606 | other->ostate = CHAN_OUTPUT_CLOSED3; |
607 | } |
608 | } |
609 | debug("channel %d: free: %s, nchannels %u", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 610 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: free: %s, nchannels %u" , c->self, c->remote_name ? c->remote_name : "???", n ) |
610 | c->remote_name ? c->remote_name : "???", n)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 610 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: free: %s, nchannels %u" , c->self, c->remote_name ? c->remote_name : "???", n ); |
611 | |
612 | if (c->type == SSH_CHANNEL_MUX_CLIENT16) { |
613 | mux_remove_remote_forwardings(ssh, c); |
614 | free(c->mux_ctx); |
615 | c->mux_ctx = NULL((void *)0); |
616 | } else if (c->type == SSH_CHANNEL_MUX_LISTENER15) { |
617 | free(c->mux_ctx); |
618 | c->mux_ctx = NULL((void *)0); |
619 | } |
620 | |
621 | if (log_level_get() >= SYSLOG_LEVEL_DEBUG3) { |
622 | s = channel_open_message(ssh); |
623 | debug3("channel %d: status: %s", c->self, s)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 623 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: status: %s" , c->self, s); |
624 | free(s); |
625 | } |
626 | |
627 | channel_close_fds(ssh, c); |
628 | sshbuf_free(c->input); |
629 | sshbuf_free(c->output); |
630 | sshbuf_free(c->extended); |
631 | c->input = c->output = c->extended = NULL((void *)0); |
632 | free(c->remote_name); |
633 | c->remote_name = NULL((void *)0); |
634 | free(c->path); |
635 | c->path = NULL((void *)0); |
636 | free(c->listening_addr); |
637 | c->listening_addr = NULL((void *)0); |
638 | while ((cc = TAILQ_FIRST(&c->status_confirms)((&c->status_confirms)->tqh_first)) != NULL((void *)0)) { |
639 | if (cc->abandon_cb != NULL((void *)0)) |
640 | cc->abandon_cb(ssh, c, cc->ctx); |
641 | TAILQ_REMOVE(&c->status_confirms, cc, entry)do { if (((cc)->entry.tqe_next) != ((void *)0)) (cc)->entry .tqe_next->entry.tqe_prev = (cc)->entry.tqe_prev; else ( &c->status_confirms)->tqh_last = (cc)->entry.tqe_prev ; *(cc)->entry.tqe_prev = (cc)->entry.tqe_next; ; ; } while (0); |
642 | freezero(cc, sizeof(*cc)); |
643 | } |
644 | if (c->filter_cleanup != NULL((void *)0) && c->filter_ctx != NULL((void *)0)) |
645 | c->filter_cleanup(ssh, c->self, c->filter_ctx); |
646 | sc->channels[c->self] = NULL((void *)0); |
647 | freezero(c, sizeof(*c)); |
648 | } |
649 | |
650 | void |
651 | channel_free_all(struct ssh *ssh) |
652 | { |
653 | u_int i; |
654 | struct ssh_channels *sc = ssh->chanctxt; |
655 | |
656 | for (i = 0; i < sc->channels_alloc; i++) |
657 | if (sc->channels[i] != NULL((void *)0)) |
658 | channel_free(ssh, sc->channels[i]); |
659 | |
660 | free(sc->channels); |
661 | sc->channels = NULL((void *)0); |
662 | sc->channels_alloc = 0; |
663 | |
664 | free(sc->x11_saved_display); |
665 | sc->x11_saved_display = NULL((void *)0); |
666 | |
667 | free(sc->x11_saved_proto); |
668 | sc->x11_saved_proto = NULL((void *)0); |
669 | |
670 | free(sc->x11_saved_data); |
671 | sc->x11_saved_data = NULL((void *)0); |
672 | sc->x11_saved_data_len = 0; |
673 | |
674 | free(sc->x11_fake_data); |
675 | sc->x11_fake_data = NULL((void *)0); |
676 | sc->x11_fake_data_len = 0; |
677 | } |
678 | |
679 | /* |
680 | * Closes the sockets/fds of all channels. This is used to close extra file |
681 | * descriptors after a fork. |
682 | */ |
683 | void |
684 | channel_close_all(struct ssh *ssh) |
685 | { |
686 | u_int i; |
687 | |
688 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) |
689 | if (ssh->chanctxt->channels[i] != NULL((void *)0)) |
690 | channel_close_fds(ssh, ssh->chanctxt->channels[i]); |
691 | } |
692 | |
693 | /* |
694 | * Stop listening to channels. |
695 | */ |
696 | void |
697 | channel_stop_listening(struct ssh *ssh) |
698 | { |
699 | u_int i; |
700 | Channel *c; |
701 | |
702 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
703 | c = ssh->chanctxt->channels[i]; |
704 | if (c != NULL((void *)0)) { |
705 | switch (c->type) { |
706 | case SSH_CHANNEL_AUTH_SOCKET6: |
707 | case SSH_CHANNEL_PORT_LISTENER2: |
708 | case SSH_CHANNEL_RPORT_LISTENER11: |
709 | case SSH_CHANNEL_X11_LISTENER1: |
710 | case SSH_CHANNEL_UNIX_LISTENER18: |
711 | case SSH_CHANNEL_RUNIX_LISTENER19: |
712 | channel_close_fd(ssh, c, &c->sock); |
713 | channel_free(ssh, c); |
714 | break; |
715 | } |
716 | } |
717 | } |
718 | } |
719 | |
720 | /* |
721 | * Returns true if no channel has too much buffered data, and false if one or |
722 | * more channel is overfull. |
723 | */ |
724 | int |
725 | channel_not_very_much_buffered_data(struct ssh *ssh) |
726 | { |
727 | u_int i; |
728 | u_int maxsize = ssh_packet_get_maxsize(ssh); |
729 | Channel *c; |
730 | |
731 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
732 | c = ssh->chanctxt->channels[i]; |
733 | if (c == NULL((void *)0) || c->type != SSH_CHANNEL_OPEN4) |
734 | continue; |
735 | if (sshbuf_len(c->output) > maxsize) { |
736 | debug2("channel %d: big output buffer %zu > %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 737 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: big output buffer %zu > %u" , c->self, sshbuf_len(c->output), maxsize) |
737 | c->self, sshbuf_len(c->output), maxsize)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 737 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: big output buffer %zu > %u" , c->self, sshbuf_len(c->output), maxsize); |
738 | return 0; |
739 | } |
740 | } |
741 | return 1; |
742 | } |
743 | |
744 | /* Returns true if any channel is still open. */ |
745 | int |
746 | channel_still_open(struct ssh *ssh) |
747 | { |
748 | u_int i; |
749 | Channel *c; |
750 | |
751 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
752 | c = ssh->chanctxt->channels[i]; |
753 | if (c == NULL((void *)0)) |
754 | continue; |
755 | switch (c->type) { |
756 | case SSH_CHANNEL_X11_LISTENER1: |
757 | case SSH_CHANNEL_PORT_LISTENER2: |
758 | case SSH_CHANNEL_RPORT_LISTENER11: |
759 | case SSH_CHANNEL_MUX_LISTENER15: |
760 | case SSH_CHANNEL_CLOSED5: |
761 | case SSH_CHANNEL_AUTH_SOCKET6: |
762 | case SSH_CHANNEL_DYNAMIC13: |
763 | case SSH_CHANNEL_RDYNAMIC_OPEN21: |
764 | case SSH_CHANNEL_CONNECTING12: |
765 | case SSH_CHANNEL_ZOMBIE14: |
766 | case SSH_CHANNEL_ABANDONED17: |
767 | case SSH_CHANNEL_UNIX_LISTENER18: |
768 | case SSH_CHANNEL_RUNIX_LISTENER19: |
769 | continue; |
770 | case SSH_CHANNEL_LARVAL10: |
771 | continue; |
772 | case SSH_CHANNEL_OPENING3: |
773 | case SSH_CHANNEL_OPEN4: |
774 | case SSH_CHANNEL_RDYNAMIC_FINISH22: |
775 | case SSH_CHANNEL_X11_OPEN7: |
776 | case SSH_CHANNEL_MUX_CLIENT16: |
777 | case SSH_CHANNEL_MUX_PROXY20: |
778 | return 1; |
779 | default: |
780 | fatal_f("bad channel type %d", c->type)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 780 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "bad channel type %d", c ->type); |
781 | /* NOTREACHED */ |
782 | } |
783 | } |
784 | return 0; |
785 | } |
786 | |
787 | /* Returns the id of an open channel suitable for keepaliving */ |
788 | int |
789 | channel_find_open(struct ssh *ssh) |
790 | { |
791 | u_int i; |
792 | Channel *c; |
793 | |
794 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
795 | c = ssh->chanctxt->channels[i]; |
796 | if (c == NULL((void *)0) || !c->have_remote_id) |
797 | continue; |
798 | switch (c->type) { |
799 | case SSH_CHANNEL_CLOSED5: |
800 | case SSH_CHANNEL_DYNAMIC13: |
801 | case SSH_CHANNEL_RDYNAMIC_OPEN21: |
802 | case SSH_CHANNEL_RDYNAMIC_FINISH22: |
803 | case SSH_CHANNEL_X11_LISTENER1: |
804 | case SSH_CHANNEL_PORT_LISTENER2: |
805 | case SSH_CHANNEL_RPORT_LISTENER11: |
806 | case SSH_CHANNEL_MUX_LISTENER15: |
807 | case SSH_CHANNEL_MUX_CLIENT16: |
808 | case SSH_CHANNEL_MUX_PROXY20: |
809 | case SSH_CHANNEL_OPENING3: |
810 | case SSH_CHANNEL_CONNECTING12: |
811 | case SSH_CHANNEL_ZOMBIE14: |
812 | case SSH_CHANNEL_ABANDONED17: |
813 | case SSH_CHANNEL_UNIX_LISTENER18: |
814 | case SSH_CHANNEL_RUNIX_LISTENER19: |
815 | continue; |
816 | case SSH_CHANNEL_LARVAL10: |
817 | case SSH_CHANNEL_AUTH_SOCKET6: |
818 | case SSH_CHANNEL_OPEN4: |
819 | case SSH_CHANNEL_X11_OPEN7: |
820 | return i; |
821 | default: |
822 | fatal_f("bad channel type %d", c->type)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 822 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "bad channel type %d", c ->type); |
823 | /* NOTREACHED */ |
824 | } |
825 | } |
826 | return -1; |
827 | } |
828 | |
829 | /* Returns the state of the channel's extended usage flag */ |
830 | const char * |
831 | channel_format_extended_usage(const Channel *c) |
832 | { |
833 | if (c->efd == -1) |
834 | return "closed"; |
835 | |
836 | switch (c->extended_usage) { |
837 | case CHAN_EXTENDED_WRITE2: |
838 | return "write"; |
839 | case CHAN_EXTENDED_READ1: |
840 | return "read"; |
841 | case CHAN_EXTENDED_IGNORE0: |
842 | return "ignore"; |
843 | default: |
844 | return "UNKNOWN"; |
845 | } |
846 | } |
847 | |
848 | static char * |
849 | channel_format_status(const Channel *c) |
850 | { |
851 | char *ret = NULL((void *)0); |
852 | |
853 | xasprintf(&ret, "t%d %s%u i%u/%zu o%u/%zu e[%s]/%zu " |
854 | "fd %d/%d/%d sock %d cc %d io 0x%02x/0x%02x", |
855 | c->type, |
856 | c->have_remote_id ? "r" : "nr", c->remote_id, |
857 | c->istate, sshbuf_len(c->input), |
858 | c->ostate, sshbuf_len(c->output), |
859 | channel_format_extended_usage(c), sshbuf_len(c->extended), |
860 | c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan, |
861 | c->io_want, c->io_ready); |
862 | return ret; |
863 | } |
864 | |
865 | /* |
866 | * Returns a message describing the currently open forwarded connections, |
867 | * suitable for sending to the client. The message contains crlf pairs for |
868 | * newlines. |
869 | */ |
870 | char * |
871 | channel_open_message(struct ssh *ssh) |
872 | { |
873 | struct sshbuf *buf; |
874 | Channel *c; |
875 | u_int i; |
876 | int r; |
877 | char *cp, *ret; |
878 | |
879 | if ((buf = sshbuf_new()) == NULL((void *)0)) |
880 | fatal_f("sshbuf_new")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 880 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "sshbuf_new"); |
881 | if ((r = sshbuf_putf(buf, |
882 | "The following connections are open:\r\n")) != 0) |
883 | fatal_fr(r, "sshbuf_putf")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 883 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "sshbuf_putf"); |
884 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
885 | c = ssh->chanctxt->channels[i]; |
886 | if (c == NULL((void *)0)) |
887 | continue; |
888 | switch (c->type) { |
889 | case SSH_CHANNEL_X11_LISTENER1: |
890 | case SSH_CHANNEL_PORT_LISTENER2: |
891 | case SSH_CHANNEL_RPORT_LISTENER11: |
892 | case SSH_CHANNEL_CLOSED5: |
893 | case SSH_CHANNEL_AUTH_SOCKET6: |
894 | case SSH_CHANNEL_ZOMBIE14: |
895 | case SSH_CHANNEL_ABANDONED17: |
896 | case SSH_CHANNEL_MUX_LISTENER15: |
897 | case SSH_CHANNEL_UNIX_LISTENER18: |
898 | case SSH_CHANNEL_RUNIX_LISTENER19: |
899 | continue; |
900 | case SSH_CHANNEL_LARVAL10: |
901 | case SSH_CHANNEL_OPENING3: |
902 | case SSH_CHANNEL_CONNECTING12: |
903 | case SSH_CHANNEL_DYNAMIC13: |
904 | case SSH_CHANNEL_RDYNAMIC_OPEN21: |
905 | case SSH_CHANNEL_RDYNAMIC_FINISH22: |
906 | case SSH_CHANNEL_OPEN4: |
907 | case SSH_CHANNEL_X11_OPEN7: |
908 | case SSH_CHANNEL_MUX_PROXY20: |
909 | case SSH_CHANNEL_MUX_CLIENT16: |
910 | cp = channel_format_status(c); |
911 | if ((r = sshbuf_putf(buf, " #%d %.300s (%s)\r\n", |
912 | c->self, c->remote_name, cp)) != 0) { |
913 | free(cp); |
914 | fatal_fr(r, "sshbuf_putf")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 914 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "sshbuf_putf"); |
915 | } |
916 | free(cp); |
917 | continue; |
918 | default: |
919 | fatal_f("bad channel type %d", c->type)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 919 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "bad channel type %d", c ->type); |
920 | /* NOTREACHED */ |
921 | } |
922 | } |
923 | if ((ret = sshbuf_dup_string(buf)) == NULL((void *)0)) |
924 | fatal_f("sshbuf_dup_string")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 924 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "sshbuf_dup_string"); |
925 | sshbuf_free(buf); |
926 | return ret; |
927 | } |
928 | |
929 | static void |
930 | open_preamble(struct ssh *ssh, const char *where, Channel *c, const char *type) |
931 | { |
932 | int r; |
933 | |
934 | if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN90)) != 0 || |
935 | (r = sshpkt_put_cstring(ssh, type)) != 0 || |
936 | (r = sshpkt_put_u32(ssh, c->self)) != 0 || |
937 | (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || |
938 | (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) { |
939 | fatal_r(r, "%s: channel %i: open", where, c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 939 , 0, SYSLOG_LEVEL_FATAL, ssh_err(r), "%s: channel %i: open", where , c->self); |
940 | } |
941 | } |
942 | |
943 | void |
944 | channel_send_open(struct ssh *ssh, int id) |
945 | { |
946 | Channel *c = channel_lookup(ssh, id); |
947 | int r; |
948 | |
949 | if (c == NULL((void *)0)) { |
950 | logit("channel_send_open: %d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 950 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel_send_open: %d: bad id" , id); |
951 | return; |
952 | } |
953 | debug2("channel %d: send open", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 953 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: send open" , id); |
954 | open_preamble(ssh, __func__, c, c->ctype); |
955 | if ((r = sshpkt_send(ssh)) != 0) |
956 | fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 956 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self ); |
957 | } |
958 | |
959 | void |
960 | channel_request_start(struct ssh *ssh, int id, char *service, int wantconfirm) |
961 | { |
962 | Channel *c = channel_lookup(ssh, id); |
963 | int r; |
964 | |
965 | if (c == NULL((void *)0)) { |
966 | logit_f("%d: unknown channel id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 966 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: unknown channel id" , id); |
967 | return; |
968 | } |
969 | if (!c->have_remote_id) |
970 | fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 970 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self); |
971 | |
972 | debug2("channel %d: request %s confirm %d", id, service, wantconfirm)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 972 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: request %s confirm %d" , id, service, wantconfirm); |
973 | if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_REQUEST98)) != 0 || |
974 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
975 | (r = sshpkt_put_cstring(ssh, service)) != 0 || |
976 | (r = sshpkt_put_u8(ssh, wantconfirm)) != 0) { |
977 | fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 977 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self ); |
978 | } |
979 | } |
980 | |
981 | void |
982 | channel_register_status_confirm(struct ssh *ssh, int id, |
983 | channel_confirm_cb *cb, channel_confirm_abandon_cb *abandon_cb, void *ctx) |
984 | { |
985 | struct channel_confirm *cc; |
986 | Channel *c; |
987 | |
988 | if ((c = channel_lookup(ssh, id)) == NULL((void *)0)) |
989 | fatal_f("%d: bad id", id)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 989 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "%d: bad id", id); |
990 | |
991 | cc = xcalloc(1, sizeof(*cc)); |
992 | cc->cb = cb; |
993 | cc->abandon_cb = abandon_cb; |
994 | cc->ctx = ctx; |
995 | TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry)do { (cc)->entry.tqe_next = ((void *)0); (cc)->entry.tqe_prev = (&c->status_confirms)->tqh_last; *(&c->status_confirms )->tqh_last = (cc); (&c->status_confirms)->tqh_last = &(cc)->entry.tqe_next; } while (0); |
996 | } |
997 | |
998 | void |
999 | channel_register_open_confirm(struct ssh *ssh, int id, |
1000 | channel_open_fn *fn, void *ctx) |
1001 | { |
1002 | Channel *c = channel_lookup(ssh, id); |
1003 | |
1004 | if (c == NULL((void *)0)) { |
1005 | logit_f("%d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1005 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id", id); |
1006 | return; |
1007 | } |
1008 | c->open_confirm = fn; |
1009 | c->open_confirm_ctx = ctx; |
1010 | } |
1011 | |
1012 | void |
1013 | channel_register_cleanup(struct ssh *ssh, int id, |
1014 | channel_callback_fn *fn, int do_close) |
1015 | { |
1016 | Channel *c = channel_by_id(ssh, id); |
1017 | |
1018 | if (c == NULL((void *)0)) { |
1019 | logit_f("%d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1019 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id", id); |
1020 | return; |
1021 | } |
1022 | c->detach_user = fn; |
1023 | c->detach_close = do_close; |
1024 | } |
1025 | |
1026 | void |
1027 | channel_cancel_cleanup(struct ssh *ssh, int id) |
1028 | { |
1029 | Channel *c = channel_by_id(ssh, id); |
1030 | |
1031 | if (c == NULL((void *)0)) { |
1032 | logit_f("%d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1032 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id", id); |
1033 | return; |
1034 | } |
1035 | c->detach_user = NULL((void *)0); |
1036 | c->detach_close = 0; |
1037 | } |
1038 | |
1039 | void |
1040 | channel_register_filter(struct ssh *ssh, int id, channel_infilter_fn *ifn, |
1041 | channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx) |
1042 | { |
1043 | Channel *c = channel_lookup(ssh, id); |
1044 | |
1045 | if (c == NULL((void *)0)) { |
1046 | logit_f("%d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1046 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id", id); |
1047 | return; |
1048 | } |
1049 | c->input_filter = ifn; |
1050 | c->output_filter = ofn; |
1051 | c->filter_ctx = ctx; |
1052 | c->filter_cleanup = cfn; |
1053 | } |
1054 | |
1055 | void |
1056 | channel_set_fds(struct ssh *ssh, int id, int rfd, int wfd, int efd, |
1057 | int extusage, int nonblock, int is_tty, u_int window_max) |
1058 | { |
1059 | Channel *c = channel_lookup(ssh, id); |
1060 | int r; |
1061 | |
1062 | if (c == NULL((void *)0) || c->type != SSH_CHANNEL_LARVAL10) |
1063 | fatal("channel_activate for non-larval channel %d.", id)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1063 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel_activate for non-larval channel %d." , id); |
1064 | if (!c->have_remote_id) |
1065 | fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1065 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self); |
1066 | |
1067 | channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, is_tty); |
1068 | c->type = SSH_CHANNEL_OPEN4; |
1069 | c->local_window = c->local_window_max = window_max; |
1070 | |
1071 | if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST93)) != 0 || |
1072 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
1073 | (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || |
1074 | (r = sshpkt_send(ssh)) != 0) |
1075 | fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1075 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self ); |
1076 | } |
1077 | |
1078 | static void |
1079 | channel_pre_listener(struct ssh *ssh, Channel *c) |
1080 | { |
1081 | c->io_want = SSH_CHAN_IO_SOCK_R0x10; |
1082 | } |
1083 | |
1084 | static void |
1085 | channel_pre_connecting(struct ssh *ssh, Channel *c) |
1086 | { |
1087 | debug3("channel %d: waiting for connection", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1087 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: waiting for connection" , c->self); |
1088 | c->io_want = SSH_CHAN_IO_SOCK_W0x20; |
1089 | } |
1090 | |
1091 | static void |
1092 | channel_pre_open(struct ssh *ssh, Channel *c) |
1093 | { |
1094 | c->io_want = 0; |
1095 | if (c->istate == CHAN_INPUT_OPEN0 && |
1096 | c->remote_window > 0 && |
1097 | sshbuf_len(c->input) < c->remote_window && |
1098 | sshbuf_check_reserve(c->input, CHAN_RBUF(16*1024)) == 0) |
1099 | c->io_want |= SSH_CHAN_IO_RFD0x01; |
1100 | if (c->ostate == CHAN_OUTPUT_OPEN0 || |
1101 | c->ostate == CHAN_OUTPUT_WAIT_DRAIN1) { |
1102 | if (sshbuf_len(c->output) > 0) { |
1103 | c->io_want |= SSH_CHAN_IO_WFD0x02; |
1104 | } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN1) { |
1105 | if (CHANNEL_EFD_OUTPUT_ACTIVE(c)(c->extended_usage == 2 && c->efd != -1 && (!(c->flags & (0x08|0x02)) || sshbuf_len(c->extended ) > 0))) |
1106 | debug2("channel %d: "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1108 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "obuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended)) |
1107 | "obuf_empty delayed efd %d/(%zu)", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1108 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "obuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended)) |
1108 | c->efd, sshbuf_len(c->extended))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1108 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "obuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended)); |
1109 | else |
1110 | chan_obuf_empty(ssh, c); |
1111 | } |
1112 | } |
1113 | /** XXX check close conditions, too */ |
1114 | if (c->efd != -1 && !(c->istate == CHAN_INPUT_CLOSED3 && |
1115 | c->ostate == CHAN_OUTPUT_CLOSED3)) { |
1116 | if (c->extended_usage == CHAN_EXTENDED_WRITE2 && |
1117 | sshbuf_len(c->extended) > 0) |
1118 | c->io_want |= SSH_CHAN_IO_EFD_W0x08; |
1119 | else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT0x04) && |
1120 | (c->extended_usage == CHAN_EXTENDED_READ1 || |
1121 | c->extended_usage == CHAN_EXTENDED_IGNORE0) && |
1122 | sshbuf_len(c->extended) < c->remote_window) |
1123 | c->io_want |= SSH_CHAN_IO_EFD_R0x04; |
1124 | } |
1125 | /* XXX: What about efd? races? */ |
1126 | } |
1127 | |
1128 | /* |
1129 | * This is a special state for X11 authentication spoofing. An opened X11 |
1130 | * connection (when authentication spoofing is being done) remains in this |
1131 | * state until the first packet has been completely read. The authentication |
1132 | * data in that packet is then substituted by the real data if it matches the |
1133 | * fake data, and the channel is put into normal mode. |
1134 | * XXX All this happens at the client side. |
1135 | * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok |
1136 | */ |
1137 | static int |
1138 | x11_open_helper(struct ssh *ssh, struct sshbuf *b) |
1139 | { |
1140 | struct ssh_channels *sc = ssh->chanctxt; |
1141 | u_char *ucp; |
1142 | u_int proto_len, data_len; |
1143 | |
1144 | /* Is this being called after the refusal deadline? */ |
1145 | if (sc->x11_refuse_time != 0 && |
1146 | (u_int)monotime() >= sc->x11_refuse_time) { |
1147 | verbose("Rejected X11 connection after ForwardX11Timeout "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1148 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "Rejected X11 connection after ForwardX11Timeout " "expired") |
1148 | "expired")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1148 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "Rejected X11 connection after ForwardX11Timeout " "expired"); |
1149 | return -1; |
1150 | } |
1151 | |
1152 | /* Check if the fixed size part of the packet is in buffer. */ |
1153 | if (sshbuf_len(b) < 12) |
1154 | return 0; |
1155 | |
1156 | /* Parse the lengths of variable-length fields. */ |
1157 | ucp = sshbuf_mutable_ptr(b); |
1158 | if (ucp[0] == 0x42) { /* Byte order MSB first. */ |
1159 | proto_len = 256 * ucp[6] + ucp[7]; |
1160 | data_len = 256 * ucp[8] + ucp[9]; |
1161 | } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ |
1162 | proto_len = ucp[6] + 256 * ucp[7]; |
1163 | data_len = ucp[8] + 256 * ucp[9]; |
1164 | } else { |
1165 | debug2("Initial X11 packet contains bad byte order byte: 0x%x",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1166 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "Initial X11 packet contains bad byte order byte: 0x%x" , ucp[0]) |
1166 | ucp[0])sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1166 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "Initial X11 packet contains bad byte order byte: 0x%x" , ucp[0]); |
1167 | return -1; |
1168 | } |
1169 | |
1170 | /* Check if the whole packet is in buffer. */ |
1171 | if (sshbuf_len(b) < |
1172 | 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) |
1173 | return 0; |
1174 | |
1175 | /* Check if authentication protocol matches. */ |
1176 | if (proto_len != strlen(sc->x11_saved_proto) || |
1177 | memcmp(ucp + 12, sc->x11_saved_proto, proto_len) != 0) { |
1178 | debug2("X11 connection uses different authentication protocol.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1178 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "X11 connection uses different authentication protocol." ); |
1179 | return -1; |
1180 | } |
1181 | /* Check if authentication data matches our fake data. */ |
1182 | if (data_len != sc->x11_fake_data_len || |
1183 | timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3), |
1184 | sc->x11_fake_data, sc->x11_fake_data_len) != 0) { |
1185 | debug2("X11 auth data does not match fake data.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1185 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "X11 auth data does not match fake data." ); |
1186 | return -1; |
1187 | } |
1188 | /* Check fake data length */ |
1189 | if (sc->x11_fake_data_len != sc->x11_saved_data_len) { |
1190 | error("X11 fake_data_len %d != saved_data_len %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1191 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "X11 fake_data_len %d != saved_data_len %d" , sc->x11_fake_data_len, sc->x11_saved_data_len) |
1191 | sc->x11_fake_data_len, sc->x11_saved_data_len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1191 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "X11 fake_data_len %d != saved_data_len %d" , sc->x11_fake_data_len, sc->x11_saved_data_len); |
1192 | return -1; |
1193 | } |
1194 | /* |
1195 | * Received authentication protocol and data match |
1196 | * our fake data. Substitute the fake data with real |
1197 | * data. |
1198 | */ |
1199 | memcpy(ucp + 12 + ((proto_len + 3) & ~3), |
1200 | sc->x11_saved_data, sc->x11_saved_data_len); |
1201 | return 1; |
1202 | } |
1203 | |
1204 | static void |
1205 | channel_pre_x11_open(struct ssh *ssh, Channel *c) |
1206 | { |
1207 | int ret = x11_open_helper(ssh, c->output); |
1208 | |
1209 | /* c->force_drain = 1; */ |
1210 | |
1211 | if (ret == 1) { |
1212 | c->type = SSH_CHANNEL_OPEN4; |
1213 | channel_pre_open(ssh, c); |
1214 | } else if (ret == -1) { |
1215 | logit("X11 connection rejected because of wrong authentication.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1215 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "X11 connection rejected because of wrong authentication." ); |
1216 | debug2("X11 rejected %d i%d/o%d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1217 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "X11 rejected %d i%d/o%d" , c->self, c->istate, c->ostate) |
1217 | c->self, c->istate, c->ostate)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1217 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "X11 rejected %d i%d/o%d" , c->self, c->istate, c->ostate); |
1218 | chan_read_failed(ssh, c); |
1219 | sshbuf_reset(c->input); |
1220 | chan_ibuf_empty(ssh, c); |
1221 | sshbuf_reset(c->output); |
1222 | chan_write_failed(ssh, c); |
1223 | debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1223 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "X11 closed %d i%d/o%d" , c->self, c->istate, c->ostate); |
1224 | } |
1225 | } |
1226 | |
1227 | static void |
1228 | channel_pre_mux_client(struct ssh *ssh, Channel *c) |
1229 | { |
1230 | c->io_want = 0; |
1231 | if (c->istate == CHAN_INPUT_OPEN0 && !c->mux_pause && |
1232 | sshbuf_check_reserve(c->input, CHAN_RBUF(16*1024)) == 0) |
1233 | c->io_want |= SSH_CHAN_IO_RFD0x01; |
1234 | if (c->istate == CHAN_INPUT_WAIT_DRAIN1) { |
1235 | /* clear buffer immediately (discard any partial packet) */ |
1236 | sshbuf_reset(c->input); |
1237 | chan_ibuf_empty(ssh, c); |
1238 | /* Start output drain. XXX just kill chan? */ |
1239 | chan_rcvd_oclose(ssh, c); |
1240 | } |
1241 | if (c->ostate == CHAN_OUTPUT_OPEN0 || |
1242 | c->ostate == CHAN_OUTPUT_WAIT_DRAIN1) { |
1243 | if (sshbuf_len(c->output) > 0) |
1244 | c->io_want |= SSH_CHAN_IO_WFD0x02; |
1245 | else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN1) |
1246 | chan_obuf_empty(ssh, c); |
1247 | } |
1248 | } |
1249 | |
1250 | /* try to decode a socks4 header */ |
1251 | static int |
1252 | channel_decode_socks4(Channel *c, struct sshbuf *input, struct sshbuf *output) |
1253 | { |
1254 | const u_char *p; |
1255 | char *host; |
1256 | u_int len, have, i, found, need; |
1257 | char username[256]; |
1258 | struct { |
1259 | u_int8_t version; |
1260 | u_int8_t command; |
1261 | u_int16_t dest_port; |
1262 | struct in_addr dest_addr; |
1263 | } s4_req, s4_rsp; |
1264 | int r; |
1265 | |
1266 | debug2("channel %d: decode socks4", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1266 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: decode socks4" , c->self); |
1267 | |
1268 | have = sshbuf_len(input); |
1269 | len = sizeof(s4_req); |
1270 | if (have < len) |
1271 | return 0; |
1272 | p = sshbuf_ptr(input); |
1273 | |
1274 | need = 1; |
1275 | /* SOCKS4A uses an invalid IP address 0.0.0.x */ |
1276 | if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) { |
1277 | debug2("channel %d: socks4a request", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1277 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: socks4a request" , c->self); |
1278 | /* ... and needs an extra string (the hostname) */ |
1279 | need = 2; |
1280 | } |
1281 | /* Check for terminating NUL on the string(s) */ |
1282 | for (found = 0, i = len; i < have; i++) { |
1283 | if (p[i] == '\0') { |
1284 | found++; |
1285 | if (found == need) |
1286 | break; |
1287 | } |
1288 | if (i > 1024) { |
1289 | /* the peer is probably sending garbage */ |
1290 | debug("channel %d: decode socks4: too long",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1291 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: decode socks4: too long" , c->self) |
1291 | c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1291 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: decode socks4: too long" , c->self); |
1292 | return -1; |
1293 | } |
1294 | } |
1295 | if (found < need) |
1296 | return 0; |
1297 | if ((r = sshbuf_get(input, &s4_req.version, 1)) != 0 || |
1298 | (r = sshbuf_get(input, &s4_req.command, 1)) != 0 || |
1299 | (r = sshbuf_get(input, &s4_req.dest_port, 2)) != 0 || |
1300 | (r = sshbuf_get(input, &s4_req.dest_addr, 4)) != 0) { |
1301 | debug_r(r, "channels %d: decode socks4", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1301 , 0, SYSLOG_LEVEL_DEBUG1, ssh_err(r), "channels %d: decode socks4" , c->self); |
1302 | return -1; |
1303 | } |
1304 | have = sshbuf_len(input); |
1305 | p = sshbuf_ptr(input); |
1306 | if (memchr(p, '\0', have) == NULL((void *)0)) { |
1307 | error("channel %d: decode socks4: unterminated user", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1307 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: decode socks4: unterminated user" , c->self); |
1308 | return -1; |
1309 | } |
1310 | len = strlen(p); |
1311 | debug2("channel %d: decode socks4: user %s/%d", c->self, p, len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1311 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: decode socks4: user %s/%d" , c->self, p, len); |
1312 | len++; /* trailing '\0' */ |
1313 | strlcpy(username, p, sizeof(username)); |
1314 | if ((r = sshbuf_consume(input, len)) != 0) |
1315 | fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1315 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self); |
1316 | free(c->path); |
1317 | c->path = NULL((void *)0); |
1318 | if (need == 1) { /* SOCKS4: one string */ |
1319 | host = inet_ntoa(s4_req.dest_addr); |
1320 | c->path = xstrdup(host); |
1321 | } else { /* SOCKS4A: two strings */ |
1322 | have = sshbuf_len(input); |
1323 | p = sshbuf_ptr(input); |
1324 | if (memchr(p, '\0', have) == NULL((void *)0)) { |
1325 | error("channel %d: decode socks4a: host not nul "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1326 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: decode socks4a: host not nul " "terminated", c->self) |
1326 | "terminated", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1326 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: decode socks4a: host not nul " "terminated", c->self); |
1327 | return -1; |
1328 | } |
1329 | len = strlen(p); |
1330 | debug2("channel %d: decode socks4a: host %s/%d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1331 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: decode socks4a: host %s/%d" , c->self, p, len) |
1331 | c->self, p, len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1331 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: decode socks4a: host %s/%d" , c->self, p, len); |
1332 | len++; /* trailing '\0' */ |
1333 | if (len > NI_MAXHOST256) { |
1334 | error("channel %d: hostname \"%.100s\" too long",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1335 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: hostname \"%.100s\" too long" , c->self, p) |
1335 | c->self, p)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1335 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: hostname \"%.100s\" too long" , c->self, p); |
1336 | return -1; |
1337 | } |
1338 | c->path = xstrdup(p); |
1339 | if ((r = sshbuf_consume(input, len)) != 0) |
1340 | fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1340 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self); |
1341 | } |
1342 | c->host_port = ntohs(s4_req.dest_port)(__uint16_t)(__builtin_constant_p(s4_req.dest_port) ? (__uint16_t )(((__uint16_t)(s4_req.dest_port) & 0xffU) << 8 | ( (__uint16_t)(s4_req.dest_port) & 0xff00U) >> 8) : __swap16md (s4_req.dest_port)); |
1343 | |
1344 | debug2("channel %d: dynamic request: socks4 host %s port %u command %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1345 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: dynamic request: socks4 host %s port %u command %u" , c->self, c->path, c->host_port, s4_req.command) |
1345 | c->self, c->path, c->host_port, s4_req.command)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1345 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: dynamic request: socks4 host %s port %u command %u" , c->self, c->path, c->host_port, s4_req.command); |
1346 | |
1347 | if (s4_req.command != 1) { |
1348 | debug("channel %d: cannot handle: %s cn %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1349 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: cannot handle: %s cn %d" , c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command ) |
1349 | c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1349 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: cannot handle: %s cn %d" , c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command ); |
1350 | return -1; |
1351 | } |
1352 | s4_rsp.version = 0; /* vn: 0 for reply */ |
1353 | s4_rsp.command = 90; /* cd: req granted */ |
1354 | s4_rsp.dest_port = 0; /* ignored */ |
1355 | s4_rsp.dest_addr.s_addr = INADDR_ANY((u_int32_t)(0x00000000)); /* ignored */ |
1356 | if ((r = sshbuf_put(output, &s4_rsp, sizeof(s4_rsp))) != 0) |
1357 | fatal_fr(r, "channel %d: append reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1357 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: append reply" , c->self); |
1358 | return 1; |
1359 | } |
1360 | |
1361 | /* try to decode a socks5 header */ |
1362 | #define SSH_SOCKS5_AUTHDONE0x1000 0x1000 |
1363 | #define SSH_SOCKS5_NOAUTH0x00 0x00 |
1364 | #define SSH_SOCKS5_IPV40x01 0x01 |
1365 | #define SSH_SOCKS5_DOMAIN0x03 0x03 |
1366 | #define SSH_SOCKS5_IPV60x04 0x04 |
1367 | #define SSH_SOCKS5_CONNECT0x01 0x01 |
1368 | #define SSH_SOCKS5_SUCCESS0x00 0x00 |
1369 | |
1370 | static int |
1371 | channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output) |
1372 | { |
1373 | /* XXX use get/put_u8 instead of trusting struct padding */ |
1374 | struct { |
1375 | u_int8_t version; |
1376 | u_int8_t command; |
1377 | u_int8_t reserved; |
1378 | u_int8_t atyp; |
1379 | } s5_req, s5_rsp; |
1380 | u_int16_t dest_port; |
1381 | char dest_addr[255+1], ntop[INET6_ADDRSTRLEN46]; |
1382 | const u_char *p; |
1383 | u_int have, need, i, found, nmethods, addrlen, af; |
1384 | int r; |
1385 | |
1386 | debug2("channel %d: decode socks5", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1386 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: decode socks5" , c->self); |
1387 | p = sshbuf_ptr(input); |
1388 | if (p[0] != 0x05) |
1389 | return -1; |
1390 | have = sshbuf_len(input); |
1391 | if (!(c->flags & SSH_SOCKS5_AUTHDONE0x1000)) { |
1392 | /* format: ver | nmethods | methods */ |
1393 | if (have < 2) |
1394 | return 0; |
1395 | nmethods = p[1]; |
1396 | if (have < nmethods + 2) |
1397 | return 0; |
1398 | /* look for method: "NO AUTHENTICATION REQUIRED" */ |
1399 | for (found = 0, i = 2; i < nmethods + 2; i++) { |
1400 | if (p[i] == SSH_SOCKS5_NOAUTH0x00) { |
1401 | found = 1; |
1402 | break; |
1403 | } |
1404 | } |
1405 | if (!found) { |
1406 | debug("channel %d: method SSH_SOCKS5_NOAUTH not found",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1407 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: method SSH_SOCKS5_NOAUTH not found" , c->self) |
1407 | c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1407 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: method SSH_SOCKS5_NOAUTH not found" , c->self); |
1408 | return -1; |
1409 | } |
1410 | if ((r = sshbuf_consume(input, nmethods + 2)) != 0) |
1411 | fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1411 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self); |
1412 | /* version, method */ |
1413 | if ((r = sshbuf_put_u8(output, 0x05)) != 0 || |
1414 | (r = sshbuf_put_u8(output, SSH_SOCKS5_NOAUTH0x00)) != 0) |
1415 | fatal_fr(r, "channel %d: append reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1415 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: append reply" , c->self); |
1416 | c->flags |= SSH_SOCKS5_AUTHDONE0x1000; |
1417 | debug2("channel %d: socks5 auth done", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1417 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: socks5 auth done" , c->self); |
1418 | return 0; /* need more */ |
1419 | } |
1420 | debug2("channel %d: socks5 post auth", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1420 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: socks5 post auth" , c->self); |
1421 | if (have < sizeof(s5_req)+1) |
1422 | return 0; /* need more */ |
1423 | memcpy(&s5_req, p, sizeof(s5_req)); |
1424 | if (s5_req.version != 0x05 || |
1425 | s5_req.command != SSH_SOCKS5_CONNECT0x01 || |
1426 | s5_req.reserved != 0x00) { |
1427 | debug2("channel %d: only socks5 connect supported", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1427 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: only socks5 connect supported" , c->self); |
1428 | return -1; |
1429 | } |
1430 | switch (s5_req.atyp){ |
1431 | case SSH_SOCKS5_IPV40x01: |
1432 | addrlen = 4; |
1433 | af = AF_INET2; |
1434 | break; |
1435 | case SSH_SOCKS5_DOMAIN0x03: |
1436 | addrlen = p[sizeof(s5_req)]; |
1437 | af = -1; |
1438 | break; |
1439 | case SSH_SOCKS5_IPV60x04: |
1440 | addrlen = 16; |
1441 | af = AF_INET624; |
1442 | break; |
1443 | default: |
1444 | debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1444 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: bad socks5 atyp %d" , c->self, s5_req.atyp); |
1445 | return -1; |
1446 | } |
1447 | need = sizeof(s5_req) + addrlen + 2; |
1448 | if (s5_req.atyp == SSH_SOCKS5_DOMAIN0x03) |
1449 | need++; |
1450 | if (have < need) |
1451 | return 0; |
1452 | if ((r = sshbuf_consume(input, sizeof(s5_req))) != 0) |
1453 | fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1453 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self); |
1454 | if (s5_req.atyp == SSH_SOCKS5_DOMAIN0x03) { |
1455 | /* host string length */ |
1456 | if ((r = sshbuf_consume(input, 1)) != 0) |
1457 | fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1457 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self); |
1458 | } |
1459 | if ((r = sshbuf_get(input, &dest_addr, addrlen)) != 0 || |
1460 | (r = sshbuf_get(input, &dest_port, 2)) != 0) { |
1461 | debug_r(r, "channel %d: parse addr/port", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1461 , 0, SYSLOG_LEVEL_DEBUG1, ssh_err(r), "channel %d: parse addr/port" , c->self); |
1462 | return -1; |
1463 | } |
1464 | dest_addr[addrlen] = '\0'; |
1465 | free(c->path); |
1466 | c->path = NULL((void *)0); |
1467 | if (s5_req.atyp == SSH_SOCKS5_DOMAIN0x03) { |
1468 | if (addrlen >= NI_MAXHOST256) { |
1469 | error("channel %d: dynamic request: socks5 hostname "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1470 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: dynamic request: socks5 hostname " "\"%.100s\" too long", c->self, dest_addr) |
1470 | "\"%.100s\" too long", c->self, dest_addr)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1470 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: dynamic request: socks5 hostname " "\"%.100s\" too long", c->self, dest_addr); |
1471 | return -1; |
1472 | } |
1473 | c->path = xstrdup(dest_addr); |
1474 | } else { |
1475 | if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL((void *)0)) |
1476 | return -1; |
1477 | c->path = xstrdup(ntop); |
1478 | } |
1479 | c->host_port = ntohs(dest_port)(__uint16_t)(__builtin_constant_p(dest_port) ? (__uint16_t)(( (__uint16_t)(dest_port) & 0xffU) << 8 | ((__uint16_t )(dest_port) & 0xff00U) >> 8) : __swap16md(dest_port )); |
1480 | |
1481 | debug2("channel %d: dynamic request: socks5 host %s port %u command %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1482 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: dynamic request: socks5 host %s port %u command %u" , c->self, c->path, c->host_port, s5_req.command) |
1482 | c->self, c->path, c->host_port, s5_req.command)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1482 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: dynamic request: socks5 host %s port %u command %u" , c->self, c->path, c->host_port, s5_req.command); |
1483 | |
1484 | s5_rsp.version = 0x05; |
1485 | s5_rsp.command = SSH_SOCKS5_SUCCESS0x00; |
1486 | s5_rsp.reserved = 0; /* ignored */ |
1487 | s5_rsp.atyp = SSH_SOCKS5_IPV40x01; |
1488 | dest_port = 0; /* ignored */ |
1489 | |
1490 | if ((r = sshbuf_put(output, &s5_rsp, sizeof(s5_rsp))) != 0 || |
1491 | (r = sshbuf_put_u32(output, ntohl(INADDR_ANY)(__uint32_t)(__builtin_constant_p(((u_int32_t)(0x00000000))) ? (__uint32_t)(((__uint32_t)(((u_int32_t)(0x00000000))) & 0xff ) << 24 | ((__uint32_t)(((u_int32_t)(0x00000000))) & 0xff00) << 8 | ((__uint32_t)(((u_int32_t)(0x00000000)) ) & 0xff0000) >> 8 | ((__uint32_t)(((u_int32_t)(0x00000000 ))) & 0xff000000) >> 24) : __swap32md(((u_int32_t)( 0x00000000)))))) != 0 || |
1492 | (r = sshbuf_put(output, &dest_port, sizeof(dest_port))) != 0) |
1493 | fatal_fr(r, "channel %d: append reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1493 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: append reply" , c->self); |
1494 | return 1; |
1495 | } |
1496 | |
1497 | Channel * |
1498 | channel_connect_stdio_fwd(struct ssh *ssh, |
1499 | const char *host_to_connect, u_short port_to_connect, |
1500 | int in, int out, int nonblock) |
1501 | { |
1502 | Channel *c; |
1503 | |
1504 | debug_f("%s:%d", host_to_connect, port_to_connect)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1504 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s:%d", host_to_connect , port_to_connect); |
1505 | |
1506 | c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING3, in, out, |
1507 | -1, CHAN_TCP_WINDOW_DEFAULT(64*(32*1024)), CHAN_TCP_PACKET_DEFAULT(32*1024), |
1508 | 0, "stdio-forward", nonblock); |
1509 | |
1510 | c->path = xstrdup(host_to_connect); |
1511 | c->host_port = port_to_connect; |
1512 | c->listening_port = 0; |
1513 | c->force_drain = 1; |
1514 | |
1515 | channel_register_fds(ssh, c, in, out, -1, 0, 1, 0); |
1516 | port_open_helper(ssh, c, "direct-tcpip"); |
1517 | |
1518 | return c; |
1519 | } |
1520 | |
1521 | /* dynamic port forwarding */ |
1522 | static void |
1523 | channel_pre_dynamic(struct ssh *ssh, Channel *c) |
1524 | { |
1525 | const u_char *p; |
1526 | u_int have; |
1527 | int ret; |
1528 | |
1529 | c->io_want = 0; |
1530 | have = sshbuf_len(c->input); |
1531 | debug2("channel %d: pre_dynamic: have %d", c->self, have)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1531 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: pre_dynamic: have %d" , c->self, have); |
1532 | /* sshbuf_dump(c->input, stderr); */ |
1533 | /* check if the fixed size part of the packet is in buffer. */ |
1534 | if (have < 3) { |
1535 | /* need more */ |
1536 | c->io_want |= SSH_CHAN_IO_RFD0x01; |
1537 | return; |
1538 | } |
1539 | /* try to guess the protocol */ |
1540 | p = sshbuf_ptr(c->input); |
1541 | /* XXX sshbuf_peek_u8? */ |
1542 | switch (p[0]) { |
1543 | case 0x04: |
1544 | ret = channel_decode_socks4(c, c->input, c->output); |
1545 | break; |
1546 | case 0x05: |
1547 | ret = channel_decode_socks5(c, c->input, c->output); |
1548 | break; |
1549 | default: |
1550 | ret = -1; |
1551 | break; |
1552 | } |
1553 | if (ret < 0) { |
1554 | chan_mark_dead(ssh, c); |
1555 | } else if (ret == 0) { |
1556 | debug2("channel %d: pre_dynamic: need more", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1556 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: pre_dynamic: need more" , c->self); |
1557 | /* need more */ |
1558 | c->io_want |= SSH_CHAN_IO_RFD0x01; |
1559 | if (sshbuf_len(c->output)) |
1560 | c->io_want |= SSH_CHAN_IO_WFD0x02; |
1561 | } else { |
1562 | /* switch to the next state */ |
1563 | c->type = SSH_CHANNEL_OPENING3; |
1564 | port_open_helper(ssh, c, "direct-tcpip"); |
1565 | } |
1566 | } |
1567 | |
1568 | /* simulate read-error */ |
1569 | static void |
1570 | rdynamic_close(struct ssh *ssh, Channel *c) |
1571 | { |
1572 | c->type = SSH_CHANNEL_OPEN4; |
1573 | chan_read_failed(ssh, c); |
1574 | sshbuf_reset(c->input); |
1575 | chan_ibuf_empty(ssh, c); |
1576 | sshbuf_reset(c->output); |
1577 | chan_write_failed(ssh, c); |
1578 | } |
1579 | |
1580 | /* reverse dynamic port forwarding */ |
1581 | static void |
1582 | channel_before_prepare_io_rdynamic(struct ssh *ssh, Channel *c) |
1583 | { |
1584 | const u_char *p; |
1585 | u_int have, len; |
1586 | int r, ret; |
1587 | |
1588 | have = sshbuf_len(c->output); |
1589 | debug2("channel %d: pre_rdynamic: have %d", c->self, have)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1589 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: pre_rdynamic: have %d" , c->self, have); |
1590 | /* sshbuf_dump(c->output, stderr); */ |
1591 | /* EOF received */ |
1592 | if (c->flags & CHAN_EOF_RCVD0x08) { |
1593 | if ((r = sshbuf_consume(c->output, have)) != 0) |
1594 | fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1594 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self); |
1595 | rdynamic_close(ssh, c); |
1596 | return; |
1597 | } |
1598 | /* check if the fixed size part of the packet is in buffer. */ |
1599 | if (have < 3) |
1600 | return; |
1601 | /* try to guess the protocol */ |
1602 | p = sshbuf_ptr(c->output); |
1603 | switch (p[0]) { |
1604 | case 0x04: |
1605 | /* switch input/output for reverse forwarding */ |
1606 | ret = channel_decode_socks4(c, c->output, c->input); |
1607 | break; |
1608 | case 0x05: |
1609 | ret = channel_decode_socks5(c, c->output, c->input); |
1610 | break; |
1611 | default: |
1612 | ret = -1; |
1613 | break; |
1614 | } |
1615 | if (ret < 0) { |
1616 | rdynamic_close(ssh, c); |
1617 | } else if (ret == 0) { |
1618 | debug2("channel %d: pre_rdynamic: need more", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1618 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: pre_rdynamic: need more" , c->self); |
1619 | /* send socks request to peer */ |
1620 | len = sshbuf_len(c->input); |
1621 | if (len > 0 && len < c->remote_window) { |
1622 | if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA94)) != 0 || |
1623 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
1624 | (r = sshpkt_put_stringb(ssh, c->input)) != 0 || |
1625 | (r = sshpkt_send(ssh)) != 0) { |
1626 | fatal_fr(r, "channel %i: rdynamic", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1626 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: rdynamic", c ->self); |
1627 | } |
1628 | if ((r = sshbuf_consume(c->input, len)) != 0) |
1629 | fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1629 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self); |
1630 | c->remote_window -= len; |
1631 | } |
1632 | } else if (rdynamic_connect_finish(ssh, c) < 0) { |
1633 | /* the connect failed */ |
1634 | rdynamic_close(ssh, c); |
1635 | } |
1636 | } |
1637 | |
1638 | /* This is our fake X11 server socket. */ |
1639 | static void |
1640 | channel_post_x11_listener(struct ssh *ssh, Channel *c) |
1641 | { |
1642 | Channel *nc; |
1643 | struct sockaddr_storage addr; |
1644 | int r, newsock, oerrno, remote_port; |
1645 | socklen_t addrlen; |
1646 | char buf[16384], *remote_ipaddr; |
1647 | |
1648 | if ((c->io_ready & SSH_CHAN_IO_SOCK_R0x10) == 0) |
1649 | return; |
1650 | |
1651 | debug("X11 connection requested.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1651 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "X11 connection requested." ); |
1652 | addrlen = sizeof(addr); |
1653 | newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); |
1654 | if (c->single_connection) { |
1655 | oerrno = errno(*__errno()); |
1656 | debug2("single_connection: closing X11 listener.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1656 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "single_connection: closing X11 listener." ); |
1657 | channel_close_fd(ssh, c, &c->sock); |
1658 | chan_mark_dead(ssh, c); |
1659 | errno(*__errno()) = oerrno; |
1660 | } |
1661 | if (newsock == -1) { |
1662 | if (errno(*__errno()) != EINTR4 && errno(*__errno()) != EWOULDBLOCK35 && |
1663 | errno(*__errno()) != ECONNABORTED53) |
1664 | error("accept: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1664 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "accept: %.100s", strerror ((*__errno()))); |
1665 | if (errno(*__errno()) == EMFILE24 || errno(*__errno()) == ENFILE23) |
1666 | c->notbefore = monotime() + 1; |
1667 | return; |
1668 | } |
1669 | set_nodelay(newsock); |
1670 | remote_ipaddr = get_peer_ipaddr(newsock); |
1671 | remote_port = get_peer_port(newsock); |
1672 | snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", |
1673 | remote_ipaddr, remote_port); |
1674 | |
1675 | nc = channel_new(ssh, "accepted x11 socket", |
1676 | SSH_CHANNEL_OPENING3, newsock, newsock, -1, |
1677 | c->local_window_max, c->local_maxpacket, 0, buf, 1); |
1678 | open_preamble(ssh, __func__, nc, "x11"); |
1679 | if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 || |
1680 | (r = sshpkt_put_u32(ssh, remote_port)) != 0) { |
1681 | fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1681 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self); |
1682 | } |
1683 | if ((r = sshpkt_send(ssh)) != 0) |
1684 | fatal_fr(r, "channel %i: send", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1684 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: send", c-> self); |
1685 | free(remote_ipaddr); |
1686 | } |
1687 | |
1688 | static void |
1689 | port_open_helper(struct ssh *ssh, Channel *c, char *rtype) |
1690 | { |
1691 | char *local_ipaddr = get_local_ipaddr(c->sock); |
1692 | int local_port = c->sock == -1 ? 65536 : get_local_port(c->sock); |
1693 | char *remote_ipaddr = get_peer_ipaddr(c->sock); |
1694 | int remote_port = get_peer_port(c->sock); |
1695 | int r; |
1696 | |
1697 | if (remote_port == -1) { |
1698 | /* Fake addr/port to appease peers that validate it (Tectia) */ |
1699 | free(remote_ipaddr); |
1700 | remote_ipaddr = xstrdup("127.0.0.1"); |
1701 | remote_port = 65535; |
1702 | } |
1703 | |
1704 | free(c->remote_name); |
1705 | xasprintf(&c->remote_name, |
1706 | "%s: listening port %d for %.100s port %d, " |
1707 | "connect from %.200s port %d to %.100s port %d", |
1708 | rtype, c->listening_port, c->path, c->host_port, |
1709 | remote_ipaddr, remote_port, local_ipaddr, local_port); |
1710 | |
1711 | open_preamble(ssh, __func__, c, rtype); |
1712 | if (strcmp(rtype, "direct-tcpip") == 0) { |
1713 | /* target host, port */ |
1714 | if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 || |
1715 | (r = sshpkt_put_u32(ssh, c->host_port)) != 0) |
1716 | fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1716 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self); |
1717 | } else if (strcmp(rtype, "direct-streamlocal@openssh.com") == 0) { |
1718 | /* target path */ |
1719 | if ((r = sshpkt_put_cstring(ssh, c->path)) != 0) |
1720 | fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1720 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self); |
1721 | } else if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) { |
1722 | /* listen path */ |
1723 | if ((r = sshpkt_put_cstring(ssh, c->path)) != 0) |
1724 | fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1724 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self); |
1725 | } else { |
1726 | /* listen address, port */ |
1727 | if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 || |
1728 | (r = sshpkt_put_u32(ssh, local_port)) != 0) |
1729 | fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1729 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self); |
1730 | } |
1731 | if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) { |
1732 | /* reserved for future owner/mode info */ |
1733 | if ((r = sshpkt_put_cstring(ssh, "")) != 0) |
1734 | fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1734 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self); |
1735 | } else { |
1736 | /* originator host and port */ |
1737 | if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 || |
1738 | (r = sshpkt_put_u32(ssh, (u_int)remote_port)) != 0) |
1739 | fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1739 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self); |
1740 | } |
1741 | if ((r = sshpkt_send(ssh)) != 0) |
1742 | fatal_fr(r, "channel %i: send", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1742 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: send", c-> self); |
1743 | free(remote_ipaddr); |
1744 | free(local_ipaddr); |
1745 | } |
1746 | |
1747 | void |
1748 | channel_set_x11_refuse_time(struct ssh *ssh, u_int refuse_time) |
1749 | { |
1750 | ssh->chanctxt->x11_refuse_time = refuse_time; |
1751 | } |
1752 | |
1753 | /* |
1754 | * This socket is listening for connections to a forwarded TCP/IP port. |
1755 | */ |
1756 | static void |
1757 | channel_post_port_listener(struct ssh *ssh, Channel *c) |
1758 | { |
1759 | Channel *nc; |
1760 | struct sockaddr_storage addr; |
1761 | int newsock, nextstate; |
1762 | socklen_t addrlen; |
1763 | char *rtype; |
1764 | |
1765 | if ((c->io_ready & SSH_CHAN_IO_SOCK_R0x10) == 0) |
1766 | return; |
1767 | |
1768 | debug("Connection to port %d forwarding to %.100s port %d requested.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1769 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Connection to port %d forwarding to %.100s port %d requested." , c->listening_port, c->path, c->host_port) |
1769 | c->listening_port, c->path, c->host_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1769 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Connection to port %d forwarding to %.100s port %d requested." , c->listening_port, c->path, c->host_port); |
1770 | |
1771 | if (c->type == SSH_CHANNEL_RPORT_LISTENER11) { |
1772 | nextstate = SSH_CHANNEL_OPENING3; |
1773 | rtype = "forwarded-tcpip"; |
1774 | } else if (c->type == SSH_CHANNEL_RUNIX_LISTENER19) { |
1775 | nextstate = SSH_CHANNEL_OPENING3; |
1776 | rtype = "forwarded-streamlocal@openssh.com"; |
1777 | } else if (c->host_port == PORT_STREAMLOCAL-2) { |
1778 | nextstate = SSH_CHANNEL_OPENING3; |
1779 | rtype = "direct-streamlocal@openssh.com"; |
1780 | } else if (c->host_port == 0) { |
1781 | nextstate = SSH_CHANNEL_DYNAMIC13; |
1782 | rtype = "dynamic-tcpip"; |
1783 | } else { |
1784 | nextstate = SSH_CHANNEL_OPENING3; |
1785 | rtype = "direct-tcpip"; |
1786 | } |
1787 | |
1788 | addrlen = sizeof(addr); |
1789 | newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); |
1790 | if (newsock == -1) { |
1791 | if (errno(*__errno()) != EINTR4 && errno(*__errno()) != EWOULDBLOCK35 && |
1792 | errno(*__errno()) != ECONNABORTED53) |
1793 | error("accept: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1793 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "accept: %.100s", strerror ((*__errno()))); |
1794 | if (errno(*__errno()) == EMFILE24 || errno(*__errno()) == ENFILE23) |
1795 | c->notbefore = monotime() + 1; |
1796 | return; |
1797 | } |
1798 | if (c->host_port != PORT_STREAMLOCAL-2) |
1799 | set_nodelay(newsock); |
1800 | nc = channel_new(ssh, rtype, nextstate, newsock, newsock, -1, |
1801 | c->local_window_max, c->local_maxpacket, 0, rtype, 1); |
1802 | nc->listening_port = c->listening_port; |
1803 | nc->host_port = c->host_port; |
1804 | if (c->path != NULL((void *)0)) |
1805 | nc->path = xstrdup(c->path); |
1806 | |
1807 | if (nextstate != SSH_CHANNEL_DYNAMIC13) |
1808 | port_open_helper(ssh, nc, rtype); |
1809 | } |
1810 | |
1811 | /* |
1812 | * This is the authentication agent socket listening for connections from |
1813 | * clients. |
1814 | */ |
1815 | static void |
1816 | channel_post_auth_listener(struct ssh *ssh, Channel *c) |
1817 | { |
1818 | Channel *nc; |
1819 | int r, newsock; |
1820 | struct sockaddr_storage addr; |
1821 | socklen_t addrlen; |
1822 | |
1823 | if ((c->io_ready & SSH_CHAN_IO_SOCK_R0x10) == 0) |
1824 | return; |
1825 | |
1826 | addrlen = sizeof(addr); |
1827 | newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); |
1828 | if (newsock == -1) { |
1829 | error("accept from auth socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1829 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "accept from auth socket: %.100s" , strerror((*__errno()))); |
1830 | if (errno(*__errno()) == EMFILE24 || errno(*__errno()) == ENFILE23) |
1831 | c->notbefore = monotime() + 1; |
1832 | return; |
1833 | } |
1834 | nc = channel_new(ssh, "accepted auth socket", |
1835 | SSH_CHANNEL_OPENING3, newsock, newsock, -1, |
1836 | c->local_window_max, c->local_maxpacket, |
1837 | 0, "accepted auth socket", 1); |
1838 | open_preamble(ssh, __func__, nc, "auth-agent@openssh.com"); |
1839 | if ((r = sshpkt_send(ssh)) != 0) |
1840 | fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1840 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self ); |
1841 | } |
1842 | |
1843 | static void |
1844 | channel_post_connecting(struct ssh *ssh, Channel *c) |
1845 | { |
1846 | int err = 0, sock, isopen, r; |
1847 | socklen_t sz = sizeof(err); |
1848 | |
1849 | if ((c->io_ready & SSH_CHAN_IO_SOCK_W0x20) == 0) |
1850 | return; |
1851 | if (!c->have_remote_id) |
1852 | fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1852 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self); |
1853 | /* for rdynamic the OPEN_CONFIRMATION has been sent already */ |
1854 | isopen = (c->type == SSH_CHANNEL_RDYNAMIC_FINISH22); |
1855 | if (getsockopt(c->sock, SOL_SOCKET0xffff, SO_ERROR0x1007, &err, &sz) == -1) { |
1856 | err = errno(*__errno()); |
1857 | error("getsockopt SO_ERROR failed")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1857 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "getsockopt SO_ERROR failed" ); |
1858 | } |
1859 | if (err == 0) { |
1860 | debug("channel %d: connected to %s port %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1861 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: connected to %s port %d" , c->self, c->connect_ctx.host, c->connect_ctx.port) |
1861 | c->self, c->connect_ctx.host, c->connect_ctx.port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1861 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: connected to %s port %d" , c->self, c->connect_ctx.host, c->connect_ctx.port); |
1862 | channel_connect_ctx_free(&c->connect_ctx); |
1863 | c->type = SSH_CHANNEL_OPEN4; |
1864 | if (isopen) { |
1865 | /* no message necessary */ |
1866 | } else { |
1867 | if ((r = sshpkt_start(ssh, |
1868 | SSH2_MSG_CHANNEL_OPEN_CONFIRMATION91)) != 0 || |
1869 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
1870 | (r = sshpkt_put_u32(ssh, c->self)) != 0 || |
1871 | (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || |
1872 | (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0 || |
1873 | (r = sshpkt_send(ssh)) != 0) |
1874 | fatal_fr(r, "channel %i open confirm", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1874 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i open confirm" , c->self); |
1875 | } |
1876 | } else { |
1877 | debug("channel %d: connection failed: %s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1878 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: connection failed: %s" , c->self, strerror(err)) |
1878 | c->self, strerror(err))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1878 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: connection failed: %s" , c->self, strerror(err)); |
1879 | /* Try next address, if any */ |
1880 | if ((sock = connect_next(&c->connect_ctx)) > 0) { |
1881 | close(c->sock); |
1882 | c->sock = c->rfd = c->wfd = sock; |
1883 | return; |
1884 | } |
1885 | /* Exhausted all addresses */ |
1886 | error("connect_to %.100s port %d: failed.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1887 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect_to %.100s port %d: failed." , c->connect_ctx.host, c->connect_ctx.port) |
1887 | c->connect_ctx.host, c->connect_ctx.port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1887 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect_to %.100s port %d: failed." , c->connect_ctx.host, c->connect_ctx.port); |
1888 | channel_connect_ctx_free(&c->connect_ctx); |
1889 | if (isopen) { |
1890 | rdynamic_close(ssh, c); |
1891 | } else { |
1892 | if ((r = sshpkt_start(ssh, |
1893 | SSH2_MSG_CHANNEL_OPEN_FAILURE92)) != 0 || |
1894 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
1895 | (r = sshpkt_put_u32(ssh, |
1896 | SSH2_OPEN_CONNECT_FAILED2)) != 0 || |
1897 | (r = sshpkt_put_cstring(ssh, strerror(err))) != 0 || |
1898 | (r = sshpkt_put_cstring(ssh, "")) != 0 || |
1899 | (r = sshpkt_send(ssh)) != 0) |
1900 | fatal_fr(r, "channel %i: failure", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1900 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: failure", c ->self); |
1901 | chan_mark_dead(ssh, c); |
1902 | } |
1903 | } |
1904 | } |
1905 | |
1906 | static int |
1907 | channel_handle_rfd(struct ssh *ssh, Channel *c) |
1908 | { |
1909 | char buf[CHAN_RBUF(16*1024)]; |
1910 | ssize_t len; |
1911 | int r; |
1912 | |
1913 | if ((c->io_ready & SSH_CHAN_IO_RFD0x01) == 0) |
1914 | return 1; |
1915 | |
1916 | len = read(c->rfd, buf, sizeof(buf)); |
1917 | if (len == -1 && (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35)) |
1918 | return 1; |
1919 | if (len <= 0) { |
1920 | debug2("channel %d: read<=0 rfd %d len %zd",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1921 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: read<=0 rfd %d len %zd" , c->self, c->rfd, len) |
1921 | c->self, c->rfd, len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1921 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: read<=0 rfd %d len %zd" , c->self, c->rfd, len); |
1922 | if (c->type != SSH_CHANNEL_OPEN4) { |
1923 | debug2("channel %d: not open", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1923 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: not open" , c->self); |
1924 | chan_mark_dead(ssh, c); |
1925 | return -1; |
1926 | } else { |
1927 | chan_read_failed(ssh, c); |
1928 | } |
1929 | return -1; |
1930 | } |
1931 | if (c->input_filter != NULL((void *)0)) { |
1932 | if (c->input_filter(ssh, c, buf, len) == -1) { |
1933 | debug2("channel %d: filter stops", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1933 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: filter stops" , c->self); |
1934 | chan_read_failed(ssh, c); |
1935 | } |
1936 | } else if (c->datagram) { |
1937 | if ((r = sshbuf_put_string(c->input, buf, len)) != 0) |
1938 | fatal_fr(r, "channel %i: put datagram", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1938 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: put datagram" , c->self); |
1939 | } else if ((r = sshbuf_put(c->input, buf, len)) != 0) |
1940 | fatal_fr(r, "channel %i: put data", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1940 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: put data", c ->self); |
1941 | return 1; |
1942 | } |
1943 | |
1944 | static int |
1945 | channel_handle_wfd(struct ssh *ssh, Channel *c) |
1946 | { |
1947 | struct termios tio; |
1948 | u_char *data = NULL((void *)0), *buf; /* XXX const; need filter API change */ |
1949 | size_t dlen, olen = 0; |
1950 | int r, len; |
1951 | |
1952 | if ((c->io_ready & SSH_CHAN_IO_WFD0x02) == 0) |
1953 | return 1; |
1954 | if (sshbuf_len(c->output) == 0) |
1955 | return 1; |
1956 | |
1957 | /* Send buffered output data to the socket. */ |
1958 | olen = sshbuf_len(c->output); |
1959 | if (c->output_filter != NULL((void *)0)) { |
1960 | if ((buf = c->output_filter(ssh, c, &data, &dlen)) == NULL((void *)0)) { |
1961 | debug2("channel %d: filter stops", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1961 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: filter stops" , c->self); |
1962 | if (c->type != SSH_CHANNEL_OPEN4) |
1963 | chan_mark_dead(ssh, c); |
1964 | else |
1965 | chan_write_failed(ssh, c); |
1966 | return -1; |
1967 | } |
1968 | } else if (c->datagram) { |
1969 | if ((r = sshbuf_get_string(c->output, &data, &dlen)) != 0) |
1970 | fatal_fr(r, "channel %i: get datagram", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1970 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: get datagram" , c->self); |
1971 | buf = data; |
1972 | } else { |
1973 | buf = data = sshbuf_mutable_ptr(c->output); |
1974 | dlen = sshbuf_len(c->output); |
1975 | } |
1976 | |
1977 | if (c->datagram) { |
1978 | /* ignore truncated writes, datagrams might get lost */ |
1979 | len = write(c->wfd, buf, dlen); |
1980 | free(data); |
1981 | if (len == -1 && (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35)) |
1982 | return 1; |
1983 | if (len <= 0) |
1984 | goto write_fail; |
1985 | goto out; |
1986 | } |
1987 | |
1988 | len = write(c->wfd, buf, dlen); |
1989 | if (len == -1 && (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35)) |
1990 | return 1; |
1991 | if (len <= 0) { |
1992 | write_fail: |
1993 | if (c->type != SSH_CHANNEL_OPEN4) { |
1994 | debug2("channel %d: not open", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1994 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: not open" , c->self); |
1995 | chan_mark_dead(ssh, c); |
1996 | return -1; |
1997 | } else { |
1998 | chan_write_failed(ssh, c); |
1999 | } |
2000 | return -1; |
2001 | } |
2002 | if (c->isatty && dlen >= 1 && buf[0] != '\r') { |
2003 | if (tcgetattr(c->wfd, &tio) == 0 && |
2004 | !(tio.c_lflag & ECHO0x00000008) && (tio.c_lflag & ICANON0x00000100)) { |
2005 | /* |
2006 | * Simulate echo to reduce the impact of |
2007 | * traffic analysis. We need to match the |
2008 | * size of a SSH2_MSG_CHANNEL_DATA message |
2009 | * (4 byte channel id + buf) |
2010 | */ |
2011 | if ((r = sshpkt_msg_ignore(ssh, 4+len)) != 0 || |
2012 | (r = sshpkt_send(ssh)) != 0) |
2013 | fatal_fr(r, "channel %i: ignore", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2013 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: ignore", c-> self); |
2014 | } |
2015 | } |
2016 | if ((r = sshbuf_consume(c->output, len)) != 0) |
2017 | fatal_fr(r, "channel %i: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2017 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: consume", c ->self); |
2018 | out: |
2019 | c->local_consumed += olen - sshbuf_len(c->output); |
2020 | |
2021 | return 1; |
2022 | } |
2023 | |
2024 | static int |
2025 | channel_handle_efd_write(struct ssh *ssh, Channel *c) |
2026 | { |
2027 | int r; |
2028 | ssize_t len; |
2029 | |
2030 | if ((c->io_ready & SSH_CHAN_IO_EFD_W0x08) == 0) |
2031 | return 1; |
2032 | if (sshbuf_len(c->extended) == 0) |
2033 | return 1; |
2034 | |
2035 | len = write(c->efd, sshbuf_ptr(c->extended), |
2036 | sshbuf_len(c->extended)); |
2037 | debug2("channel %d: written %zd to efd %d", c->self, len, c->efd)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2037 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: written %zd to efd %d" , c->self, len, c->efd); |
2038 | if (len == -1 && (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35)) |
2039 | return 1; |
2040 | if (len <= 0) { |
2041 | debug2("channel %d: closing write-efd %d", c->self, c->efd)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2041 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: closing write-efd %d" , c->self, c->efd); |
2042 | channel_close_fd(ssh, c, &c->efd); |
2043 | } else { |
2044 | if ((r = sshbuf_consume(c->extended, len)) != 0) |
2045 | fatal_fr(r, "channel %i: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2045 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: consume", c ->self); |
2046 | c->local_consumed += len; |
2047 | } |
2048 | return 1; |
2049 | } |
2050 | |
2051 | static int |
2052 | channel_handle_efd_read(struct ssh *ssh, Channel *c) |
2053 | { |
2054 | char buf[CHAN_RBUF(16*1024)]; |
2055 | int r; |
2056 | ssize_t len; |
2057 | |
2058 | if ((c->io_ready & SSH_CHAN_IO_EFD_R0x04) == 0) |
2059 | return 1; |
2060 | |
2061 | len = read(c->efd, buf, sizeof(buf)); |
2062 | debug2("channel %d: read %zd from efd %d", c->self, len, c->efd)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2062 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: read %zd from efd %d" , c->self, len, c->efd); |
2063 | if (len == -1 && (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35)) |
2064 | return 1; |
2065 | if (len <= 0) { |
2066 | debug2("channel %d: closing read-efd %d", c->self, c->efd)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2066 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: closing read-efd %d" , c->self, c->efd); |
2067 | channel_close_fd(ssh, c, &c->efd); |
2068 | } else if (c->extended_usage == CHAN_EXTENDED_IGNORE0) |
2069 | debug3("channel %d: discard efd", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2069 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: discard efd" , c->self); |
2070 | else if ((r = sshbuf_put(c->extended, buf, len)) != 0) |
2071 | fatal_fr(r, "channel %i: append", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2071 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: append", c-> self); |
2072 | return 1; |
2073 | } |
2074 | |
2075 | static int |
2076 | channel_handle_efd(struct ssh *ssh, Channel *c) |
2077 | { |
2078 | if (c->efd == -1) |
2079 | return 1; |
2080 | |
2081 | /** XXX handle drain efd, too */ |
2082 | |
2083 | if (c->extended_usage == CHAN_EXTENDED_WRITE2) |
2084 | return channel_handle_efd_write(ssh, c); |
2085 | else if (c->extended_usage == CHAN_EXTENDED_READ1 || |
2086 | c->extended_usage == CHAN_EXTENDED_IGNORE0) |
2087 | return channel_handle_efd_read(ssh, c); |
2088 | |
2089 | return 1; |
2090 | } |
2091 | |
2092 | static int |
2093 | channel_check_window(struct ssh *ssh, Channel *c) |
2094 | { |
2095 | int r; |
2096 | |
2097 | if (c->type == SSH_CHANNEL_OPEN4 && |
2098 | !(c->flags & (CHAN_CLOSE_SENT0x01|CHAN_CLOSE_RCVD0x02)) && |
2099 | ((c->local_window_max - c->local_window > |
2100 | c->local_maxpacket*3) || |
2101 | c->local_window < c->local_window_max/2) && |
2102 | c->local_consumed > 0) { |
2103 | if (!c->have_remote_id) |
2104 | fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2104 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self); |
2105 | if ((r = sshpkt_start(ssh, |
2106 | SSH2_MSG_CHANNEL_WINDOW_ADJUST93)) != 0 || |
2107 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
2108 | (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || |
2109 | (r = sshpkt_send(ssh)) != 0) { |
2110 | fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2110 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self ); |
2111 | } |
2112 | debug2("channel %d: window %d sent adjust %d", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2113 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: window %d sent adjust %d" , c->self, c->local_window, c->local_consumed) |
2113 | c->local_window, c->local_consumed)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2113 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: window %d sent adjust %d" , c->self, c->local_window, c->local_consumed); |
2114 | c->local_window += c->local_consumed; |
2115 | c->local_consumed = 0; |
2116 | } |
2117 | return 1; |
2118 | } |
2119 | |
2120 | static void |
2121 | channel_post_open(struct ssh *ssh, Channel *c) |
2122 | { |
2123 | channel_handle_rfd(ssh, c); |
2124 | channel_handle_wfd(ssh, c); |
2125 | channel_handle_efd(ssh, c); |
2126 | channel_check_window(ssh, c); |
2127 | } |
2128 | |
2129 | static u_int |
2130 | read_mux(struct ssh *ssh, Channel *c, u_int need) |
2131 | { |
2132 | char buf[CHAN_RBUF(16*1024)]; |
2133 | ssize_t len; |
2134 | u_int rlen; |
2135 | int r; |
2136 | |
2137 | if (sshbuf_len(c->input) < need) { |
2138 | rlen = need - sshbuf_len(c->input); |
2139 | len = read(c->rfd, buf, MINIMUM(rlen, CHAN_RBUF)(((rlen) < ((16*1024))) ? (rlen) : ((16*1024)))); |
2140 | if (len == -1 && (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35)) |
2141 | return sshbuf_len(c->input); |
2142 | if (len <= 0) { |
2143 | debug2("channel %d: ctl read<=0 rfd %d len %zd",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2144 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: ctl read<=0 rfd %d len %zd" , c->self, c->rfd, len) |
2144 | c->self, c->rfd, len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2144 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: ctl read<=0 rfd %d len %zd" , c->self, c->rfd, len); |
2145 | chan_read_failed(ssh, c); |
2146 | return 0; |
2147 | } else if ((r = sshbuf_put(c->input, buf, len)) != 0) |
2148 | fatal_fr(r, "channel %i: append", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2148 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: append", c-> self); |
2149 | } |
2150 | return sshbuf_len(c->input); |
2151 | } |
2152 | |
2153 | static void |
2154 | channel_post_mux_client_read(struct ssh *ssh, Channel *c) |
2155 | { |
2156 | u_int need; |
2157 | |
2158 | if ((c->io_ready & SSH_CHAN_IO_RFD0x01) == 0) |
2159 | return; |
2160 | if (c->istate != CHAN_INPUT_OPEN0 && c->istate != CHAN_INPUT_WAIT_DRAIN1) |
2161 | return; |
2162 | if (c->mux_pause) |
2163 | return; |
2164 | |
2165 | /* |
2166 | * Don't not read past the precise end of packets to |
2167 | * avoid disrupting fd passing. |
2168 | */ |
2169 | if (read_mux(ssh, c, 4) < 4) /* read header */ |
2170 | return; |
2171 | /* XXX sshbuf_peek_u32 */ |
2172 | need = PEEK_U32(sshbuf_ptr(c->input))(((u_int32_t)(((const u_char *)(sshbuf_ptr(c->input)))[0]) << 24) | ((u_int32_t)(((const u_char *)(sshbuf_ptr(c-> input)))[1]) << 16) | ((u_int32_t)(((const u_char *)(sshbuf_ptr (c->input)))[2]) << 8) | (u_int32_t)(((const u_char * )(sshbuf_ptr(c->input)))[3])); |
2173 | #define CHANNEL_MUX_MAX_PACKET(256 * 1024) (256 * 1024) |
2174 | if (need > CHANNEL_MUX_MAX_PACKET(256 * 1024)) { |
2175 | debug2("channel %d: packet too big %u > %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2176 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: packet too big %u > %u" , c->self, (256 * 1024), need) |
2176 | c->self, CHANNEL_MUX_MAX_PACKET, need)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2176 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: packet too big %u > %u" , c->self, (256 * 1024), need); |
2177 | chan_rcvd_oclose(ssh, c); |
2178 | return; |
2179 | } |
2180 | if (read_mux(ssh, c, need + 4) < need + 4) /* read body */ |
2181 | return; |
2182 | if (c->mux_rcb(ssh, c) != 0) { |
2183 | debug("channel %d: mux_rcb failed", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2183 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: mux_rcb failed" , c->self); |
2184 | chan_mark_dead(ssh, c); |
2185 | return; |
2186 | } |
2187 | } |
2188 | |
2189 | static void |
2190 | channel_post_mux_client_write(struct ssh *ssh, Channel *c) |
2191 | { |
2192 | ssize_t len; |
2193 | int r; |
2194 | |
2195 | if ((c->io_ready & SSH_CHAN_IO_WFD0x02) == 0) |
2196 | return; |
2197 | if (sshbuf_len(c->output) == 0) |
2198 | return; |
2199 | |
2200 | len = write(c->wfd, sshbuf_ptr(c->output), sshbuf_len(c->output)); |
2201 | if (len == -1 && (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35)) |
2202 | return; |
2203 | if (len <= 0) { |
2204 | chan_mark_dead(ssh, c); |
2205 | return; |
2206 | } |
2207 | if ((r = sshbuf_consume(c->output, len)) != 0) |
2208 | fatal_fr(r, "channel %i: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2208 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: consume", c ->self); |
2209 | } |
2210 | |
2211 | static void |
2212 | channel_post_mux_client(struct ssh *ssh, Channel *c) |
2213 | { |
2214 | channel_post_mux_client_read(ssh, c); |
2215 | channel_post_mux_client_write(ssh, c); |
2216 | } |
2217 | |
2218 | static void |
2219 | channel_post_mux_listener(struct ssh *ssh, Channel *c) |
2220 | { |
2221 | Channel *nc; |
2222 | struct sockaddr_storage addr; |
2223 | socklen_t addrlen; |
2224 | int newsock; |
2225 | uid_t euid; |
2226 | gid_t egid; |
2227 | |
2228 | if ((c->io_ready & SSH_CHAN_IO_SOCK_R0x10) == 0) |
2229 | return; |
2230 | |
2231 | debug("multiplexing control connection")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2231 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "multiplexing control connection" ); |
2232 | |
2233 | /* |
2234 | * Accept connection on control socket |
2235 | */ |
2236 | memset(&addr, 0, sizeof(addr)); |
2237 | addrlen = sizeof(addr); |
2238 | if ((newsock = accept(c->sock, (struct sockaddr*)&addr, |
2239 | &addrlen)) == -1) { |
2240 | error_f("accept: %s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2240 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "accept: %s", strerror( (*__errno()))); |
2241 | if (errno(*__errno()) == EMFILE24 || errno(*__errno()) == ENFILE23) |
2242 | c->notbefore = monotime() + 1; |
2243 | return; |
2244 | } |
2245 | |
2246 | if (getpeereid(newsock, &euid, &egid) == -1) { |
2247 | error_f("getpeereid failed: %s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2247 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "getpeereid failed: %s" , strerror((*__errno()))); |
2248 | close(newsock); |
2249 | return; |
2250 | } |
2251 | if ((euid != 0) && (getuid() != euid)) { |
2252 | error("multiplex uid mismatch: peer euid %u != uid %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2253 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "multiplex uid mismatch: peer euid %u != uid %u" , (u_int)euid, (u_int)getuid()) |
2253 | (u_int)euid, (u_int)getuid())sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2253 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "multiplex uid mismatch: peer euid %u != uid %u" , (u_int)euid, (u_int)getuid()); |
2254 | close(newsock); |
2255 | return; |
2256 | } |
2257 | nc = channel_new(ssh, "multiplex client", SSH_CHANNEL_MUX_CLIENT16, |
2258 | newsock, newsock, -1, c->local_window_max, |
2259 | c->local_maxpacket, 0, "mux-control", 1); |
2260 | nc->mux_rcb = c->mux_rcb; |
2261 | debug3_f("new mux channel %d fd %d", nc->self, nc->sock)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2261 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "new mux channel %d fd %d" , nc->self, nc->sock); |
2262 | /* establish state */ |
2263 | nc->mux_rcb(ssh, nc); |
2264 | /* mux state transitions must not elicit protocol messages */ |
2265 | nc->flags |= CHAN_LOCAL0x10; |
2266 | } |
2267 | |
2268 | static void |
2269 | channel_handler_init(struct ssh_channels *sc) |
2270 | { |
2271 | chan_fn **pre, **post; |
2272 | |
2273 | if ((pre = calloc(SSH_CHANNEL_MAX_TYPE23, sizeof(*pre))) == NULL((void *)0) || |
2274 | (post = calloc(SSH_CHANNEL_MAX_TYPE23, sizeof(*post))) == NULL((void *)0)) |
2275 | fatal_f("allocation failed")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2275 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "allocation failed"); |
2276 | |
2277 | pre[SSH_CHANNEL_OPEN4] = &channel_pre_open; |
2278 | pre[SSH_CHANNEL_X11_OPEN7] = &channel_pre_x11_open; |
2279 | pre[SSH_CHANNEL_PORT_LISTENER2] = &channel_pre_listener; |
2280 | pre[SSH_CHANNEL_RPORT_LISTENER11] = &channel_pre_listener; |
2281 | pre[SSH_CHANNEL_UNIX_LISTENER18] = &channel_pre_listener; |
2282 | pre[SSH_CHANNEL_RUNIX_LISTENER19] = &channel_pre_listener; |
2283 | pre[SSH_CHANNEL_X11_LISTENER1] = &channel_pre_listener; |
2284 | pre[SSH_CHANNEL_AUTH_SOCKET6] = &channel_pre_listener; |
2285 | pre[SSH_CHANNEL_CONNECTING12] = &channel_pre_connecting; |
2286 | pre[SSH_CHANNEL_DYNAMIC13] = &channel_pre_dynamic; |
2287 | pre[SSH_CHANNEL_RDYNAMIC_FINISH22] = &channel_pre_connecting; |
2288 | pre[SSH_CHANNEL_MUX_LISTENER15] = &channel_pre_listener; |
2289 | pre[SSH_CHANNEL_MUX_CLIENT16] = &channel_pre_mux_client; |
2290 | |
2291 | post[SSH_CHANNEL_OPEN4] = &channel_post_open; |
2292 | post[SSH_CHANNEL_PORT_LISTENER2] = &channel_post_port_listener; |
2293 | post[SSH_CHANNEL_RPORT_LISTENER11] = &channel_post_port_listener; |
2294 | post[SSH_CHANNEL_UNIX_LISTENER18] = &channel_post_port_listener; |
2295 | post[SSH_CHANNEL_RUNIX_LISTENER19] = &channel_post_port_listener; |
2296 | post[SSH_CHANNEL_X11_LISTENER1] = &channel_post_x11_listener; |
2297 | post[SSH_CHANNEL_AUTH_SOCKET6] = &channel_post_auth_listener; |
2298 | post[SSH_CHANNEL_CONNECTING12] = &channel_post_connecting; |
2299 | post[SSH_CHANNEL_DYNAMIC13] = &channel_post_open; |
2300 | post[SSH_CHANNEL_RDYNAMIC_FINISH22] = &channel_post_connecting; |
2301 | post[SSH_CHANNEL_MUX_LISTENER15] = &channel_post_mux_listener; |
2302 | post[SSH_CHANNEL_MUX_CLIENT16] = &channel_post_mux_client; |
2303 | |
2304 | sc->channel_pre = pre; |
2305 | sc->channel_post = post; |
2306 | } |
2307 | |
2308 | /* gc dead channels */ |
2309 | static void |
2310 | channel_garbage_collect(struct ssh *ssh, Channel *c) |
2311 | { |
2312 | if (c == NULL((void *)0)) |
2313 | return; |
2314 | if (c->detach_user != NULL((void *)0)) { |
2315 | if (!chan_is_dead(ssh, c, c->detach_close)) |
2316 | return; |
2317 | |
2318 | debug2("channel %d: gc: notify user", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2318 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: gc: notify user" , c->self); |
2319 | c->detach_user(ssh, c->self, NULL((void *)0)); |
2320 | /* if we still have a callback */ |
2321 | if (c->detach_user != NULL((void *)0)) |
2322 | return; |
2323 | debug2("channel %d: gc: user detached", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2323 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: gc: user detached" , c->self); |
2324 | } |
2325 | if (!chan_is_dead(ssh, c, 1)) |
2326 | return; |
2327 | debug2("channel %d: garbage collecting", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2327 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: garbage collecting" , c->self); |
2328 | channel_free(ssh, c); |
2329 | } |
2330 | |
2331 | enum channel_table { CHAN_PRE, CHAN_POST }; |
2332 | |
2333 | static void |
2334 | channel_handler(struct ssh *ssh, int table, time_t *unpause_secs) |
2335 | { |
2336 | struct ssh_channels *sc = ssh->chanctxt; |
2337 | chan_fn **ftab = table == CHAN_PRE ? sc->channel_pre : sc->channel_post; |
2338 | u_int i, oalloc; |
2339 | Channel *c; |
2340 | time_t now; |
2341 | |
2342 | now = monotime(); |
2343 | if (unpause_secs != NULL((void *)0)) |
2344 | *unpause_secs = 0; |
2345 | for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) { |
2346 | c = sc->channels[i]; |
2347 | if (c == NULL((void *)0)) |
2348 | continue; |
2349 | if (c->delayed) { |
2350 | if (table == CHAN_PRE) |
2351 | c->delayed = 0; |
2352 | else |
2353 | continue; |
2354 | } |
2355 | if (ftab[c->type] != NULL((void *)0)) { |
2356 | /* |
2357 | * Run handlers that are not paused. |
2358 | */ |
2359 | if (c->notbefore <= now) |
2360 | (*ftab[c->type])(ssh, c); |
2361 | else if (unpause_secs != NULL((void *)0)) { |
2362 | /* |
2363 | * Collect the time that the earliest |
2364 | * channel comes off pause. |
2365 | */ |
2366 | debug3_f("chan %d: skip for %d more "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2368 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "chan %d: skip for %d more " "seconds", c->self, (int)(c->notbefore - now)) |
2367 | "seconds", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2368 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "chan %d: skip for %d more " "seconds", c->self, (int)(c->notbefore - now)) |
2368 | (int)(c->notbefore - now))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2368 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "chan %d: skip for %d more " "seconds", c->self, (int)(c->notbefore - now)); |
2369 | if (*unpause_secs == 0 || |
2370 | (c->notbefore - now) < *unpause_secs) |
2371 | *unpause_secs = c->notbefore - now; |
2372 | } |
2373 | } |
2374 | channel_garbage_collect(ssh, c); |
2375 | } |
2376 | if (unpause_secs != NULL((void *)0) && *unpause_secs != 0) |
2377 | debug3_f("first channel unpauses in %d seconds",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2378 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "first channel unpauses in %d seconds" , (int)*unpause_secs) |
2378 | (int)*unpause_secs)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2378 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "first channel unpauses in %d seconds" , (int)*unpause_secs); |
2379 | } |
2380 | |
2381 | /* |
2382 | * Create sockets before preparing IO. |
2383 | * This is necessary for things that need to happen after reading |
2384 | * the network-input but need to be completed before IO event setup, e.g. |
2385 | * because they may create new channels. |
2386 | */ |
2387 | static void |
2388 | channel_before_prepare_io(struct ssh *ssh) |
2389 | { |
2390 | struct ssh_channels *sc = ssh->chanctxt; |
2391 | Channel *c; |
2392 | u_int i, oalloc; |
2393 | |
2394 | for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) { |
2395 | c = sc->channels[i]; |
2396 | if (c == NULL((void *)0)) |
2397 | continue; |
2398 | if (c->type == SSH_CHANNEL_RDYNAMIC_OPEN21) |
2399 | channel_before_prepare_io_rdynamic(ssh, c); |
2400 | } |
2401 | } |
2402 | |
2403 | static void |
2404 | dump_channel_poll(const char *func, const char *what, Channel *c, |
2405 | u_int pollfd_offset, struct pollfd *pfd) |
2406 | { |
2407 | #ifdef DEBUG_CHANNEL_POLL |
2408 | debug3_f("channel %d: rfd r%d w%d e%d s%d "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2411 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: rfd r%d w%d e%d s%d " "pfd[%u].fd=%d want 0x%02x ev 0x%02x ready 0x%02x rev 0x%02x" , c->self, c->rfd, c->wfd, c->efd, c->sock, pollfd_offset , pfd->fd, c->io_want, pfd->events, c->io_ready, pfd ->revents) |
2409 | "pfd[%u].fd=%d want 0x%02x ev 0x%02x ready 0x%02x rev 0x%02x",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2411 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: rfd r%d w%d e%d s%d " "pfd[%u].fd=%d want 0x%02x ev 0x%02x ready 0x%02x rev 0x%02x" , c->self, c->rfd, c->wfd, c->efd, c->sock, pollfd_offset , pfd->fd, c->io_want, pfd->events, c->io_ready, pfd ->revents) |
2410 | c->self, c->rfd, c->wfd, c->efd, c->sock, pollfd_offset, pfd->fd,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2411 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: rfd r%d w%d e%d s%d " "pfd[%u].fd=%d want 0x%02x ev 0x%02x ready 0x%02x rev 0x%02x" , c->self, c->rfd, c->wfd, c->efd, c->sock, pollfd_offset , pfd->fd, c->io_want, pfd->events, c->io_ready, pfd ->revents) |
2411 | c->io_want, pfd->events, c->io_ready, pfd->revents)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2411 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: rfd r%d w%d e%d s%d " "pfd[%u].fd=%d want 0x%02x ev 0x%02x ready 0x%02x rev 0x%02x" , c->self, c->rfd, c->wfd, c->efd, c->sock, pollfd_offset , pfd->fd, c->io_want, pfd->events, c->io_ready, pfd ->revents); |
2412 | #endif |
2413 | } |
2414 | |
2415 | /* Prepare pollfd entries for a single channel */ |
2416 | static void |
2417 | channel_prepare_pollfd(Channel *c, u_int *next_pollfd, |
2418 | struct pollfd *pfd, u_int npfd) |
2419 | { |
2420 | u_int p = *next_pollfd; |
2421 | |
2422 | if (c == NULL((void *)0)) |
2423 | return; |
2424 | if (p + 4 > npfd) { |
2425 | /* Shouldn't happen */ |
2426 | fatal_f("channel %d: bad pfd offset %u (max %u)",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2427 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: bad pfd offset %u (max %u)" , c->self, p, npfd) |
2427 | c->self, p, npfd)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2427 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: bad pfd offset %u (max %u)" , c->self, p, npfd); |
2428 | } |
2429 | c->pollfd_offset = -1; |
2430 | /* |
2431 | * prepare c->rfd |
2432 | * |
2433 | * This is a special case, since c->rfd might be the same as |
2434 | * c->wfd, c->efd and/or c->sock. Handle those here if they want |
2435 | * IO too. |
2436 | */ |
2437 | if (c->rfd != -1) { |
2438 | if (c->pollfd_offset == -1) |
2439 | c->pollfd_offset = p; |
2440 | pfd[p].fd = c->rfd; |
2441 | pfd[p].events = 0; |
2442 | if ((c->io_want & SSH_CHAN_IO_RFD0x01) != 0) |
2443 | pfd[p].events |= POLLIN0x0001; |
2444 | /* rfd == wfd */ |
2445 | if (c->wfd == c->rfd && |
2446 | (c->io_want & SSH_CHAN_IO_WFD0x02) != 0) |
2447 | pfd[p].events |= POLLOUT0x0004; |
2448 | /* rfd == efd */ |
2449 | if (c->efd == c->rfd && |
2450 | (c->io_want & SSH_CHAN_IO_EFD_R0x04) != 0) |
2451 | pfd[p].events |= POLLIN0x0001; |
2452 | if (c->efd == c->rfd && |
2453 | (c->io_want & SSH_CHAN_IO_EFD_W0x08) != 0) |
2454 | pfd[p].events |= POLLOUT0x0004; |
2455 | /* rfd == sock */ |
2456 | if (c->sock == c->rfd && |
2457 | (c->io_want & SSH_CHAN_IO_SOCK_R0x10) != 0) |
2458 | pfd[p].events |= POLLIN0x0001; |
2459 | if (c->sock == c->rfd && |
2460 | (c->io_want & SSH_CHAN_IO_SOCK_W0x20) != 0) |
2461 | pfd[p].events |= POLLOUT0x0004; |
2462 | dump_channel_poll(__func__, "rfd", c, p, &pfd[p]); |
2463 | p++; |
2464 | } |
2465 | /* prepare c->wfd (if not already handled above) */ |
2466 | if (c->wfd != -1 && c->rfd != c->wfd) { |
2467 | if (c->pollfd_offset == -1) |
2468 | c->pollfd_offset = p; |
2469 | pfd[p].fd = c->wfd; |
2470 | pfd[p].events = 0; |
2471 | if ((c->io_want & SSH_CHAN_IO_WFD0x02) != 0) |
2472 | pfd[p].events = POLLOUT0x0004; |
2473 | dump_channel_poll(__func__, "wfd", c, p, &pfd[p]); |
2474 | p++; |
2475 | } |
2476 | /* prepare c->efd (if not already handled above) */ |
2477 | if (c->efd != -1 && c->rfd != c->efd) { |
2478 | if (c->pollfd_offset == -1) |
2479 | c->pollfd_offset = p; |
2480 | pfd[p].fd = c->efd; |
2481 | pfd[p].events = 0; |
2482 | if ((c->io_want & SSH_CHAN_IO_EFD_R0x04) != 0) |
2483 | pfd[p].events |= POLLIN0x0001; |
2484 | if ((c->io_want & SSH_CHAN_IO_EFD_W0x08) != 0) |
2485 | pfd[p].events |= POLLOUT0x0004; |
2486 | dump_channel_poll(__func__, "efd", c, p, &pfd[p]); |
2487 | p++; |
2488 | } |
2489 | /* prepare c->sock (if not already handled above) */ |
2490 | if (c->sock != -1 && c->rfd != c->sock) { |
2491 | if (c->pollfd_offset == -1) |
2492 | c->pollfd_offset = p; |
2493 | pfd[p].fd = c->sock; |
2494 | pfd[p].events = 0; |
2495 | if ((c->io_want & SSH_CHAN_IO_SOCK_R0x10) != 0) |
2496 | pfd[p].events |= POLLIN0x0001; |
2497 | if ((c->io_want & SSH_CHAN_IO_SOCK_W0x20) != 0) |
2498 | pfd[p].events |= POLLOUT0x0004; |
2499 | dump_channel_poll(__func__, "sock", c, p, &pfd[p]); |
2500 | p++; |
2501 | } |
2502 | *next_pollfd = p; |
2503 | } |
2504 | |
2505 | /* * Allocate/prepare poll structure */ |
2506 | void |
2507 | channel_prepare_poll(struct ssh *ssh, struct pollfd **pfdp, u_int *npfd_allocp, |
2508 | u_int *npfd_activep, u_int npfd_reserved, time_t *minwait_secs) |
2509 | { |
2510 | struct ssh_channels *sc = ssh->chanctxt; |
2511 | u_int i, oalloc, p, npfd = npfd_reserved; |
2512 | |
2513 | channel_before_prepare_io(ssh); /* might create a new channel */ |
2514 | |
2515 | /* Allocate 4x pollfd for each channel (rfd, wfd, efd, sock) */ |
2516 | if (sc->channels_alloc >= (INT_MAX2147483647 / 4) - npfd_reserved) |
2517 | fatal_f("too many channels")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2517 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "too many channels"); /* shouldn't happen */ |
2518 | if (!ssh_packet_is_rekeying(ssh)) |
2519 | npfd += sc->channels_alloc * 4; |
2520 | if (npfd > *npfd_allocp) { |
2521 | *pfdp = xrecallocarray(*pfdp, *npfd_allocp, |
2522 | npfd, sizeof(**pfdp)); |
2523 | *npfd_allocp = npfd; |
2524 | } |
2525 | *npfd_activep = npfd_reserved; |
2526 | if (ssh_packet_is_rekeying(ssh)) |
2527 | return; |
2528 | |
2529 | oalloc = sc->channels_alloc; |
2530 | |
2531 | channel_handler(ssh, CHAN_PRE, minwait_secs); |
2532 | |
2533 | if (oalloc != sc->channels_alloc) { |
2534 | /* shouldn't happen */ |
2535 | fatal_f("channels_alloc changed during CHAN_PRE "sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2536 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channels_alloc changed during CHAN_PRE " "(was %u, now %u)", oalloc, sc->channels_alloc) |
2536 | "(was %u, now %u)", oalloc, sc->channels_alloc)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2536 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channels_alloc changed during CHAN_PRE " "(was %u, now %u)", oalloc, sc->channels_alloc); |
2537 | } |
2538 | |
2539 | /* Prepare pollfd */ |
2540 | p = npfd_reserved; |
2541 | for (i = 0; i < sc->channels_alloc; i++) |
2542 | channel_prepare_pollfd(sc->channels[i], &p, *pfdp, npfd); |
2543 | *npfd_activep = p; |
2544 | } |
2545 | |
2546 | static void |
2547 | fd_ready(Channel *c, u_int p, struct pollfd *pfds, int fd, |
2548 | const char *what, u_int revents_mask, u_int ready) |
2549 | { |
2550 | struct pollfd *pfd = &pfds[p]; |
2551 | |
2552 | if (fd == -1) |
2553 | return; |
2554 | dump_channel_poll(__func__, what, c, p, pfd); |
2555 | if (pfd->fd != fd) { |
2556 | fatal("channel %d: inconsistent %s fd=%d pollfd[%u].fd %d "sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2558 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: inconsistent %s fd=%d pollfd[%u].fd %d " "r%d w%d e%d s%d", c->self, what, fd, p, pfd->fd, c-> rfd, c->wfd, c->efd, c->sock) |
2557 | "r%d w%d e%d s%d", c->self, what, fd, p, pfd->fd,sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2558 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: inconsistent %s fd=%d pollfd[%u].fd %d " "r%d w%d e%d s%d", c->self, what, fd, p, pfd->fd, c-> rfd, c->wfd, c->efd, c->sock) |
2558 | c->rfd, c->wfd, c->efd, c->sock)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2558 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: inconsistent %s fd=%d pollfd[%u].fd %d " "r%d w%d e%d s%d", c->self, what, fd, p, pfd->fd, c-> rfd, c->wfd, c->efd, c->sock); |
2559 | } |
2560 | if ((pfd->revents & POLLNVAL0x0020) != 0) { |
2561 | fatal("channel %d: invalid %s pollfd[%u].fd %d r%d w%d e%d s%d",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2562 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: invalid %s pollfd[%u].fd %d r%d w%d e%d s%d" , c->self, what, p, pfd->fd, c->rfd, c->wfd, c-> efd, c->sock) |
2562 | c->self, what, p, pfd->fd, c->rfd, c->wfd, c->efd, c->sock)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2562 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: invalid %s pollfd[%u].fd %d r%d w%d e%d s%d" , c->self, what, p, pfd->fd, c->rfd, c->wfd, c-> efd, c->sock); |
2563 | } |
2564 | if ((pfd->revents & (revents_mask|POLLHUP0x0010|POLLERR0x0008)) != 0) |
2565 | c->io_ready |= ready & c->io_want; |
2566 | } |
2567 | |
2568 | /* |
2569 | * After poll, perform any appropriate operations for channels which have |
2570 | * events pending. |
2571 | */ |
2572 | void |
2573 | channel_after_poll(struct ssh *ssh, struct pollfd *pfd, u_int npfd) |
2574 | { |
2575 | struct ssh_channels *sc = ssh->chanctxt; |
2576 | u_int i, p; |
2577 | Channel *c; |
2578 | |
2579 | #ifdef DEBUG_CHANNEL_POLL |
2580 | for (p = 0; p < npfd; p++) { |
2581 | if (pfd[p].revents == 0) |
2582 | continue; |
2583 | debug_f("pfd[%u].fd %d rev 0x%04x",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2584 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "pfd[%u].fd %d rev 0x%04x" , p, pfd[p].fd, pfd[p].revents) |
2584 | p, pfd[p].fd, pfd[p].revents)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2584 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "pfd[%u].fd %d rev 0x%04x" , p, pfd[p].fd, pfd[p].revents); |
2585 | } |
2586 | #endif |
2587 | |
2588 | /* Convert pollfd into c->io_ready */ |
2589 | for (i = 0; i < sc->channels_alloc; i++) { |
2590 | c = sc->channels[i]; |
2591 | if (c == NULL((void *)0) || c->pollfd_offset < 0) |
2592 | continue; |
2593 | if ((u_int)c->pollfd_offset >= npfd) { |
2594 | /* shouldn't happen */ |
2595 | fatal_f("channel %d: (before) bad pfd %u (max %u)",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2596 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: (before) bad pfd %u (max %u)" , c->self, c->pollfd_offset, npfd) |
2596 | c->self, c->pollfd_offset, npfd)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2596 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: (before) bad pfd %u (max %u)" , c->self, c->pollfd_offset, npfd); |
2597 | } |
2598 | /* if rfd is shared with efd/sock then wfd should be too */ |
2599 | if (c->rfd != -1 && c->wfd != -1 && c->rfd != c->wfd && |
2600 | (c->rfd == c->efd || c->rfd == c->sock)) { |
2601 | /* Shouldn't happen */ |
2602 | fatal_f("channel %d: unexpected fds r%d w%d e%d s%d",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2603 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: unexpected fds r%d w%d e%d s%d" , c->self, c->rfd, c->wfd, c->efd, c->sock) |
2603 | c->self, c->rfd, c->wfd, c->efd, c->sock)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2603 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: unexpected fds r%d w%d e%d s%d" , c->self, c->rfd, c->wfd, c->efd, c->sock); |
2604 | } |
2605 | c->io_ready = 0; |
2606 | p = c->pollfd_offset; |
2607 | /* rfd, potentially shared with wfd, efd and sock */ |
2608 | if (c->rfd != -1) { |
2609 | fd_ready(c, p, pfd, c->rfd, "rfd", POLLIN0x0001, |
2610 | SSH_CHAN_IO_RFD0x01); |
2611 | if (c->rfd == c->wfd) { |
2612 | fd_ready(c, p, pfd, c->wfd, "wfd/r", POLLOUT0x0004, |
2613 | SSH_CHAN_IO_WFD0x02); |
2614 | } |
2615 | if (c->rfd == c->efd) { |
2616 | fd_ready(c, p, pfd, c->efd, "efdr/r", POLLIN0x0001, |
2617 | SSH_CHAN_IO_EFD_R0x04); |
2618 | fd_ready(c, p, pfd, c->efd, "efdw/r", POLLOUT0x0004, |
2619 | SSH_CHAN_IO_EFD_W0x08); |
2620 | } |
2621 | if (c->rfd == c->sock) { |
2622 | fd_ready(c, p, pfd, c->sock, "sockr/r", POLLIN0x0001, |
2623 | SSH_CHAN_IO_SOCK_R0x10); |
2624 | fd_ready(c, p, pfd, c->sock, "sockw/r", POLLOUT0x0004, |
2625 | SSH_CHAN_IO_SOCK_W0x20); |
2626 | } |
2627 | p++; |
2628 | } |
2629 | /* wfd */ |
2630 | if (c->wfd != -1 && c->wfd != c->rfd) { |
2631 | fd_ready(c, p, pfd, c->wfd, "wfd", POLLOUT0x0004, |
2632 | SSH_CHAN_IO_WFD0x02); |
2633 | p++; |
2634 | } |
2635 | /* efd */ |
2636 | if (c->efd != -1 && c->efd != c->rfd) { |
2637 | fd_ready(c, p, pfd, c->efd, "efdr", POLLIN0x0001, |
2638 | SSH_CHAN_IO_EFD_R0x04); |
2639 | fd_ready(c, p, pfd, c->efd, "efdw", POLLOUT0x0004, |
2640 | SSH_CHAN_IO_EFD_W0x08); |
2641 | p++; |
2642 | } |
2643 | /* sock */ |
2644 | if (c->sock != -1 && c->sock != c->rfd) { |
2645 | fd_ready(c, p, pfd, c->sock, "sockr", POLLIN0x0001, |
2646 | SSH_CHAN_IO_SOCK_R0x10); |
2647 | fd_ready(c, p, pfd, c->sock, "sockw", POLLOUT0x0004, |
2648 | SSH_CHAN_IO_SOCK_W0x20); |
2649 | p++; |
2650 | } |
2651 | |
2652 | if (p > npfd) { |
2653 | /* shouldn't happen */ |
2654 | fatal_f("channel %d: (after) bad pfd %u (max %u)",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2655 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: (after) bad pfd %u (max %u)" , c->self, c->pollfd_offset, npfd) |
2655 | c->self, c->pollfd_offset, npfd)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2655 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: (after) bad pfd %u (max %u)" , c->self, c->pollfd_offset, npfd); |
2656 | } |
2657 | } |
2658 | channel_handler(ssh, CHAN_POST, NULL((void *)0)); |
2659 | } |
2660 | |
2661 | /* |
2662 | * Enqueue data for channels with open or draining c->input. |
2663 | */ |
2664 | static void |
2665 | channel_output_poll_input_open(struct ssh *ssh, Channel *c) |
2666 | { |
2667 | size_t len, plen; |
2668 | const u_char *pkt; |
2669 | int r; |
2670 | |
2671 | if ((len = sshbuf_len(c->input)) == 0) { |
2672 | if (c->istate == CHAN_INPUT_WAIT_DRAIN1) { |
2673 | /* |
2674 | * input-buffer is empty and read-socket shutdown: |
2675 | * tell peer, that we will not send more data: |
2676 | * send IEOF. |
2677 | * hack for extended data: delay EOF if EFD still |
2678 | * in use. |
2679 | */ |
2680 | if (CHANNEL_EFD_INPUT_ACTIVE(c)(c->extended_usage == 1 && (c->efd != -1 || sshbuf_len (c->extended) > 0))) |
2681 | debug2("channel %d: "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2683 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "ibuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended)) |
2682 | "ibuf_empty delayed efd %d/(%zu)",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2683 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "ibuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended)) |
2683 | c->self, c->efd, sshbuf_len(c->extended))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2683 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "ibuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended)); |
2684 | else |
2685 | chan_ibuf_empty(ssh, c); |
2686 | } |
2687 | return; |
2688 | } |
2689 | |
2690 | if (!c->have_remote_id) |
2691 | fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2691 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self); |
2692 | |
2693 | if (c->datagram) { |
2694 | /* Check datagram will fit; drop if not */ |
2695 | if ((r = sshbuf_get_string_direct(c->input, &pkt, &plen)) != 0) |
2696 | fatal_fr(r, "channel %i: get datagram", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2696 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: get datagram" , c->self); |
2697 | /* |
2698 | * XXX this does tail-drop on the datagram queue which is |
2699 | * usually suboptimal compared to head-drop. Better to have |
2700 | * backpressure at read time? (i.e. read + discard) |
2701 | */ |
2702 | if (plen > c->remote_window || plen > c->remote_maxpacket) { |
2703 | debug("channel %d: datagram too big", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2703 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: datagram too big" , c->self); |
2704 | return; |
2705 | } |
2706 | /* Enqueue it */ |
2707 | if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA94)) != 0 || |
2708 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
2709 | (r = sshpkt_put_string(ssh, pkt, plen)) != 0 || |
2710 | (r = sshpkt_send(ssh)) != 0) |
2711 | fatal_fr(r, "channel %i: send datagram", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2711 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: send datagram" , c->self); |
2712 | c->remote_window -= plen; |
2713 | return; |
2714 | } |
2715 | |
2716 | /* Enqueue packet for buffered data. */ |
2717 | if (len > c->remote_window) |
2718 | len = c->remote_window; |
2719 | if (len > c->remote_maxpacket) |
2720 | len = c->remote_maxpacket; |
2721 | if (len == 0) |
2722 | return; |
2723 | if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA94)) != 0 || |
2724 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
2725 | (r = sshpkt_put_string(ssh, sshbuf_ptr(c->input), len)) != 0 || |
2726 | (r = sshpkt_send(ssh)) != 0) |
2727 | fatal_fr(r, "channel %i: send data", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2727 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: send data", c->self); |
2728 | if ((r = sshbuf_consume(c->input, len)) != 0) |
2729 | fatal_fr(r, "channel %i: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2729 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: consume", c ->self); |
2730 | c->remote_window -= len; |
2731 | } |
2732 | |
2733 | /* |
2734 | * Enqueue data for channels with open c->extended in read mode. |
2735 | */ |
2736 | static void |
2737 | channel_output_poll_extended_read(struct ssh *ssh, Channel *c) |
2738 | { |
2739 | size_t len; |
2740 | int r; |
2741 | |
2742 | if ((len = sshbuf_len(c->extended)) == 0) |
2743 | return; |
2744 | |
2745 | debug2("channel %d: rwin %u elen %zu euse %d", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2746 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: rwin %u elen %zu euse %d" , c->self, c->remote_window, sshbuf_len(c->extended) , c->extended_usage) |
2746 | c->remote_window, sshbuf_len(c->extended), c->extended_usage)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2746 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: rwin %u elen %zu euse %d" , c->self, c->remote_window, sshbuf_len(c->extended) , c->extended_usage); |
2747 | if (len > c->remote_window) |
2748 | len = c->remote_window; |
2749 | if (len > c->remote_maxpacket) |
2750 | len = c->remote_maxpacket; |
2751 | if (len == 0) |
2752 | return; |
2753 | if (!c->have_remote_id) |
2754 | fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2754 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self); |
2755 | if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_EXTENDED_DATA95)) != 0 || |
2756 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
2757 | (r = sshpkt_put_u32(ssh, SSH2_EXTENDED_DATA_STDERR1)) != 0 || |
2758 | (r = sshpkt_put_string(ssh, sshbuf_ptr(c->extended), len)) != 0 || |
2759 | (r = sshpkt_send(ssh)) != 0) |
2760 | fatal_fr(r, "channel %i: data", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2760 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: data", c-> self); |
2761 | if ((r = sshbuf_consume(c->extended, len)) != 0) |
2762 | fatal_fr(r, "channel %i: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2762 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: consume", c ->self); |
2763 | c->remote_window -= len; |
2764 | debug2("channel %d: sent ext data %zu", c->self, len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2764 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: sent ext data %zu" , c->self, len); |
2765 | } |
2766 | |
2767 | /* If there is data to send to the connection, enqueue some of it now. */ |
2768 | void |
2769 | channel_output_poll(struct ssh *ssh) |
2770 | { |
2771 | struct ssh_channels *sc = ssh->chanctxt; |
2772 | Channel *c; |
2773 | u_int i; |
2774 | |
2775 | for (i = 0; i < sc->channels_alloc; i++) { |
2776 | c = sc->channels[i]; |
2777 | if (c == NULL((void *)0)) |
2778 | continue; |
2779 | |
2780 | /* |
2781 | * We are only interested in channels that can have buffered |
2782 | * incoming data. |
2783 | */ |
2784 | if (c->type != SSH_CHANNEL_OPEN4) |
2785 | continue; |
2786 | if ((c->flags & (CHAN_CLOSE_SENT0x01|CHAN_CLOSE_RCVD0x02))) { |
2787 | /* XXX is this true? */ |
2788 | debug3("channel %d: will not send data after close",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2789 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: will not send data after close" , c->self) |
2789 | c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2789 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: will not send data after close" , c->self); |
2790 | continue; |
2791 | } |
2792 | |
2793 | /* Get the amount of buffered data for this channel. */ |
2794 | if (c->istate == CHAN_INPUT_OPEN0 || |
2795 | c->istate == CHAN_INPUT_WAIT_DRAIN1) |
2796 | channel_output_poll_input_open(ssh, c); |
2797 | /* Send extended data, i.e. stderr */ |
2798 | if (!(c->flags & CHAN_EOF_SENT0x04) && |
2799 | c->extended_usage == CHAN_EXTENDED_READ1) |
2800 | channel_output_poll_extended_read(ssh, c); |
2801 | } |
2802 | } |
2803 | |
2804 | /* -- mux proxy support */ |
2805 | |
2806 | /* |
2807 | * When multiplexing channel messages for mux clients we have to deal |
2808 | * with downstream messages from the mux client and upstream messages |
2809 | * from the ssh server: |
2810 | * 1) Handling downstream messages is straightforward and happens |
2811 | * in channel_proxy_downstream(): |
2812 | * - We forward all messages (mostly) unmodified to the server. |
2813 | * - However, in order to route messages from upstream to the correct |
2814 | * downstream client, we have to replace the channel IDs used by the |
2815 | * mux clients with a unique channel ID because the mux clients might |
2816 | * use conflicting channel IDs. |
2817 | * - so we inspect and change both SSH2_MSG_CHANNEL_OPEN and |
2818 | * SSH2_MSG_CHANNEL_OPEN_CONFIRMATION messages, create a local |
2819 | * SSH_CHANNEL_MUX_PROXY channel and replace the mux clients ID |
2820 | * with the newly allocated channel ID. |
2821 | * 2) Upstream messages are received by matching SSH_CHANNEL_MUX_PROXY |
2822 | * channels and processed by channel_proxy_upstream(). The local channel ID |
2823 | * is then translated back to the original mux client ID. |
2824 | * 3) In both cases we need to keep track of matching SSH2_MSG_CHANNEL_CLOSE |
2825 | * messages so we can clean up SSH_CHANNEL_MUX_PROXY channels. |
2826 | * 4) The SSH_CHANNEL_MUX_PROXY channels also need to closed when the |
2827 | * downstream mux client are removed. |
2828 | * 5) Handling SSH2_MSG_CHANNEL_OPEN messages from the upstream server |
2829 | * requires more work, because they are not addressed to a specific |
2830 | * channel. E.g. client_request_forwarded_tcpip() needs to figure |
2831 | * out whether the request is addressed to the local client or a |
2832 | * specific downstream client based on the listen-address/port. |
2833 | * 6) Agent and X11-Forwarding have a similar problem and are currently |
2834 | * not supported as the matching session/channel cannot be identified |
2835 | * easily. |
2836 | */ |
2837 | |
2838 | /* |
2839 | * receive packets from downstream mux clients: |
2840 | * channel callback fired on read from mux client, creates |
2841 | * SSH_CHANNEL_MUX_PROXY channels and translates channel IDs |
2842 | * on channel creation. |
2843 | */ |
2844 | int |
2845 | channel_proxy_downstream(struct ssh *ssh, Channel *downstream) |
2846 | { |
2847 | Channel *c = NULL((void *)0); |
2848 | struct sshbuf *original = NULL((void *)0), *modified = NULL((void *)0); |
2849 | const u_char *cp; |
2850 | char *ctype = NULL((void *)0), *listen_host = NULL((void *)0); |
2851 | u_char type; |
2852 | size_t have; |
2853 | int ret = -1, r; |
2854 | u_int id, remote_id, listen_port; |
2855 | |
2856 | /* sshbuf_dump(downstream->input, stderr); */ |
2857 | if ((r = sshbuf_get_string_direct(downstream->input, &cp, &have)) |
2858 | != 0) { |
2859 | error_fr(r, "parse")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2859 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse"); |
2860 | return -1; |
2861 | } |
2862 | if (have < 2) { |
2863 | error_f("short message")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2863 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "short message"); |
2864 | return -1; |
2865 | } |
2866 | type = cp[1]; |
2867 | /* skip padlen + type */ |
2868 | cp += 2; |
2869 | have -= 2; |
2870 | if (ssh_packet_log_type(type)) |
2871 | debug3_f("channel %u: down->up: type %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2872 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %u: down->up: type %u" , downstream->self, type) |
2872 | downstream->self, type)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2872 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %u: down->up: type %u" , downstream->self, type); |
2873 | |
2874 | switch (type) { |
2875 | case SSH2_MSG_CHANNEL_OPEN90: |
2876 | if ((original = sshbuf_from(cp, have)) == NULL((void *)0) || |
2877 | (modified = sshbuf_new()) == NULL((void *)0)) { |
2878 | error_f("alloc")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2878 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "alloc"); |
2879 | goto out; |
2880 | } |
2881 | if ((r = sshbuf_get_cstring(original, &ctype, NULL((void *)0))) != 0 || |
2882 | (r = sshbuf_get_u32(original, &id)) != 0) { |
2883 | error_fr(r, "parse")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2883 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse"); |
2884 | goto out; |
2885 | } |
2886 | c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY20, |
2887 | -1, -1, -1, 0, 0, 0, ctype, 1); |
2888 | c->mux_ctx = downstream; /* point to mux client */ |
2889 | c->mux_downstream_id = id; /* original downstream id */ |
2890 | if ((r = sshbuf_put_cstring(modified, ctype)) != 0 || |
2891 | (r = sshbuf_put_u32(modified, c->self)) != 0 || |
2892 | (r = sshbuf_putb(modified, original)) != 0) { |
2893 | error_fr(r, "compose")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2893 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "compose"); |
2894 | channel_free(ssh, c); |
2895 | goto out; |
2896 | } |
2897 | break; |
2898 | case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION91: |
2899 | /* |
2900 | * Almost the same as SSH2_MSG_CHANNEL_OPEN, except then we |
2901 | * need to parse 'remote_id' instead of 'ctype'. |
2902 | */ |
2903 | if ((original = sshbuf_from(cp, have)) == NULL((void *)0) || |
2904 | (modified = sshbuf_new()) == NULL((void *)0)) { |
2905 | error_f("alloc")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2905 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "alloc"); |
2906 | goto out; |
2907 | } |
2908 | if ((r = sshbuf_get_u32(original, &remote_id)) != 0 || |
2909 | (r = sshbuf_get_u32(original, &id)) != 0) { |
2910 | error_fr(r, "parse")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2910 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse"); |
2911 | goto out; |
2912 | } |
2913 | c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY20, |
2914 | -1, -1, -1, 0, 0, 0, "mux-down-connect", 1); |
2915 | c->mux_ctx = downstream; /* point to mux client */ |
2916 | c->mux_downstream_id = id; |
2917 | c->remote_id = remote_id; |
2918 | c->have_remote_id = 1; |
2919 | if ((r = sshbuf_put_u32(modified, remote_id)) != 0 || |
2920 | (r = sshbuf_put_u32(modified, c->self)) != 0 || |
2921 | (r = sshbuf_putb(modified, original)) != 0) { |
2922 | error_fr(r, "compose")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2922 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "compose"); |
2923 | channel_free(ssh, c); |
2924 | goto out; |
2925 | } |
2926 | break; |
2927 | case SSH2_MSG_GLOBAL_REQUEST80: |
2928 | if ((original = sshbuf_from(cp, have)) == NULL((void *)0)) { |
2929 | error_f("alloc")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2929 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "alloc"); |
2930 | goto out; |
2931 | } |
2932 | if ((r = sshbuf_get_cstring(original, &ctype, NULL((void *)0))) != 0) { |
2933 | error_fr(r, "parse")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2933 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse"); |
2934 | goto out; |
2935 | } |
2936 | if (strcmp(ctype, "tcpip-forward") != 0) { |
2937 | error_f("unsupported request %s", ctype)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2937 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "unsupported request %s" , ctype); |
2938 | goto out; |
2939 | } |
2940 | if ((r = sshbuf_get_u8(original, NULL((void *)0))) != 0 || |
2941 | (r = sshbuf_get_cstring(original, &listen_host, NULL((void *)0))) != 0 || |
2942 | (r = sshbuf_get_u32(original, &listen_port)) != 0) { |
2943 | error_fr(r, "parse")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2943 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse"); |
2944 | goto out; |
2945 | } |
2946 | if (listen_port > 65535) { |
2947 | error_f("tcpip-forward for %s: bad port %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2948 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "tcpip-forward for %s: bad port %u" , listen_host, listen_port) |
2948 | listen_host, listen_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2948 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "tcpip-forward for %s: bad port %u" , listen_host, listen_port); |
2949 | goto out; |
2950 | } |
2951 | /* Record that connection to this host/port is permitted. */ |
2952 | permission_set_add(ssh, FORWARD_USER0x101, FORWARD_LOCAL(1<<1), "<mux>", -1, |
2953 | listen_host, NULL((void *)0), (int)listen_port, downstream); |
2954 | listen_host = NULL((void *)0); |
2955 | break; |
2956 | case SSH2_MSG_CHANNEL_CLOSE97: |
2957 | if (have < 4) |
2958 | break; |
2959 | remote_id = PEEK_U32(cp)(((u_int32_t)(((const u_char *)(cp))[0]) << 24) | ((u_int32_t )(((const u_char *)(cp))[1]) << 16) | ((u_int32_t)(((const u_char *)(cp))[2]) << 8) | (u_int32_t)(((const u_char * )(cp))[3])); |
2960 | if ((c = channel_by_remote_id(ssh, remote_id)) != NULL((void *)0)) { |
2961 | if (c->flags & CHAN_CLOSE_RCVD0x02) |
2962 | channel_free(ssh, c); |
2963 | else |
2964 | c->flags |= CHAN_CLOSE_SENT0x01; |
2965 | } |
2966 | break; |
2967 | } |
2968 | if (modified) { |
2969 | if ((r = sshpkt_start(ssh, type)) != 0 || |
2970 | (r = sshpkt_putb(ssh, modified)) != 0 || |
2971 | (r = sshpkt_send(ssh)) != 0) { |
2972 | error_fr(r, "send")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2972 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "send"); |
2973 | goto out; |
2974 | } |
2975 | } else { |
2976 | if ((r = sshpkt_start(ssh, type)) != 0 || |
2977 | (r = sshpkt_put(ssh, cp, have)) != 0 || |
2978 | (r = sshpkt_send(ssh)) != 0) { |
2979 | error_fr(r, "send")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2979 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "send"); |
2980 | goto out; |
2981 | } |
2982 | } |
2983 | ret = 0; |
2984 | out: |
2985 | free(ctype); |
2986 | free(listen_host); |
2987 | sshbuf_free(original); |
2988 | sshbuf_free(modified); |
2989 | return ret; |
2990 | } |
2991 | |
2992 | /* |
2993 | * receive packets from upstream server and de-multiplex packets |
2994 | * to correct downstream: |
2995 | * implemented as a helper for channel input handlers, |
2996 | * replaces local (proxy) channel ID with downstream channel ID. |
2997 | */ |
2998 | int |
2999 | channel_proxy_upstream(Channel *c, int type, u_int32_t seq, struct ssh *ssh) |
3000 | { |
3001 | struct sshbuf *b = NULL((void *)0); |
3002 | Channel *downstream; |
3003 | const u_char *cp = NULL((void *)0); |
3004 | size_t len; |
3005 | int r; |
3006 | |
3007 | /* |
3008 | * When receiving packets from the peer we need to check whether we |
3009 | * need to forward the packets to the mux client. In this case we |
3010 | * restore the original channel id and keep track of CLOSE messages, |
3011 | * so we can cleanup the channel. |
3012 | */ |
3013 | if (c == NULL((void *)0) || c->type != SSH_CHANNEL_MUX_PROXY20) |
3014 | return 0; |
3015 | if ((downstream = c->mux_ctx) == NULL((void *)0)) |
3016 | return 0; |
3017 | switch (type) { |
3018 | case SSH2_MSG_CHANNEL_CLOSE97: |
3019 | case SSH2_MSG_CHANNEL_DATA94: |
3020 | case SSH2_MSG_CHANNEL_EOF96: |
3021 | case SSH2_MSG_CHANNEL_EXTENDED_DATA95: |
3022 | case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION91: |
3023 | case SSH2_MSG_CHANNEL_OPEN_FAILURE92: |
3024 | case SSH2_MSG_CHANNEL_WINDOW_ADJUST93: |
3025 | case SSH2_MSG_CHANNEL_SUCCESS99: |
3026 | case SSH2_MSG_CHANNEL_FAILURE100: |
3027 | case SSH2_MSG_CHANNEL_REQUEST98: |
3028 | break; |
3029 | default: |
3030 | debug2_f("channel %u: unsupported type %u", c->self, type)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3030 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %u: unsupported type %u" , c->self, type); |
3031 | return 0; |
3032 | } |
3033 | if ((b = sshbuf_new()) == NULL((void *)0)) { |
3034 | error_f("alloc reply")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3034 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "alloc reply"); |
3035 | goto out; |
3036 | } |
3037 | /* get remaining payload (after id) */ |
3038 | cp = sshpkt_ptr(ssh, &len); |
3039 | if (cp == NULL((void *)0)) { |
3040 | error_f("no packet")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3040 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "no packet"); |
3041 | goto out; |
3042 | } |
3043 | /* translate id and send to muxclient */ |
3044 | if ((r = sshbuf_put_u8(b, 0)) != 0 || /* padlen */ |
3045 | (r = sshbuf_put_u8(b, type)) != 0 || |
3046 | (r = sshbuf_put_u32(b, c->mux_downstream_id)) != 0 || |
3047 | (r = sshbuf_put(b, cp, len)) != 0 || |
3048 | (r = sshbuf_put_stringb(downstream->output, b)) != 0) { |
3049 | error_fr(r, "compose muxclient")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3049 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "compose muxclient"); |
3050 | goto out; |
3051 | } |
3052 | /* sshbuf_dump(b, stderr); */ |
3053 | if (ssh_packet_log_type(type)) |
3054 | debug3_f("channel %u: up->down: type %u", c->self, type)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3054 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %u: up->down: type %u" , c->self, type); |
3055 | out: |
3056 | /* update state */ |
3057 | switch (type) { |
3058 | case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION91: |
3059 | /* record remote_id for SSH2_MSG_CHANNEL_CLOSE */ |
3060 | if (cp && len > 4) { |
3061 | c->remote_id = PEEK_U32(cp)(((u_int32_t)(((const u_char *)(cp))[0]) << 24) | ((u_int32_t )(((const u_char *)(cp))[1]) << 16) | ((u_int32_t)(((const u_char *)(cp))[2]) << 8) | (u_int32_t)(((const u_char * )(cp))[3])); |
3062 | c->have_remote_id = 1; |
3063 | } |
3064 | break; |
3065 | case SSH2_MSG_CHANNEL_CLOSE97: |
3066 | if (c->flags & CHAN_CLOSE_SENT0x01) |
3067 | channel_free(ssh, c); |
3068 | else |
3069 | c->flags |= CHAN_CLOSE_RCVD0x02; |
3070 | break; |
3071 | } |
3072 | sshbuf_free(b); |
3073 | return 1; |
3074 | } |
3075 | |
3076 | /* -- protocol input */ |
3077 | |
3078 | /* Parse a channel ID from the current packet */ |
3079 | static int |
3080 | channel_parse_id(struct ssh *ssh, const char *where, const char *what) |
3081 | { |
3082 | u_int32_t id; |
3083 | int r; |
3084 | |
3085 | if ((r = sshpkt_get_u32(ssh, &id)) != 0) { |
3086 | error_r(r, "%s: parse id", where)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3086 , 0, SYSLOG_LEVEL_ERROR, ssh_err(r), "%s: parse id", where); |
3087 | ssh_packet_disconnect(ssh, "Invalid %s message", what); |
3088 | } |
3089 | if (id > INT_MAX2147483647) { |
3090 | error_r(r, "%s: bad channel id %u", where, id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3090 , 0, SYSLOG_LEVEL_ERROR, ssh_err(r), "%s: bad channel id %u", where, id); |
3091 | ssh_packet_disconnect(ssh, "Invalid %s channel id", what); |
3092 | } |
3093 | return (int)id; |
3094 | } |
3095 | |
3096 | /* Lookup a channel from an ID in the current packet */ |
3097 | static Channel * |
3098 | channel_from_packet_id(struct ssh *ssh, const char *where, const char *what) |
3099 | { |
3100 | int id = channel_parse_id(ssh, where, what); |
3101 | Channel *c; |
3102 | |
3103 | if ((c = channel_lookup(ssh, id)) == NULL((void *)0)) { |
3104 | ssh_packet_disconnect(ssh, |
3105 | "%s packet referred to nonexistent channel %d", what, id); |
3106 | } |
3107 | return c; |
3108 | } |
3109 | |
3110 | int |
3111 | channel_input_data(int type, u_int32_t seq, struct ssh *ssh) |
3112 | { |
3113 | const u_char *data; |
3114 | size_t data_len, win_len; |
3115 | Channel *c = channel_from_packet_id(ssh, __func__, "data"); |
3116 | int r; |
3117 | |
3118 | if (channel_proxy_upstream(c, type, seq, ssh)) |
3119 | return 0; |
3120 | |
3121 | /* Ignore any data for non-open channels (might happen on close) */ |
3122 | if (c->type != SSH_CHANNEL_OPEN4 && |
3123 | c->type != SSH_CHANNEL_RDYNAMIC_OPEN21 && |
3124 | c->type != SSH_CHANNEL_RDYNAMIC_FINISH22 && |
3125 | c->type != SSH_CHANNEL_X11_OPEN7) |
3126 | return 0; |
3127 | |
3128 | /* Get the data. */ |
3129 | if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 || |
3130 | (r = sshpkt_get_end(ssh)) != 0) |
3131 | fatal_fr(r, "channel %i: get data", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3131 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: get data", c ->self); |
3132 | |
3133 | win_len = data_len; |
3134 | if (c->datagram) |
3135 | win_len += 4; /* string length header */ |
3136 | |
3137 | /* |
3138 | * The sending side reduces its window as it sends data, so we |
3139 | * must 'fake' consumption of the data in order to ensure that window |
3140 | * updates are sent back. Otherwise the connection might deadlock. |
3141 | */ |
3142 | if (c->ostate != CHAN_OUTPUT_OPEN0) { |
3143 | c->local_window -= win_len; |
3144 | c->local_consumed += win_len; |
3145 | return 0; |
3146 | } |
3147 | |
3148 | if (win_len > c->local_maxpacket) { |
3149 | logit("channel %d: rcvd big packet %zu, maxpack %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3150 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd big packet %zu, maxpack %u" , c->self, win_len, c->local_maxpacket) |
3150 | c->self, win_len, c->local_maxpacket)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3150 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd big packet %zu, maxpack %u" , c->self, win_len, c->local_maxpacket); |
3151 | return 0; |
3152 | } |
3153 | if (win_len > c->local_window) { |
3154 | logit("channel %d: rcvd too much data %zu, win %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3155 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd too much data %zu, win %u" , c->self, win_len, c->local_window) |
3155 | c->self, win_len, c->local_window)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3155 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd too much data %zu, win %u" , c->self, win_len, c->local_window); |
3156 | return 0; |
3157 | } |
3158 | c->local_window -= win_len; |
3159 | |
3160 | if (c->datagram) { |
3161 | if ((r = sshbuf_put_string(c->output, data, data_len)) != 0) |
3162 | fatal_fr(r, "channel %i: append datagram", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3162 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: append datagram" , c->self); |
3163 | } else if ((r = sshbuf_put(c->output, data, data_len)) != 0) |
3164 | fatal_fr(r, "channel %i: append data", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3164 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: append data" , c->self); |
3165 | |
3166 | return 0; |
3167 | } |
3168 | |
3169 | int |
3170 | channel_input_extended_data(int type, u_int32_t seq, struct ssh *ssh) |
3171 | { |
3172 | const u_char *data; |
3173 | size_t data_len; |
3174 | u_int32_t tcode; |
3175 | Channel *c = channel_from_packet_id(ssh, __func__, "extended data"); |
3176 | int r; |
3177 | |
3178 | if (channel_proxy_upstream(c, type, seq, ssh)) |
3179 | return 0; |
3180 | if (c->type != SSH_CHANNEL_OPEN4) { |
3181 | logit("channel %d: ext data for non open", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3181 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: ext data for non open" , c->self); |
3182 | return 0; |
3183 | } |
3184 | if (c->flags & CHAN_EOF_RCVD0x08) { |
3185 | if (ssh->compat & SSH_BUG_EXTEOF0x00200000) |
3186 | debug("channel %d: accepting ext data after eof",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3187 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: accepting ext data after eof" , c->self) |
3187 | c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3187 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: accepting ext data after eof" , c->self); |
3188 | else |
3189 | ssh_packet_disconnect(ssh, "Received extended_data " |
3190 | "after EOF on channel %d.", c->self); |
3191 | } |
3192 | |
3193 | if ((r = sshpkt_get_u32(ssh, &tcode)) != 0) { |
3194 | error_fr(r, "parse tcode")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3194 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse tcode"); |
3195 | ssh_packet_disconnect(ssh, "Invalid extended_data message"); |
3196 | } |
3197 | if (c->efd == -1 || |
3198 | c->extended_usage != CHAN_EXTENDED_WRITE2 || |
3199 | tcode != SSH2_EXTENDED_DATA_STDERR1) { |
3200 | logit("channel %d: bad ext data", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3200 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: bad ext data" , c->self); |
3201 | return 0; |
3202 | } |
3203 | if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 || |
3204 | (r = sshpkt_get_end(ssh)) != 0) { |
3205 | error_fr(r, "parse data")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3205 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse data"); |
3206 | ssh_packet_disconnect(ssh, "Invalid extended_data message"); |
3207 | } |
3208 | |
3209 | if (data_len > c->local_window) { |
3210 | logit("channel %d: rcvd too much extended_data %zu, win %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3211 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd too much extended_data %zu, win %u" , c->self, data_len, c->local_window) |
3211 | c->self, data_len, c->local_window)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3211 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd too much extended_data %zu, win %u" , c->self, data_len, c->local_window); |
3212 | return 0; |
3213 | } |
3214 | debug2("channel %d: rcvd ext data %zu", c->self, data_len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3214 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: rcvd ext data %zu" , c->self, data_len); |
3215 | /* XXX sshpkt_getb? */ |
3216 | if ((r = sshbuf_put(c->extended, data, data_len)) != 0) |
3217 | error_fr(r, "append")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3217 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "append"); |
3218 | c->local_window -= data_len; |
3219 | return 0; |
3220 | } |
3221 | |
3222 | int |
3223 | channel_input_ieof(int type, u_int32_t seq, struct ssh *ssh) |
3224 | { |
3225 | Channel *c = channel_from_packet_id(ssh, __func__, "ieof"); |
3226 | int r; |
3227 | |
3228 | if ((r = sshpkt_get_end(ssh)) != 0) { |
3229 | error_fr(r, "parse data")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3229 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse data"); |
3230 | ssh_packet_disconnect(ssh, "Invalid ieof message"); |
3231 | } |
3232 | |
3233 | if (channel_proxy_upstream(c, type, seq, ssh)) |
3234 | return 0; |
3235 | chan_rcvd_ieof(ssh, c); |
3236 | |
3237 | /* XXX force input close */ |
3238 | if (c->force_drain && c->istate == CHAN_INPUT_OPEN0) { |
3239 | debug("channel %d: FORCE input drain", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3239 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: FORCE input drain" , c->self); |
3240 | c->istate = CHAN_INPUT_WAIT_DRAIN1; |
3241 | if (sshbuf_len(c->input) == 0) |
3242 | chan_ibuf_empty(ssh, c); |
3243 | } |
3244 | return 0; |
3245 | } |
3246 | |
3247 | int |
3248 | channel_input_oclose(int type, u_int32_t seq, struct ssh *ssh) |
3249 | { |
3250 | Channel *c = channel_from_packet_id(ssh, __func__, "oclose"); |
3251 | int r; |
3252 | |
3253 | if (channel_proxy_upstream(c, type, seq, ssh)) |
3254 | return 0; |
3255 | if ((r = sshpkt_get_end(ssh)) != 0) { |
3256 | error_fr(r, "parse data")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3256 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse data"); |
3257 | ssh_packet_disconnect(ssh, "Invalid oclose message"); |
3258 | } |
3259 | chan_rcvd_oclose(ssh, c); |
3260 | return 0; |
3261 | } |
3262 | |
3263 | int |
3264 | channel_input_open_confirmation(int type, u_int32_t seq, struct ssh *ssh) |
3265 | { |
3266 | Channel *c = channel_from_packet_id(ssh, __func__, "open confirmation"); |
3267 | u_int32_t remote_window, remote_maxpacket; |
3268 | int r; |
3269 | |
3270 | if (channel_proxy_upstream(c, type, seq, ssh)) |
3271 | return 0; |
3272 | if (c->type != SSH_CHANNEL_OPENING3) |
3273 | ssh_packet_disconnect(ssh, "Received open confirmation for " |
3274 | "non-opening channel %d.", c->self); |
3275 | /* |
3276 | * Record the remote channel number and mark that the channel |
3277 | * is now open. |
3278 | */ |
3279 | if ((r = sshpkt_get_u32(ssh, &c->remote_id)) != 0 || |
3280 | (r = sshpkt_get_u32(ssh, &remote_window)) != 0 || |
3281 | (r = sshpkt_get_u32(ssh, &remote_maxpacket)) != 0 || |
3282 | (r = sshpkt_get_end(ssh)) != 0) { |
3283 | error_fr(r, "window/maxpacket")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3283 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "window/maxpacket"); |
3284 | ssh_packet_disconnect(ssh, "Invalid open confirmation message"); |
3285 | } |
3286 | |
3287 | c->have_remote_id = 1; |
3288 | c->remote_window = remote_window; |
3289 | c->remote_maxpacket = remote_maxpacket; |
3290 | c->type = SSH_CHANNEL_OPEN4; |
3291 | if (c->open_confirm) { |
3292 | debug2_f("channel %d: callback start", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3292 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: callback start" , c->self); |
3293 | c->open_confirm(ssh, c->self, 1, c->open_confirm_ctx); |
3294 | debug2_f("channel %d: callback done", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3294 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: callback done" , c->self); |
3295 | } |
3296 | debug2("channel %d: open confirm rwindow %u rmax %u", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3297 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: open confirm rwindow %u rmax %u" , c->self, c->remote_window, c->remote_maxpacket) |
3297 | c->remote_window, c->remote_maxpacket)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3297 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: open confirm rwindow %u rmax %u" , c->self, c->remote_window, c->remote_maxpacket); |
3298 | return 0; |
3299 | } |
3300 | |
3301 | static char * |
3302 | reason2txt(int reason) |
3303 | { |
3304 | switch (reason) { |
3305 | case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED1: |
3306 | return "administratively prohibited"; |
3307 | case SSH2_OPEN_CONNECT_FAILED2: |
3308 | return "connect failed"; |
3309 | case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE3: |
3310 | return "unknown channel type"; |
3311 | case SSH2_OPEN_RESOURCE_SHORTAGE4: |
3312 | return "resource shortage"; |
3313 | } |
3314 | return "unknown reason"; |
3315 | } |
3316 | |
3317 | int |
3318 | channel_input_open_failure(int type, u_int32_t seq, struct ssh *ssh) |
3319 | { |
3320 | Channel *c = channel_from_packet_id(ssh, __func__, "open failure"); |
3321 | u_int32_t reason; |
3322 | char *msg = NULL((void *)0); |
3323 | int r; |
3324 | |
3325 | if (channel_proxy_upstream(c, type, seq, ssh)) |
3326 | return 0; |
3327 | if (c->type != SSH_CHANNEL_OPENING3) |
3328 | ssh_packet_disconnect(ssh, "Received open failure for " |
3329 | "non-opening channel %d.", c->self); |
3330 | if ((r = sshpkt_get_u32(ssh, &reason)) != 0) { |
3331 | error_fr(r, "parse reason")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3331 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse reason"); |
3332 | ssh_packet_disconnect(ssh, "Invalid open failure message"); |
3333 | } |
3334 | /* skip language */ |
3335 | if ((r = sshpkt_get_cstring(ssh, &msg, NULL((void *)0))) != 0 || |
3336 | (r = sshpkt_get_string_direct(ssh, NULL((void *)0), NULL((void *)0))) != 0 || |
3337 | (r = sshpkt_get_end(ssh)) != 0) { |
3338 | error_fr(r, "parse msg/lang")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3338 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse msg/lang"); |
3339 | ssh_packet_disconnect(ssh, "Invalid open failure message"); |
3340 | } |
3341 | logit("channel %d: open failed: %s%s%s", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3342 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: open failed: %s%s%s" , c->self, reason2txt(reason), msg ? ": ": "", msg ? msg : "") |
3342 | reason2txt(reason), msg ? ": ": "", msg ? msg : "")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3342 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: open failed: %s%s%s" , c->self, reason2txt(reason), msg ? ": ": "", msg ? msg : ""); |
3343 | free(msg); |
3344 | if (c->open_confirm) { |
3345 | debug2_f("channel %d: callback start", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3345 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: callback start" , c->self); |
3346 | c->open_confirm(ssh, c->self, 0, c->open_confirm_ctx); |
3347 | debug2_f("channel %d: callback done", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3347 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: callback done" , c->self); |
3348 | } |
3349 | /* Schedule the channel for cleanup/deletion. */ |
3350 | chan_mark_dead(ssh, c); |
3351 | return 0; |
3352 | } |
3353 | |
3354 | int |
3355 | channel_input_window_adjust(int type, u_int32_t seq, struct ssh *ssh) |
3356 | { |
3357 | int id = channel_parse_id(ssh, __func__, "window adjust"); |
3358 | Channel *c; |
3359 | u_int32_t adjust; |
3360 | u_int new_rwin; |
3361 | int r; |
3362 | |
3363 | if ((c = channel_lookup(ssh, id)) == NULL((void *)0)) { |
3364 | logit("Received window adjust for non-open channel %d.", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3364 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received window adjust for non-open channel %d." , id); |
3365 | return 0; |
3366 | } |
3367 | |
3368 | if (channel_proxy_upstream(c, type, seq, ssh)) |
3369 | return 0; |
3370 | if ((r = sshpkt_get_u32(ssh, &adjust)) != 0 || |
3371 | (r = sshpkt_get_end(ssh)) != 0) { |
3372 | error_fr(r, "parse adjust")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3372 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse adjust"); |
3373 | ssh_packet_disconnect(ssh, "Invalid window adjust message"); |
3374 | } |
3375 | debug2("channel %d: rcvd adjust %u", c->self, adjust)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3375 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: rcvd adjust %u" , c->self, adjust); |
3376 | if ((new_rwin = c->remote_window + adjust) < c->remote_window) { |
3377 | fatal("channel %d: adjust %u overflows remote window %u",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3378 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: adjust %u overflows remote window %u" , c->self, adjust, c->remote_window) |
3378 | c->self, adjust, c->remote_window)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3378 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: adjust %u overflows remote window %u" , c->self, adjust, c->remote_window); |
3379 | } |
3380 | c->remote_window = new_rwin; |
3381 | return 0; |
3382 | } |
3383 | |
3384 | int |
3385 | channel_input_status_confirm(int type, u_int32_t seq, struct ssh *ssh) |
3386 | { |
3387 | int id = channel_parse_id(ssh, __func__, "status confirm"); |
3388 | Channel *c; |
3389 | struct channel_confirm *cc; |
3390 | |
3391 | /* Reset keepalive timeout */ |
3392 | ssh_packet_set_alive_timeouts(ssh, 0); |
3393 | |
3394 | debug2_f("type %d id %d", type, id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3394 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "type %d id %d", type, id); |
3395 | |
3396 | if ((c = channel_lookup(ssh, id)) == NULL((void *)0)) { |
3397 | logit_f("%d: unknown", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3397 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: unknown", id); |
3398 | return 0; |
3399 | } |
3400 | if (channel_proxy_upstream(c, type, seq, ssh)) |
3401 | return 0; |
3402 | if (sshpkt_get_end(ssh) != 0) |
3403 | ssh_packet_disconnect(ssh, "Invalid status confirm message"); |
3404 | if ((cc = TAILQ_FIRST(&c->status_confirms)((&c->status_confirms)->tqh_first)) == NULL((void *)0)) |
3405 | return 0; |
3406 | cc->cb(ssh, type, c, cc->ctx); |
3407 | TAILQ_REMOVE(&c->status_confirms, cc, entry)do { if (((cc)->entry.tqe_next) != ((void *)0)) (cc)->entry .tqe_next->entry.tqe_prev = (cc)->entry.tqe_prev; else ( &c->status_confirms)->tqh_last = (cc)->entry.tqe_prev ; *(cc)->entry.tqe_prev = (cc)->entry.tqe_next; ; ; } while (0); |
3408 | freezero(cc, sizeof(*cc)); |
3409 | return 0; |
3410 | } |
3411 | |
3412 | /* -- tcp forwarding */ |
3413 | |
3414 | void |
3415 | channel_set_af(struct ssh *ssh, int af) |
3416 | { |
3417 | ssh->chanctxt->IPv4or6 = af; |
3418 | } |
3419 | |
3420 | |
3421 | /* |
3422 | * Determine whether or not a port forward listens to loopback, the |
3423 | * specified address or wildcard. On the client, a specified bind |
3424 | * address will always override gateway_ports. On the server, a |
3425 | * gateway_ports of 1 (``yes'') will override the client's specification |
3426 | * and force a wildcard bind, whereas a value of 2 (``clientspecified'') |
3427 | * will bind to whatever address the client asked for. |
3428 | * |
3429 | * Special-case listen_addrs are: |
3430 | * |
3431 | * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR |
3432 | * "" (empty string), "*" -> wildcard v4/v6 |
3433 | * "localhost" -> loopback v4/v6 |
3434 | * "127.0.0.1" / "::1" -> accepted even if gateway_ports isn't set |
3435 | */ |
3436 | static const char * |
3437 | channel_fwd_bind_addr(struct ssh *ssh, const char *listen_addr, int *wildcardp, |
3438 | int is_client, struct ForwardOptions *fwd_opts) |
3439 | { |
3440 | const char *addr = NULL((void *)0); |
3441 | int wildcard = 0; |
3442 | |
3443 | if (listen_addr == NULL((void *)0)) { |
3444 | /* No address specified: default to gateway_ports setting */ |
3445 | if (fwd_opts->gateway_ports) |
3446 | wildcard = 1; |
3447 | } else if (fwd_opts->gateway_ports || is_client) { |
3448 | if (((ssh->compat & SSH_OLD_FORWARD_ADDR0x01000000) && |
3449 | strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) || |
3450 | *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 || |
3451 | (!is_client && fwd_opts->gateway_ports == 1)) { |
3452 | wildcard = 1; |
3453 | /* |
3454 | * Notify client if they requested a specific listen |
3455 | * address and it was overridden. |
3456 | */ |
3457 | if (*listen_addr != '\0' && |
3458 | strcmp(listen_addr, "0.0.0.0") != 0 && |
3459 | strcmp(listen_addr, "*") != 0) { |
3460 | ssh_packet_send_debug(ssh, |
3461 | "Forwarding listen address " |
3462 | "\"%s\" overridden by server " |
3463 | "GatewayPorts", listen_addr); |
3464 | } |
3465 | } else if (strcmp(listen_addr, "localhost") != 0 || |
3466 | strcmp(listen_addr, "127.0.0.1") == 0 || |
3467 | strcmp(listen_addr, "::1") == 0) { |
3468 | /* |
3469 | * Accept explicit localhost address when |
3470 | * GatewayPorts=yes. The "localhost" hostname is |
3471 | * deliberately skipped here so it will listen on all |
3472 | * available local address families. |
3473 | */ |
3474 | addr = listen_addr; |
3475 | } |
3476 | } else if (strcmp(listen_addr, "127.0.0.1") == 0 || |
3477 | strcmp(listen_addr, "::1") == 0) { |
3478 | /* |
3479 | * If a specific IPv4/IPv6 localhost address has been |
3480 | * requested then accept it even if gateway_ports is in |
3481 | * effect. This allows the client to prefer IPv4 or IPv6. |
3482 | */ |
3483 | addr = listen_addr; |
3484 | } |
3485 | if (wildcardp != NULL((void *)0)) |
3486 | *wildcardp = wildcard; |
3487 | return addr; |
3488 | } |
3489 | |
3490 | static int |
3491 | channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type, |
3492 | struct Forward *fwd, int *allocated_listen_port, |
3493 | struct ForwardOptions *fwd_opts) |
3494 | { |
3495 | Channel *c; |
3496 | int sock, r, success = 0, wildcard = 0, is_client; |
3497 | struct addrinfo hints, *ai, *aitop; |
3498 | const char *host, *addr; |
3499 | char ntop[NI_MAXHOST256], strport[NI_MAXSERV32]; |
3500 | in_port_t *lport_p; |
3501 | |
3502 | is_client = (type == SSH_CHANNEL_PORT_LISTENER2); |
3503 | |
3504 | if (is_client && fwd->connect_path != NULL((void *)0)) { |
3505 | host = fwd->connect_path; |
3506 | } else { |
3507 | host = (type == SSH_CHANNEL_RPORT_LISTENER11) ? |
3508 | fwd->listen_host : fwd->connect_host; |
3509 | if (host == NULL((void *)0)) { |
3510 | error("No forward host name.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3510 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "No forward host name." ); |
3511 | return 0; |
3512 | } |
3513 | if (strlen(host) >= NI_MAXHOST256) { |
3514 | error("Forward host name too long.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3514 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Forward host name too long." ); |
3515 | return 0; |
3516 | } |
3517 | } |
3518 | |
3519 | /* Determine the bind address, cf. channel_fwd_bind_addr() comment */ |
3520 | addr = channel_fwd_bind_addr(ssh, fwd->listen_host, &wildcard, |
3521 | is_client, fwd_opts); |
3522 | debug3_f("type %d wildcard %d addr %s", type, wildcard,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3523 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "type %d wildcard %d addr %s" , type, wildcard, (addr == ((void *)0)) ? "NULL" : addr) |
3523 | (addr == NULL) ? "NULL" : addr)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3523 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "type %d wildcard %d addr %s" , type, wildcard, (addr == ((void *)0)) ? "NULL" : addr); |
3524 | |
3525 | /* |
3526 | * getaddrinfo returns a loopback address if the hostname is |
3527 | * set to NULL and hints.ai_flags is not AI_PASSIVE |
3528 | */ |
3529 | memset(&hints, 0, sizeof(hints)); |
3530 | hints.ai_family = ssh->chanctxt->IPv4or6; |
3531 | hints.ai_flags = wildcard ? AI_PASSIVE1 : 0; |
3532 | hints.ai_socktype = SOCK_STREAM1; |
3533 | snprintf(strport, sizeof strport, "%d", fwd->listen_port); |
3534 | if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) { |
3535 | if (addr == NULL((void *)0)) { |
3536 | /* This really shouldn't happen */ |
3537 | ssh_packet_disconnect(ssh, "getaddrinfo: fatal error: %s", |
3538 | ssh_gai_strerror(r)); |
3539 | } else { |
3540 | error_f("getaddrinfo(%.64s): %s", addr,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3541 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "getaddrinfo(%.64s): %s" , addr, ssh_gai_strerror(r)) |
3541 | ssh_gai_strerror(r))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3541 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "getaddrinfo(%.64s): %s" , addr, ssh_gai_strerror(r)); |
3542 | } |
3543 | return 0; |
3544 | } |
3545 | if (allocated_listen_port != NULL((void *)0)) |
3546 | *allocated_listen_port = 0; |
3547 | for (ai = aitop; ai; ai = ai->ai_next) { |
3548 | switch (ai->ai_family) { |
3549 | case AF_INET2: |
3550 | lport_p = &((struct sockaddr_in *)ai->ai_addr)-> |
3551 | sin_port; |
3552 | break; |
3553 | case AF_INET624: |
3554 | lport_p = &((struct sockaddr_in6 *)ai->ai_addr)-> |
3555 | sin6_port; |
3556 | break; |
3557 | default: |
3558 | continue; |
3559 | } |
3560 | /* |
3561 | * If allocating a port for -R forwards, then use the |
3562 | * same port for all address families. |
3563 | */ |
3564 | if (type == SSH_CHANNEL_RPORT_LISTENER11 && |
3565 | fwd->listen_port == 0 && allocated_listen_port != NULL((void *)0) && |
3566 | *allocated_listen_port > 0) |
3567 | *lport_p = htons(*allocated_listen_port)(__uint16_t)(__builtin_constant_p(*allocated_listen_port) ? ( __uint16_t)(((__uint16_t)(*allocated_listen_port) & 0xffU ) << 8 | ((__uint16_t)(*allocated_listen_port) & 0xff00U ) >> 8) : __swap16md(*allocated_listen_port)); |
3568 | |
3569 | if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), |
3570 | strport, sizeof(strport), |
3571 | NI_NUMERICHOST1|NI_NUMERICSERV2) != 0) { |
3572 | error_f("getnameinfo failed")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3572 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "getnameinfo failed"); |
3573 | continue; |
3574 | } |
3575 | /* Create a port to listen for the host. */ |
3576 | sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); |
3577 | if (sock == -1) { |
3578 | /* this is no error since kernel may not support ipv6 */ |
3579 | verbose("socket [%s]:%s: %.100s", ntop, strport,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3580 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "socket [%s]:%s: %.100s" , ntop, strport, strerror((*__errno()))) |
3580 | strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3580 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "socket [%s]:%s: %.100s" , ntop, strport, strerror((*__errno()))); |
3581 | continue; |
3582 | } |
3583 | |
3584 | set_reuseaddr(sock); |
3585 | |
3586 | debug("Local forwarding listening on %s port %s.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3587 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Local forwarding listening on %s port %s." , ntop, strport) |
3587 | ntop, strport)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3587 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Local forwarding listening on %s port %s." , ntop, strport); |
3588 | |
3589 | /* Bind the socket to the address. */ |
3590 | if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) { |
3591 | /* |
3592 | * address can be in if use ipv6 address is |
3593 | * already bound |
3594 | */ |
3595 | verbose("bind [%s]:%s: %.100s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3596 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "bind [%s]:%s: %.100s" , ntop, strport, strerror((*__errno()))) |
3596 | ntop, strport, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3596 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "bind [%s]:%s: %.100s" , ntop, strport, strerror((*__errno()))); |
3597 | close(sock); |
3598 | continue; |
3599 | } |
3600 | /* Start listening for connections on the socket. */ |
3601 | if (listen(sock, SSH_LISTEN_BACKLOG128) == -1) { |
3602 | error("listen [%s]:%s: %.100s", ntop, strport,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3603 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "listen [%s]:%s: %.100s" , ntop, strport, strerror((*__errno()))) |
3603 | strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3603 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "listen [%s]:%s: %.100s" , ntop, strport, strerror((*__errno()))); |
3604 | close(sock); |
3605 | continue; |
3606 | } |
3607 | |
3608 | /* |
3609 | * fwd->listen_port == 0 requests a dynamically allocated port - |
3610 | * record what we got. |
3611 | */ |
3612 | if (type == SSH_CHANNEL_RPORT_LISTENER11 && |
3613 | fwd->listen_port == 0 && |
3614 | allocated_listen_port != NULL((void *)0) && |
3615 | *allocated_listen_port == 0) { |
3616 | *allocated_listen_port = get_local_port(sock); |
3617 | debug("Allocated listen port %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3618 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Allocated listen port %d" , *allocated_listen_port) |
3618 | *allocated_listen_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3618 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Allocated listen port %d" , *allocated_listen_port); |
3619 | } |
3620 | |
3621 | /* Allocate a channel number for the socket. */ |
3622 | c = channel_new(ssh, "port listener", type, sock, sock, -1, |
3623 | CHAN_TCP_WINDOW_DEFAULT(64*(32*1024)), CHAN_TCP_PACKET_DEFAULT(32*1024), |
3624 | 0, "port listener", 1); |
3625 | c->path = xstrdup(host); |
3626 | c->host_port = fwd->connect_port; |
3627 | c->listening_addr = addr == NULL((void *)0) ? NULL((void *)0) : xstrdup(addr); |
3628 | if (fwd->listen_port == 0 && allocated_listen_port != NULL((void *)0) && |
3629 | !(ssh->compat & SSH_BUG_DYNAMIC_RPORT0x08000000)) |
3630 | c->listening_port = *allocated_listen_port; |
3631 | else |
3632 | c->listening_port = fwd->listen_port; |
3633 | success = 1; |
3634 | } |
3635 | if (success == 0) |
3636 | error_f("cannot listen to port: %d", fwd->listen_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3636 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "cannot listen to port: %d" , fwd->listen_port); |
3637 | freeaddrinfo(aitop); |
3638 | return success; |
3639 | } |
3640 | |
3641 | static int |
3642 | channel_setup_fwd_listener_streamlocal(struct ssh *ssh, int type, |
3643 | struct Forward *fwd, struct ForwardOptions *fwd_opts) |
3644 | { |
3645 | struct sockaddr_un sunaddr; |
3646 | const char *path; |
3647 | Channel *c; |
3648 | int port, sock; |
3649 | mode_t omask; |
3650 | |
3651 | switch (type) { |
3652 | case SSH_CHANNEL_UNIX_LISTENER18: |
3653 | if (fwd->connect_path != NULL((void *)0)) { |
3654 | if (strlen(fwd->connect_path) > sizeof(sunaddr.sun_path)) { |
3655 | error("Local connecting path too long: %s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3656 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Local connecting path too long: %s" , fwd->connect_path) |
3656 | fwd->connect_path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3656 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Local connecting path too long: %s" , fwd->connect_path); |
3657 | return 0; |
3658 | } |
3659 | path = fwd->connect_path; |
3660 | port = PORT_STREAMLOCAL-2; |
3661 | } else { |
3662 | if (fwd->connect_host == NULL((void *)0)) { |
3663 | error("No forward host name.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3663 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "No forward host name." ); |
3664 | return 0; |
3665 | } |
3666 | if (strlen(fwd->connect_host) >= NI_MAXHOST256) { |
3667 | error("Forward host name too long.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3667 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Forward host name too long." ); |
3668 | return 0; |
3669 | } |
3670 | path = fwd->connect_host; |
3671 | port = fwd->connect_port; |
3672 | } |
3673 | break; |
3674 | case SSH_CHANNEL_RUNIX_LISTENER19: |
3675 | path = fwd->listen_path; |
3676 | port = PORT_STREAMLOCAL-2; |
3677 | break; |
3678 | default: |
3679 | error_f("unexpected channel type %d", type)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3679 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "unexpected channel type %d" , type); |
3680 | return 0; |
3681 | } |
3682 | |
3683 | if (fwd->listen_path == NULL((void *)0)) { |
3684 | error("No forward path name.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3684 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "No forward path name." ); |
3685 | return 0; |
3686 | } |
3687 | if (strlen(fwd->listen_path) > sizeof(sunaddr.sun_path)) { |
3688 | error("Local listening path too long: %s", fwd->listen_path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3688 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Local listening path too long: %s" , fwd->listen_path); |
3689 | return 0; |
3690 | } |
3691 | |
3692 | debug3_f("type %d path %s", type, fwd->listen_path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3692 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "type %d path %s", type , fwd->listen_path); |
3693 | |
3694 | /* Start a Unix domain listener. */ |
3695 | omask = umask(fwd_opts->streamlocal_bind_mask); |
3696 | sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG128, |
3697 | fwd_opts->streamlocal_bind_unlink); |
3698 | umask(omask); |
3699 | if (sock < 0) |
3700 | return 0; |
3701 | |
3702 | debug("Local forwarding listening on path %s.", fwd->listen_path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3702 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Local forwarding listening on path %s." , fwd->listen_path); |
3703 | |
3704 | /* Allocate a channel number for the socket. */ |
3705 | c = channel_new(ssh, "unix listener", type, sock, sock, -1, |
3706 | CHAN_TCP_WINDOW_DEFAULT(64*(32*1024)), CHAN_TCP_PACKET_DEFAULT(32*1024), |
3707 | 0, "unix listener", 1); |
3708 | c->path = xstrdup(path); |
3709 | c->host_port = port; |
3710 | c->listening_port = PORT_STREAMLOCAL-2; |
3711 | c->listening_addr = xstrdup(fwd->listen_path); |
3712 | return 1; |
3713 | } |
3714 | |
3715 | static int |
3716 | channel_cancel_rport_listener_tcpip(struct ssh *ssh, |
3717 | const char *host, u_short port) |
3718 | { |
3719 | u_int i; |
3720 | int found = 0; |
3721 | |
3722 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
3723 | Channel *c = ssh->chanctxt->channels[i]; |
3724 | if (c == NULL((void *)0) || c->type != SSH_CHANNEL_RPORT_LISTENER11) |
3725 | continue; |
3726 | if (strcmp(c->path, host) == 0 && c->listening_port == port) { |
3727 | debug2_f("close channel %d", i)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3727 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "close channel %d", i); |
3728 | channel_free(ssh, c); |
3729 | found = 1; |
3730 | } |
3731 | } |
3732 | |
3733 | return found; |
3734 | } |
3735 | |
3736 | static int |
3737 | channel_cancel_rport_listener_streamlocal(struct ssh *ssh, const char *path) |
3738 | { |
3739 | u_int i; |
3740 | int found = 0; |
3741 | |
3742 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
3743 | Channel *c = ssh->chanctxt->channels[i]; |
3744 | if (c == NULL((void *)0) || c->type != SSH_CHANNEL_RUNIX_LISTENER19) |
3745 | continue; |
3746 | if (c->path == NULL((void *)0)) |
3747 | continue; |
3748 | if (strcmp(c->path, path) == 0) { |
3749 | debug2_f("close channel %d", i)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3749 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "close channel %d", i); |
3750 | channel_free(ssh, c); |
3751 | found = 1; |
3752 | } |
3753 | } |
3754 | |
3755 | return found; |
3756 | } |
3757 | |
3758 | int |
3759 | channel_cancel_rport_listener(struct ssh *ssh, struct Forward *fwd) |
3760 | { |
3761 | if (fwd->listen_path != NULL((void *)0)) { |
3762 | return channel_cancel_rport_listener_streamlocal(ssh, |
3763 | fwd->listen_path); |
3764 | } else { |
3765 | return channel_cancel_rport_listener_tcpip(ssh, |
3766 | fwd->listen_host, fwd->listen_port); |
3767 | } |
3768 | } |
3769 | |
3770 | static int |
3771 | channel_cancel_lport_listener_tcpip(struct ssh *ssh, |
3772 | const char *lhost, u_short lport, int cport, |
3773 | struct ForwardOptions *fwd_opts) |
3774 | { |
3775 | u_int i; |
3776 | int found = 0; |
3777 | const char *addr = channel_fwd_bind_addr(ssh, lhost, NULL((void *)0), 1, fwd_opts); |
3778 | |
3779 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
3780 | Channel *c = ssh->chanctxt->channels[i]; |
3781 | if (c == NULL((void *)0) || c->type != SSH_CHANNEL_PORT_LISTENER2) |
3782 | continue; |
3783 | if (c->listening_port != lport) |
3784 | continue; |
3785 | if (cport == CHANNEL_CANCEL_PORT_STATIC-1) { |
3786 | /* skip dynamic forwardings */ |
3787 | if (c->host_port == 0) |
3788 | continue; |
3789 | } else { |
3790 | if (c->host_port != cport) |
3791 | continue; |
3792 | } |
3793 | if ((c->listening_addr == NULL((void *)0) && addr != NULL((void *)0)) || |
3794 | (c->listening_addr != NULL((void *)0) && addr == NULL((void *)0))) |
3795 | continue; |
3796 | if (addr == NULL((void *)0) || strcmp(c->listening_addr, addr) == 0) { |
3797 | debug2_f("close channel %d", i)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3797 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "close channel %d", i); |
3798 | channel_free(ssh, c); |
3799 | found = 1; |
3800 | } |
3801 | } |
3802 | |
3803 | return found; |
3804 | } |
3805 | |
3806 | static int |
3807 | channel_cancel_lport_listener_streamlocal(struct ssh *ssh, const char *path) |
3808 | { |
3809 | u_int i; |
3810 | int found = 0; |
3811 | |
3812 | if (path == NULL((void *)0)) { |
3813 | error_f("no path specified.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3813 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "no path specified."); |
3814 | return 0; |
3815 | } |
3816 | |
3817 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
3818 | Channel *c = ssh->chanctxt->channels[i]; |
3819 | if (c == NULL((void *)0) || c->type != SSH_CHANNEL_UNIX_LISTENER18) |
3820 | continue; |
3821 | if (c->listening_addr == NULL((void *)0)) |
3822 | continue; |
3823 | if (strcmp(c->listening_addr, path) == 0) { |
3824 | debug2_f("close channel %d", i)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3824 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "close channel %d", i); |
3825 | channel_free(ssh, c); |
3826 | found = 1; |
3827 | } |
3828 | } |
3829 | |
3830 | return found; |
3831 | } |
3832 | |
3833 | int |
3834 | channel_cancel_lport_listener(struct ssh *ssh, |
3835 | struct Forward *fwd, int cport, struct ForwardOptions *fwd_opts) |
3836 | { |
3837 | if (fwd->listen_path != NULL((void *)0)) { |
3838 | return channel_cancel_lport_listener_streamlocal(ssh, |
3839 | fwd->listen_path); |
3840 | } else { |
3841 | return channel_cancel_lport_listener_tcpip(ssh, |
3842 | fwd->listen_host, fwd->listen_port, cport, fwd_opts); |
3843 | } |
3844 | } |
3845 | |
3846 | /* protocol local port fwd, used by ssh */ |
3847 | int |
3848 | channel_setup_local_fwd_listener(struct ssh *ssh, |
3849 | struct Forward *fwd, struct ForwardOptions *fwd_opts) |
3850 | { |
3851 | if (fwd->listen_path != NULL((void *)0)) { |
3852 | return channel_setup_fwd_listener_streamlocal(ssh, |
3853 | SSH_CHANNEL_UNIX_LISTENER18, fwd, fwd_opts); |
3854 | } else { |
3855 | return channel_setup_fwd_listener_tcpip(ssh, |
3856 | SSH_CHANNEL_PORT_LISTENER2, fwd, NULL((void *)0), fwd_opts); |
3857 | } |
3858 | } |
3859 | |
3860 | /* Matches a remote forwarding permission against a requested forwarding */ |
3861 | static int |
3862 | remote_open_match(struct permission *allowed_open, struct Forward *fwd) |
3863 | { |
3864 | int ret; |
3865 | char *lhost; |
3866 | |
3867 | /* XXX add ACLs for streamlocal */ |
3868 | if (fwd->listen_path != NULL((void *)0)) |
3869 | return 1; |
3870 | |
3871 | if (fwd->listen_host == NULL((void *)0) || allowed_open->listen_host == NULL((void *)0)) |
3872 | return 0; |
3873 | |
3874 | if (allowed_open->listen_port != FWD_PERMIT_ANY_PORT0 && |
3875 | allowed_open->listen_port != fwd->listen_port) |
3876 | return 0; |
3877 | |
3878 | /* Match hostnames case-insensitively */ |
3879 | lhost = xstrdup(fwd->listen_host); |
3880 | lowercase(lhost); |
3881 | ret = match_pattern(lhost, allowed_open->listen_host); |
3882 | free(lhost); |
3883 | |
3884 | return ret; |
3885 | } |
3886 | |
3887 | /* Checks whether a requested remote forwarding is permitted */ |
3888 | static int |
3889 | check_rfwd_permission(struct ssh *ssh, struct Forward *fwd) |
3890 | { |
3891 | struct ssh_channels *sc = ssh->chanctxt; |
3892 | struct permission_set *pset = &sc->remote_perms; |
3893 | u_int i, permit, permit_adm = 1; |
3894 | struct permission *perm; |
3895 | |
3896 | /* XXX apply GatewayPorts override before checking? */ |
3897 | |
3898 | permit = pset->all_permitted; |
3899 | if (!permit) { |
3900 | for (i = 0; i < pset->num_permitted_user; i++) { |
3901 | perm = &pset->permitted_user[i]; |
3902 | if (remote_open_match(perm, fwd)) { |
3903 | permit = 1; |
3904 | break; |
3905 | } |
3906 | } |
3907 | } |
3908 | |
3909 | if (pset->num_permitted_admin > 0) { |
3910 | permit_adm = 0; |
3911 | for (i = 0; i < pset->num_permitted_admin; i++) { |
3912 | perm = &pset->permitted_admin[i]; |
3913 | if (remote_open_match(perm, fwd)) { |
3914 | permit_adm = 1; |
3915 | break; |
3916 | } |
3917 | } |
3918 | } |
3919 | |
3920 | return permit && permit_adm; |
3921 | } |
3922 | |
3923 | /* protocol v2 remote port fwd, used by sshd */ |
3924 | int |
3925 | channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd, |
3926 | int *allocated_listen_port, struct ForwardOptions *fwd_opts) |
3927 | { |
3928 | if (!check_rfwd_permission(ssh, fwd)) { |
3929 | ssh_packet_send_debug(ssh, "port forwarding refused"); |
3930 | if (fwd->listen_path != NULL((void *)0)) |
3931 | /* XXX always allowed, see remote_open_match() */ |
3932 | logit("Received request from %.100s port %d to "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3936 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to path \"%.100s\", " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_path ) |
3933 | "remote forward to path \"%.100s\", "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3936 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to path \"%.100s\", " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_path ) |
3934 | "but the request was denied.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3936 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to path \"%.100s\", " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_path ) |
3935 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3936 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to path \"%.100s\", " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_path ) |
3936 | fwd->listen_path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3936 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to path \"%.100s\", " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_path ); |
3937 | else if(fwd->listen_host != NULL((void *)0)) |
3938 | logit("Received request from %.100s port %d to "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3942 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to host %.100s port %d, " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_host , fwd->listen_port) |
3939 | "remote forward to host %.100s port %d, "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3942 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to host %.100s port %d, " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_host , fwd->listen_port) |
3940 | "but the request was denied.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3942 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to host %.100s port %d, " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_host , fwd->listen_port) |
3941 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3942 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to host %.100s port %d, " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_host , fwd->listen_port) |
3942 | fwd->listen_host, fwd->listen_port )sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3942 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to host %.100s port %d, " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_host , fwd->listen_port); |
3943 | else |
3944 | logit("Received request from %.100s port %d to remote "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3946 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to remote " "forward, but the request was denied.", ssh_remote_ipaddr(ssh ), ssh_remote_port(ssh)) |
3945 | "forward, but the request was denied.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3946 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to remote " "forward, but the request was denied.", ssh_remote_ipaddr(ssh ), ssh_remote_port(ssh)) |
3946 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3946 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to remote " "forward, but the request was denied.", ssh_remote_ipaddr(ssh ), ssh_remote_port(ssh)); |
3947 | return 0; |
3948 | } |
3949 | if (fwd->listen_path != NULL((void *)0)) { |
3950 | return channel_setup_fwd_listener_streamlocal(ssh, |
3951 | SSH_CHANNEL_RUNIX_LISTENER19, fwd, fwd_opts); |
3952 | } else { |
3953 | return channel_setup_fwd_listener_tcpip(ssh, |
3954 | SSH_CHANNEL_RPORT_LISTENER11, fwd, allocated_listen_port, |
3955 | fwd_opts); |
3956 | } |
3957 | } |
3958 | |
3959 | /* |
3960 | * Translate the requested rfwd listen host to something usable for |
3961 | * this server. |
3962 | */ |
3963 | static const char * |
3964 | channel_rfwd_bind_host(const char *listen_host) |
3965 | { |
3966 | if (listen_host == NULL((void *)0)) { |
3967 | return "localhost"; |
3968 | } else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) { |
3969 | return ""; |
3970 | } else |
3971 | return listen_host; |
3972 | } |
3973 | |
3974 | /* |
3975 | * Initiate forwarding of connections to port "port" on remote host through |
3976 | * the secure channel to host:port from local side. |
3977 | * Returns handle (index) for updating the dynamic listen port with |
3978 | * channel_update_permission(). |
3979 | */ |
3980 | int |
3981 | channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd) |
3982 | { |
3983 | int r, success = 0, idx = -1; |
3984 | char *host_to_connect, *listen_host, *listen_path; |
3985 | int port_to_connect, listen_port; |
3986 | |
3987 | /* Send the forward request to the remote side. */ |
3988 | if (fwd->listen_path != NULL((void *)0)) { |
3989 | if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 || |
3990 | (r = sshpkt_put_cstring(ssh, |
3991 | "streamlocal-forward@openssh.com")) != 0 || |
3992 | (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */ |
3993 | (r = sshpkt_put_cstring(ssh, fwd->listen_path)) != 0 || |
3994 | (r = sshpkt_send(ssh)) != 0 || |
3995 | (r = ssh_packet_write_wait(ssh)) != 0) |
3996 | fatal_fr(r, "request streamlocal")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3996 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "request streamlocal"); |
3997 | } else { |
3998 | if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 || |
3999 | (r = sshpkt_put_cstring(ssh, "tcpip-forward")) != 0 || |
4000 | (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */ |
4001 | (r = sshpkt_put_cstring(ssh, |
4002 | channel_rfwd_bind_host(fwd->listen_host))) != 0 || |
4003 | (r = sshpkt_put_u32(ssh, fwd->listen_port)) != 0 || |
4004 | (r = sshpkt_send(ssh)) != 0 || |
4005 | (r = ssh_packet_write_wait(ssh)) != 0) |
4006 | fatal_fr(r, "request tcpip-forward")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4006 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "request tcpip-forward"); |
4007 | } |
4008 | /* Assume that server accepts the request */ |
4009 | success = 1; |
4010 | if (success) { |
4011 | /* Record that connection to this host/port is permitted. */ |
4012 | host_to_connect = listen_host = listen_path = NULL((void *)0); |
4013 | port_to_connect = listen_port = 0; |
Value stored to 'port_to_connect' is never read | |
4014 | if (fwd->connect_path != NULL((void *)0)) { |
4015 | host_to_connect = xstrdup(fwd->connect_path); |
4016 | port_to_connect = PORT_STREAMLOCAL-2; |
4017 | } else { |
4018 | host_to_connect = xstrdup(fwd->connect_host); |
4019 | port_to_connect = fwd->connect_port; |
4020 | } |
4021 | if (fwd->listen_path != NULL((void *)0)) { |
4022 | listen_path = xstrdup(fwd->listen_path); |
4023 | listen_port = PORT_STREAMLOCAL-2; |
4024 | } else { |
4025 | if (fwd->listen_host != NULL((void *)0)) |
4026 | listen_host = xstrdup(fwd->listen_host); |
4027 | listen_port = fwd->listen_port; |
4028 | } |
4029 | idx = permission_set_add(ssh, FORWARD_USER0x101, FORWARD_LOCAL(1<<1), |
4030 | host_to_connect, port_to_connect, |
4031 | listen_host, listen_path, listen_port, NULL((void *)0)); |
4032 | } |
4033 | return idx; |
4034 | } |
4035 | |
4036 | static int |
4037 | open_match(struct permission *allowed_open, const char *requestedhost, |
4038 | int requestedport) |
4039 | { |
4040 | if (allowed_open->host_to_connect == NULL((void *)0)) |
4041 | return 0; |
4042 | if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT0 && |
4043 | allowed_open->port_to_connect != requestedport) |
4044 | return 0; |
4045 | if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST"*") != 0 && |
4046 | strcmp(allowed_open->host_to_connect, requestedhost) != 0) |
4047 | return 0; |
4048 | return 1; |
4049 | } |
4050 | |
4051 | /* |
4052 | * Note that in the listen host/port case |
4053 | * we don't support FWD_PERMIT_ANY_PORT and |
4054 | * need to translate between the configured-host (listen_host) |
4055 | * and what we've sent to the remote server (channel_rfwd_bind_host) |
4056 | */ |
4057 | static int |
4058 | open_listen_match_tcpip(struct permission *allowed_open, |
4059 | const char *requestedhost, u_short requestedport, int translate) |
4060 | { |
4061 | const char *allowed_host; |
4062 | |
4063 | if (allowed_open->host_to_connect == NULL((void *)0)) |
4064 | return 0; |
4065 | if (allowed_open->listen_port != requestedport) |
4066 | return 0; |
4067 | if (!translate && allowed_open->listen_host == NULL((void *)0) && |
4068 | requestedhost == NULL((void *)0)) |
4069 | return 1; |
4070 | allowed_host = translate ? |
4071 | channel_rfwd_bind_host(allowed_open->listen_host) : |
4072 | allowed_open->listen_host; |
4073 | if (allowed_host == NULL((void *)0) || requestedhost == NULL((void *)0) || |
4074 | strcmp(allowed_host, requestedhost) != 0) |
4075 | return 0; |
4076 | return 1; |
4077 | } |
4078 | |
4079 | static int |
4080 | open_listen_match_streamlocal(struct permission *allowed_open, |
4081 | const char *requestedpath) |
4082 | { |
4083 | if (allowed_open->host_to_connect == NULL((void *)0)) |
4084 | return 0; |
4085 | if (allowed_open->listen_port != PORT_STREAMLOCAL-2) |
4086 | return 0; |
4087 | if (allowed_open->listen_path == NULL((void *)0) || |
4088 | strcmp(allowed_open->listen_path, requestedpath) != 0) |
4089 | return 0; |
4090 | return 1; |
4091 | } |
4092 | |
4093 | /* |
4094 | * Request cancellation of remote forwarding of connection host:port from |
4095 | * local side. |
4096 | */ |
4097 | static int |
4098 | channel_request_rforward_cancel_tcpip(struct ssh *ssh, |
4099 | const char *host, u_short port) |
4100 | { |
4101 | struct ssh_channels *sc = ssh->chanctxt; |
4102 | struct permission_set *pset = &sc->local_perms; |
4103 | int r; |
4104 | u_int i; |
4105 | struct permission *perm = NULL((void *)0); |
4106 | |
4107 | for (i = 0; i < pset->num_permitted_user; i++) { |
4108 | perm = &pset->permitted_user[i]; |
4109 | if (open_listen_match_tcpip(perm, host, port, 0)) |
4110 | break; |
4111 | perm = NULL((void *)0); |
4112 | } |
4113 | if (perm == NULL((void *)0)) { |
4114 | debug_f("requested forward not found")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4114 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "requested forward not found" ); |
4115 | return -1; |
4116 | } |
4117 | if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 || |
4118 | (r = sshpkt_put_cstring(ssh, "cancel-tcpip-forward")) != 0 || |
4119 | (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */ |
4120 | (r = sshpkt_put_cstring(ssh, channel_rfwd_bind_host(host))) != 0 || |
4121 | (r = sshpkt_put_u32(ssh, port)) != 0 || |
4122 | (r = sshpkt_send(ssh)) != 0) |
4123 | fatal_fr(r, "send cancel")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4123 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "send cancel"); |
4124 | |
4125 | fwd_perm_clear(perm); /* unregister */ |
4126 | |
4127 | return 0; |
4128 | } |
4129 | |
4130 | /* |
4131 | * Request cancellation of remote forwarding of Unix domain socket |
4132 | * path from local side. |
4133 | */ |
4134 | static int |
4135 | channel_request_rforward_cancel_streamlocal(struct ssh *ssh, const char *path) |
4136 | { |
4137 | struct ssh_channels *sc = ssh->chanctxt; |
4138 | struct permission_set *pset = &sc->local_perms; |
4139 | int r; |
4140 | u_int i; |
4141 | struct permission *perm = NULL((void *)0); |
4142 | |
4143 | for (i = 0; i < pset->num_permitted_user; i++) { |
4144 | perm = &pset->permitted_user[i]; |
4145 | if (open_listen_match_streamlocal(perm, path)) |
4146 | break; |
4147 | perm = NULL((void *)0); |
4148 | } |
4149 | if (perm == NULL((void *)0)) { |
4150 | debug_f("requested forward not found")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4150 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "requested forward not found" ); |
4151 | return -1; |
4152 | } |
4153 | if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 || |
4154 | (r = sshpkt_put_cstring(ssh, |
4155 | "cancel-streamlocal-forward@openssh.com")) != 0 || |
4156 | (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */ |
4157 | (r = sshpkt_put_cstring(ssh, path)) != 0 || |
4158 | (r = sshpkt_send(ssh)) != 0) |
4159 | fatal_fr(r, "send cancel")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4159 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "send cancel"); |
4160 | |
4161 | fwd_perm_clear(perm); /* unregister */ |
4162 | |
4163 | return 0; |
4164 | } |
4165 | |
4166 | /* |
4167 | * Request cancellation of remote forwarding of a connection from local side. |
4168 | */ |
4169 | int |
4170 | channel_request_rforward_cancel(struct ssh *ssh, struct Forward *fwd) |
4171 | { |
4172 | if (fwd->listen_path != NULL((void *)0)) { |
4173 | return channel_request_rforward_cancel_streamlocal(ssh, |
4174 | fwd->listen_path); |
4175 | } else { |
4176 | return channel_request_rforward_cancel_tcpip(ssh, |
4177 | fwd->listen_host, |
4178 | fwd->listen_port ? fwd->listen_port : fwd->allocated_port); |
4179 | } |
4180 | } |
4181 | |
4182 | /* |
4183 | * Permits opening to any host/port if permitted_user[] is empty. This is |
4184 | * usually called by the server, because the user could connect to any port |
4185 | * anyway, and the server has no way to know but to trust the client anyway. |
4186 | */ |
4187 | void |
4188 | channel_permit_all(struct ssh *ssh, int where) |
4189 | { |
4190 | struct permission_set *pset = permission_set_get(ssh, where); |
4191 | |
4192 | if (pset->num_permitted_user == 0) |
4193 | pset->all_permitted = 1; |
4194 | } |
4195 | |
4196 | /* |
4197 | * Permit the specified host/port for forwarding. |
4198 | */ |
4199 | void |
4200 | channel_add_permission(struct ssh *ssh, int who, int where, |
4201 | char *host, int port) |
4202 | { |
4203 | int local = where == FORWARD_LOCAL(1<<1); |
4204 | struct permission_set *pset = permission_set_get(ssh, where); |
4205 | |
4206 | debug("allow %s forwarding to host %s port %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4207 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "allow %s forwarding to host %s port %d" , fwd_ident(who, where), host, port) |
4207 | fwd_ident(who, where), host, port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4207 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "allow %s forwarding to host %s port %d" , fwd_ident(who, where), host, port); |
4208 | /* |
4209 | * Remote forwards set listen_host/port, local forwards set |
4210 | * host/port_to_connect. |
4211 | */ |
4212 | permission_set_add(ssh, who, where, |
4213 | local ? host : 0, local ? port : 0, |
4214 | local ? NULL((void *)0) : host, NULL((void *)0), local ? 0 : port, NULL((void *)0)); |
4215 | pset->all_permitted = 0; |
4216 | } |
4217 | |
4218 | /* |
4219 | * Administratively disable forwarding. |
4220 | */ |
4221 | void |
4222 | channel_disable_admin(struct ssh *ssh, int where) |
4223 | { |
4224 | channel_clear_permission(ssh, FORWARD_ADM0x100, where); |
4225 | permission_set_add(ssh, FORWARD_ADM0x100, where, |
4226 | NULL((void *)0), 0, NULL((void *)0), NULL((void *)0), 0, NULL((void *)0)); |
4227 | } |
4228 | |
4229 | /* |
4230 | * Clear a list of permitted opens. |
4231 | */ |
4232 | void |
4233 | channel_clear_permission(struct ssh *ssh, int who, int where) |
4234 | { |
4235 | struct permission **permp; |
4236 | u_int *npermp; |
4237 | |
4238 | permission_set_get_array(ssh, who, where, &permp, &npermp); |
4239 | *permp = xrecallocarray(*permp, *npermp, 0, sizeof(**permp)); |
4240 | *npermp = 0; |
4241 | } |
4242 | |
4243 | /* |
4244 | * Update the listen port for a dynamic remote forward, after |
4245 | * the actual 'newport' has been allocated. If 'newport' < 0 is |
4246 | * passed then they entry will be invalidated. |
4247 | */ |
4248 | void |
4249 | channel_update_permission(struct ssh *ssh, int idx, int newport) |
4250 | { |
4251 | struct permission_set *pset = &ssh->chanctxt->local_perms; |
4252 | |
4253 | if (idx < 0 || (u_int)idx >= pset->num_permitted_user) { |
4254 | debug_f("index out of range: %d num_permitted_user %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4255 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "index out of range: %d num_permitted_user %d" , idx, pset->num_permitted_user) |
4255 | idx, pset->num_permitted_user)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4255 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "index out of range: %d num_permitted_user %d" , idx, pset->num_permitted_user); |
4256 | return; |
4257 | } |
4258 | debug("%s allowed port %d for forwarding to host %s port %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4262 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s allowed port %d for forwarding to host %s port %d" , newport > 0 ? "Updating" : "Removing", newport, pset-> permitted_user[idx].host_to_connect, pset->permitted_user[ idx].port_to_connect) |
4259 | newport > 0 ? "Updating" : "Removing",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4262 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s allowed port %d for forwarding to host %s port %d" , newport > 0 ? "Updating" : "Removing", newport, pset-> permitted_user[idx].host_to_connect, pset->permitted_user[ idx].port_to_connect) |
4260 | newport,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4262 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s allowed port %d for forwarding to host %s port %d" , newport > 0 ? "Updating" : "Removing", newport, pset-> permitted_user[idx].host_to_connect, pset->permitted_user[ idx].port_to_connect) |
4261 | pset->permitted_user[idx].host_to_connect,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4262 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s allowed port %d for forwarding to host %s port %d" , newport > 0 ? "Updating" : "Removing", newport, pset-> permitted_user[idx].host_to_connect, pset->permitted_user[ idx].port_to_connect) |
4262 | pset->permitted_user[idx].port_to_connect)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4262 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s allowed port %d for forwarding to host %s port %d" , newport > 0 ? "Updating" : "Removing", newport, pset-> permitted_user[idx].host_to_connect, pset->permitted_user[ idx].port_to_connect); |
4263 | if (newport <= 0) |
4264 | fwd_perm_clear(&pset->permitted_user[idx]); |
4265 | else { |
4266 | pset->permitted_user[idx].listen_port = |
4267 | (ssh->compat & SSH_BUG_DYNAMIC_RPORT0x08000000) ? 0 : newport; |
4268 | } |
4269 | } |
4270 | |
4271 | /* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */ |
4272 | int |
4273 | permitopen_port(const char *p) |
4274 | { |
4275 | int port; |
4276 | |
4277 | if (strcmp(p, "*") == 0) |
4278 | return FWD_PERMIT_ANY_PORT0; |
4279 | if ((port = a2port(p)) > 0) |
4280 | return port; |
4281 | return -1; |
4282 | } |
4283 | |
4284 | /* Try to start non-blocking connect to next host in cctx list */ |
4285 | static int |
4286 | connect_next(struct channel_connect *cctx) |
4287 | { |
4288 | int sock, saved_errno; |
4289 | struct sockaddr_un *sunaddr; |
4290 | char ntop[NI_MAXHOST256]; |
4291 | char strport[MAXIMUM(NI_MAXSERV, sizeof(sunaddr->sun_path))(((32) > (sizeof(sunaddr->sun_path))) ? (32) : (sizeof( sunaddr->sun_path)))]; |
4292 | |
4293 | for (; cctx->ai; cctx->ai = cctx->ai->ai_next) { |
4294 | switch (cctx->ai->ai_family) { |
4295 | case AF_UNIX1: |
4296 | /* unix:pathname instead of host:port */ |
4297 | sunaddr = (struct sockaddr_un *)cctx->ai->ai_addr; |
4298 | strlcpy(ntop, "unix", sizeof(ntop)); |
4299 | strlcpy(strport, sunaddr->sun_path, sizeof(strport)); |
4300 | break; |
4301 | case AF_INET2: |
4302 | case AF_INET624: |
4303 | if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen, |
4304 | ntop, sizeof(ntop), strport, sizeof(strport), |
4305 | NI_NUMERICHOST1|NI_NUMERICSERV2) != 0) { |
4306 | error("connect_next: getnameinfo failed")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4306 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect_next: getnameinfo failed" ); |
4307 | continue; |
4308 | } |
4309 | break; |
4310 | default: |
4311 | continue; |
4312 | } |
4313 | if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype, |
4314 | cctx->ai->ai_protocol)) == -1) { |
4315 | if (cctx->ai->ai_next == NULL((void *)0)) |
4316 | error("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4316 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "socket: %.100s", strerror ((*__errno()))); |
4317 | else |
4318 | verbose("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4318 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "socket: %.100s", strerror ((*__errno()))); |
4319 | continue; |
4320 | } |
4321 | if (set_nonblock(sock) == -1) |
4322 | fatal_f("set_nonblock(%d)", sock)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4322 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "set_nonblock(%d)", sock ); |
4323 | if (connect(sock, cctx->ai->ai_addr, |
4324 | cctx->ai->ai_addrlen) == -1 && errno(*__errno()) != EINPROGRESS36) { |
4325 | debug("connect_next: host %.100s ([%.100s]:%s): "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4327 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "connect_next: host %.100s ([%.100s]:%s): " "%.100s", cctx->host, ntop, strport, strerror((*__errno() ))) |
4326 | "%.100s", cctx->host, ntop, strport,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4327 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "connect_next: host %.100s ([%.100s]:%s): " "%.100s", cctx->host, ntop, strport, strerror((*__errno() ))) |
4327 | strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4327 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "connect_next: host %.100s ([%.100s]:%s): " "%.100s", cctx->host, ntop, strport, strerror((*__errno() ))); |
4328 | saved_errno = errno(*__errno()); |
4329 | close(sock); |
4330 | errno(*__errno()) = saved_errno; |
4331 | continue; /* fail -- try next */ |
4332 | } |
4333 | if (cctx->ai->ai_family != AF_UNIX1) |
4334 | set_nodelay(sock); |
4335 | debug("connect_next: host %.100s ([%.100s]:%s) "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4336 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "connect_next: host %.100s ([%.100s]:%s) " "in progress, fd=%d", cctx->host, ntop, strport, sock) |
4336 | "in progress, fd=%d", cctx->host, ntop, strport, sock)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4336 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "connect_next: host %.100s ([%.100s]:%s) " "in progress, fd=%d", cctx->host, ntop, strport, sock); |
4337 | cctx->ai = cctx->ai->ai_next; |
4338 | return sock; |
4339 | } |
4340 | return -1; |
4341 | } |
4342 | |
4343 | static void |
4344 | channel_connect_ctx_free(struct channel_connect *cctx) |
4345 | { |
4346 | free(cctx->host); |
4347 | if (cctx->aitop) { |
4348 | if (cctx->aitop->ai_family == AF_UNIX1) |
4349 | free(cctx->aitop); |
4350 | else |
4351 | freeaddrinfo(cctx->aitop); |
4352 | } |
4353 | memset(cctx, 0, sizeof(*cctx)); |
4354 | } |
4355 | |
4356 | /* |
4357 | * Return connecting socket to remote host:port or local socket path, |
4358 | * passing back the failure reason if appropriate. |
4359 | */ |
4360 | static int |
4361 | connect_to_helper(struct ssh *ssh, const char *name, int port, int socktype, |
4362 | char *ctype, char *rname, struct channel_connect *cctx, |
4363 | int *reason, const char **errmsg) |
4364 | { |
4365 | struct addrinfo hints; |
4366 | int gaierr; |
4367 | int sock = -1; |
4368 | char strport[NI_MAXSERV32]; |
4369 | |
4370 | if (port == PORT_STREAMLOCAL-2) { |
4371 | struct sockaddr_un *sunaddr; |
4372 | struct addrinfo *ai; |
4373 | |
4374 | if (strlen(name) > sizeof(sunaddr->sun_path)) { |
4375 | error("%.100s: %.100s", name, strerror(ENAMETOOLONG))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4375 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "%.100s: %.100s", name, strerror(63)); |
4376 | return -1; |
4377 | } |
4378 | |
4379 | /* |
4380 | * Fake up a struct addrinfo for AF_UNIX connections. |
4381 | * channel_connect_ctx_free() must check ai_family |
4382 | * and use free() not freeaddirinfo() for AF_UNIX. |
4383 | */ |
4384 | ai = xmalloc(sizeof(*ai) + sizeof(*sunaddr)); |
4385 | memset(ai, 0, sizeof(*ai) + sizeof(*sunaddr)); |
4386 | ai->ai_addr = (struct sockaddr *)(ai + 1); |
4387 | ai->ai_addrlen = sizeof(*sunaddr); |
4388 | ai->ai_family = AF_UNIX1; |
4389 | ai->ai_socktype = socktype; |
4390 | ai->ai_protocol = PF_UNSPEC0; |
4391 | sunaddr = (struct sockaddr_un *)ai->ai_addr; |
4392 | sunaddr->sun_family = AF_UNIX1; |
4393 | strlcpy(sunaddr->sun_path, name, sizeof(sunaddr->sun_path)); |
4394 | cctx->aitop = ai; |
4395 | } else { |
4396 | memset(&hints, 0, sizeof(hints)); |
4397 | hints.ai_family = ssh->chanctxt->IPv4or6; |
4398 | hints.ai_socktype = socktype; |
4399 | snprintf(strport, sizeof strport, "%d", port); |
4400 | if ((gaierr = getaddrinfo(name, strport, &hints, &cctx->aitop)) |
4401 | != 0) { |
4402 | if (errmsg != NULL((void *)0)) |
4403 | *errmsg = ssh_gai_strerror(gaierr); |
4404 | if (reason != NULL((void *)0)) |
4405 | *reason = SSH2_OPEN_CONNECT_FAILED2; |
4406 | error("connect_to %.100s: unknown host (%s)", name,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4407 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect_to %.100s: unknown host (%s)" , name, ssh_gai_strerror(gaierr)) |
4407 | ssh_gai_strerror(gaierr))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4407 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect_to %.100s: unknown host (%s)" , name, ssh_gai_strerror(gaierr)); |
4408 | return -1; |
4409 | } |
4410 | } |
4411 | |
4412 | cctx->host = xstrdup(name); |
4413 | cctx->port = port; |
4414 | cctx->ai = cctx->aitop; |
4415 | |
4416 | if ((sock = connect_next(cctx)) == -1) { |
4417 | error("connect to %.100s port %d failed: %s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4418 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect to %.100s port %d failed: %s" , name, port, strerror((*__errno()))) |
4418 | name, port, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4418 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect to %.100s port %d failed: %s" , name, port, strerror((*__errno()))); |
4419 | return -1; |
4420 | } |
4421 | |
4422 | return sock; |
4423 | } |
4424 | |
4425 | /* Return CONNECTING channel to remote host:port or local socket path */ |
4426 | static Channel * |
4427 | connect_to(struct ssh *ssh, const char *host, int port, |
4428 | char *ctype, char *rname) |
4429 | { |
4430 | struct channel_connect cctx; |
4431 | Channel *c; |
4432 | int sock; |
4433 | |
4434 | memset(&cctx, 0, sizeof(cctx)); |
4435 | sock = connect_to_helper(ssh, host, port, SOCK_STREAM1, ctype, rname, |
4436 | &cctx, NULL((void *)0), NULL((void *)0)); |
4437 | if (sock == -1) { |
4438 | channel_connect_ctx_free(&cctx); |
4439 | return NULL((void *)0); |
4440 | } |
4441 | c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING12, sock, sock, -1, |
4442 | CHAN_TCP_WINDOW_DEFAULT(64*(32*1024)), CHAN_TCP_PACKET_DEFAULT(32*1024), 0, rname, 1); |
4443 | c->host_port = port; |
4444 | c->path = xstrdup(host); |
4445 | c->connect_ctx = cctx; |
4446 | |
4447 | return c; |
4448 | } |
4449 | |
4450 | /* |
4451 | * returns either the newly connected channel or the downstream channel |
4452 | * that needs to deal with this connection. |
4453 | */ |
4454 | Channel * |
4455 | channel_connect_by_listen_address(struct ssh *ssh, const char *listen_host, |
4456 | u_short listen_port, char *ctype, char *rname) |
4457 | { |
4458 | struct ssh_channels *sc = ssh->chanctxt; |
4459 | struct permission_set *pset = &sc->local_perms; |
4460 | u_int i; |
4461 | struct permission *perm; |
4462 | |
4463 | for (i = 0; i < pset->num_permitted_user; i++) { |
4464 | perm = &pset->permitted_user[i]; |
4465 | if (open_listen_match_tcpip(perm, |
4466 | listen_host, listen_port, 1)) { |
4467 | if (perm->downstream) |
4468 | return perm->downstream; |
4469 | if (perm->port_to_connect == 0) |
4470 | return rdynamic_connect_prepare(ssh, |
4471 | ctype, rname); |
4472 | return connect_to(ssh, |
4473 | perm->host_to_connect, perm->port_to_connect, |
4474 | ctype, rname); |
4475 | } |
4476 | } |
4477 | error("WARNING: Server requests forwarding for unknown listen_port %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4478 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "WARNING: Server requests forwarding for unknown listen_port %d" , listen_port) |
4478 | listen_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4478 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "WARNING: Server requests forwarding for unknown listen_port %d" , listen_port); |
4479 | return NULL((void *)0); |
4480 | } |
4481 | |
4482 | Channel * |
4483 | channel_connect_by_listen_path(struct ssh *ssh, const char *path, |
4484 | char *ctype, char *rname) |
4485 | { |
4486 | struct ssh_channels *sc = ssh->chanctxt; |
4487 | struct permission_set *pset = &sc->local_perms; |
4488 | u_int i; |
4489 | struct permission *perm; |
4490 | |
4491 | for (i = 0; i < pset->num_permitted_user; i++) { |
4492 | perm = &pset->permitted_user[i]; |
4493 | if (open_listen_match_streamlocal(perm, path)) { |
4494 | return connect_to(ssh, |
4495 | perm->host_to_connect, perm->port_to_connect, |
4496 | ctype, rname); |
4497 | } |
4498 | } |
4499 | error("WARNING: Server requests forwarding for unknown path %.100s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4500 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "WARNING: Server requests forwarding for unknown path %.100s" , path) |
4500 | path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4500 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "WARNING: Server requests forwarding for unknown path %.100s" , path); |
4501 | return NULL((void *)0); |
4502 | } |
4503 | |
4504 | /* Check if connecting to that port is permitted and connect. */ |
4505 | Channel * |
4506 | channel_connect_to_port(struct ssh *ssh, const char *host, u_short port, |
4507 | char *ctype, char *rname, int *reason, const char **errmsg) |
4508 | { |
4509 | struct ssh_channels *sc = ssh->chanctxt; |
4510 | struct permission_set *pset = &sc->local_perms; |
4511 | struct channel_connect cctx; |
4512 | Channel *c; |
4513 | u_int i, permit, permit_adm = 1; |
4514 | int sock; |
4515 | struct permission *perm; |
4516 | |
4517 | permit = pset->all_permitted; |
4518 | if (!permit) { |
4519 | for (i = 0; i < pset->num_permitted_user; i++) { |
4520 | perm = &pset->permitted_user[i]; |
4521 | if (open_match(perm, host, port)) { |
4522 | permit = 1; |
4523 | break; |
4524 | } |
4525 | } |
4526 | } |
4527 | |
4528 | if (pset->num_permitted_admin > 0) { |
4529 | permit_adm = 0; |
4530 | for (i = 0; i < pset->num_permitted_admin; i++) { |
4531 | perm = &pset->permitted_admin[i]; |
4532 | if (open_match(perm, host, port)) { |
4533 | permit_adm = 1; |
4534 | break; |
4535 | } |
4536 | } |
4537 | } |
4538 | |
4539 | if (!permit || !permit_adm) { |
4540 | logit("Received request from %.100s port %d to connect to "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4542 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to connect to " "host %.100s port %d, but the request was denied.", ssh_remote_ipaddr (ssh), ssh_remote_port(ssh), host, port) |
4541 | "host %.100s port %d, but the request was denied.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4542 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to connect to " "host %.100s port %d, but the request was denied.", ssh_remote_ipaddr (ssh), ssh_remote_port(ssh), host, port) |
4542 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), host, port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4542 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to connect to " "host %.100s port %d, but the request was denied.", ssh_remote_ipaddr (ssh), ssh_remote_port(ssh), host, port); |
4543 | if (reason != NULL((void *)0)) |
4544 | *reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED1; |
4545 | return NULL((void *)0); |
4546 | } |
4547 | |
4548 | memset(&cctx, 0, sizeof(cctx)); |
4549 | sock = connect_to_helper(ssh, host, port, SOCK_STREAM1, ctype, rname, |
4550 | &cctx, reason, errmsg); |
4551 | if (sock == -1) { |
4552 | channel_connect_ctx_free(&cctx); |
4553 | return NULL((void *)0); |
4554 | } |
4555 | |
4556 | c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING12, sock, sock, -1, |
4557 | CHAN_TCP_WINDOW_DEFAULT(64*(32*1024)), CHAN_TCP_PACKET_DEFAULT(32*1024), 0, rname, 1); |
4558 | c->host_port = port; |
4559 | c->path = xstrdup(host); |
4560 | c->connect_ctx = cctx; |
4561 | |
4562 | return c; |
4563 | } |
4564 | |
4565 | /* Check if connecting to that path is permitted and connect. */ |
4566 | Channel * |
4567 | channel_connect_to_path(struct ssh *ssh, const char *path, |
4568 | char *ctype, char *rname) |
4569 | { |
4570 | struct ssh_channels *sc = ssh->chanctxt; |
4571 | struct permission_set *pset = &sc->local_perms; |
4572 | u_int i, permit, permit_adm = 1; |
4573 | struct permission *perm; |
4574 | |
4575 | permit = pset->all_permitted; |
4576 | if (!permit) { |
4577 | for (i = 0; i < pset->num_permitted_user; i++) { |
4578 | perm = &pset->permitted_user[i]; |
4579 | if (open_match(perm, path, PORT_STREAMLOCAL-2)) { |
4580 | permit = 1; |
4581 | break; |
4582 | } |
4583 | } |
4584 | } |
4585 | |
4586 | if (pset->num_permitted_admin > 0) { |
4587 | permit_adm = 0; |
4588 | for (i = 0; i < pset->num_permitted_admin; i++) { |
4589 | perm = &pset->permitted_admin[i]; |
4590 | if (open_match(perm, path, PORT_STREAMLOCAL-2)) { |
4591 | permit_adm = 1; |
4592 | break; |
4593 | } |
4594 | } |
4595 | } |
4596 | |
4597 | if (!permit || !permit_adm) { |
4598 | logit("Received request to connect to path %.100s, "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4599 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request to connect to path %.100s, " "but the request was denied.", path) |
4599 | "but the request was denied.", path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4599 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request to connect to path %.100s, " "but the request was denied.", path); |
4600 | return NULL((void *)0); |
4601 | } |
4602 | return connect_to(ssh, path, PORT_STREAMLOCAL-2, ctype, rname); |
4603 | } |
4604 | |
4605 | void |
4606 | channel_send_window_changes(struct ssh *ssh) |
4607 | { |
4608 | struct ssh_channels *sc = ssh->chanctxt; |
4609 | struct winsize ws; |
4610 | int r; |
4611 | u_int i; |
4612 | |
4613 | for (i = 0; i < sc->channels_alloc; i++) { |
4614 | if (sc->channels[i] == NULL((void *)0) || !sc->channels[i]->client_tty || |
4615 | sc->channels[i]->type != SSH_CHANNEL_OPEN4) |
4616 | continue; |
4617 | if (ioctl(sc->channels[i]->rfd, TIOCGWINSZ((unsigned long)0x40000000 | ((sizeof(struct winsize) & 0x1fff ) << 16) | ((('t')) << 8) | ((104))), &ws) == -1) |
4618 | continue; |
4619 | channel_request_start(ssh, i, "window-change", 0); |
4620 | if ((r = sshpkt_put_u32(ssh, (u_int)ws.ws_col)) != 0 || |
4621 | (r = sshpkt_put_u32(ssh, (u_int)ws.ws_row)) != 0 || |
4622 | (r = sshpkt_put_u32(ssh, (u_int)ws.ws_xpixel)) != 0 || |
4623 | (r = sshpkt_put_u32(ssh, (u_int)ws.ws_ypixel)) != 0 || |
4624 | (r = sshpkt_send(ssh)) != 0) |
4625 | fatal_fr(r, "channel %u; send window-change", i)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4625 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %u; send window-change" , i); |
4626 | } |
4627 | } |
4628 | |
4629 | /* Return RDYNAMIC_OPEN channel: channel allows SOCKS, but is not connected */ |
4630 | static Channel * |
4631 | rdynamic_connect_prepare(struct ssh *ssh, char *ctype, char *rname) |
4632 | { |
4633 | Channel *c; |
4634 | int r; |
4635 | |
4636 | c = channel_new(ssh, ctype, SSH_CHANNEL_RDYNAMIC_OPEN21, -1, -1, -1, |
4637 | CHAN_TCP_WINDOW_DEFAULT(64*(32*1024)), CHAN_TCP_PACKET_DEFAULT(32*1024), 0, rname, 1); |
4638 | c->host_port = 0; |
4639 | c->path = NULL((void *)0); |
4640 | |
4641 | /* |
4642 | * We need to open the channel before we have a FD, |
4643 | * so that we can get SOCKS header from peer. |
4644 | */ |
4645 | if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION91)) != 0 || |
4646 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
4647 | (r = sshpkt_put_u32(ssh, c->self)) != 0 || |
4648 | (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || |
4649 | (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) |
4650 | fatal_fr(r, "channel %i; confirm", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4650 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i; confirm", c ->self); |
4651 | return c; |
4652 | } |
4653 | |
4654 | /* Return CONNECTING socket to remote host:port or local socket path */ |
4655 | static int |
4656 | rdynamic_connect_finish(struct ssh *ssh, Channel *c) |
4657 | { |
4658 | struct ssh_channels *sc = ssh->chanctxt; |
4659 | struct permission_set *pset = &sc->local_perms; |
4660 | struct permission *perm; |
4661 | struct channel_connect cctx; |
4662 | u_int i, permit_adm = 1; |
4663 | int sock; |
4664 | |
4665 | if (pset->num_permitted_admin > 0) { |
4666 | permit_adm = 0; |
4667 | for (i = 0; i < pset->num_permitted_admin; i++) { |
4668 | perm = &pset->permitted_admin[i]; |
4669 | if (open_match(perm, c->path, c->host_port)) { |
4670 | permit_adm = 1; |
4671 | break; |
4672 | } |
4673 | } |
4674 | } |
4675 | if (!permit_adm) { |
4676 | debug_f("requested forward not permitted")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4676 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "requested forward not permitted" ); |
4677 | return -1; |
4678 | } |
4679 | |
4680 | memset(&cctx, 0, sizeof(cctx)); |
4681 | sock = connect_to_helper(ssh, c->path, c->host_port, SOCK_STREAM1, NULL((void *)0), |
4682 | NULL((void *)0), &cctx, NULL((void *)0), NULL((void *)0)); |
4683 | if (sock == -1) |
4684 | channel_connect_ctx_free(&cctx); |
4685 | else { |
4686 | /* similar to SSH_CHANNEL_CONNECTING but we've already sent the open */ |
4687 | c->type = SSH_CHANNEL_RDYNAMIC_FINISH22; |
4688 | c->connect_ctx = cctx; |
4689 | channel_register_fds(ssh, c, sock, sock, -1, 0, 1, 0); |
4690 | } |
4691 | return sock; |
4692 | } |
4693 | |
4694 | /* -- X11 forwarding */ |
4695 | |
4696 | /* |
4697 | * Creates an internet domain socket for listening for X11 connections. |
4698 | * Returns 0 and a suitable display number for the DISPLAY variable |
4699 | * stored in display_numberp , or -1 if an error occurs. |
4700 | */ |
4701 | int |
4702 | x11_create_display_inet(struct ssh *ssh, int x11_display_offset, |
4703 | int x11_use_localhost, int single_connection, |
4704 | u_int *display_numberp, int **chanids) |
4705 | { |
4706 | Channel *nc = NULL((void *)0); |
4707 | int display_number, sock; |
4708 | u_short port; |
4709 | struct addrinfo hints, *ai, *aitop; |
4710 | char strport[NI_MAXSERV32]; |
4711 | int gaierr, n, num_socks = 0, socks[NUM_SOCKS10]; |
4712 | |
4713 | if (chanids == NULL((void *)0)) |
4714 | return -1; |
4715 | |
4716 | for (display_number = x11_display_offset; |
4717 | display_number < MAX_DISPLAYS1000; |
4718 | display_number++) { |
4719 | port = 6000 + display_number; |
4720 | memset(&hints, 0, sizeof(hints)); |
4721 | hints.ai_family = ssh->chanctxt->IPv4or6; |
4722 | hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE1; |
4723 | hints.ai_socktype = SOCK_STREAM1; |
4724 | snprintf(strport, sizeof strport, "%d", port); |
4725 | if ((gaierr = getaddrinfo(NULL((void *)0), strport, |
4726 | &hints, &aitop)) != 0) { |
4727 | error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4727 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "getaddrinfo: %.100s", ssh_gai_strerror (gaierr)); |
4728 | return -1; |
4729 | } |
4730 | for (ai = aitop; ai; ai = ai->ai_next) { |
4731 | if (ai->ai_family != AF_INET2 && |
4732 | ai->ai_family != AF_INET624) |
4733 | continue; |
4734 | sock = socket(ai->ai_family, ai->ai_socktype, |
4735 | ai->ai_protocol); |
4736 | if (sock == -1) { |
4737 | error("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4737 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "socket: %.100s", strerror ((*__errno()))); |
4738 | freeaddrinfo(aitop); |
4739 | return -1; |
4740 | } |
4741 | set_reuseaddr(sock); |
4742 | if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) { |
4743 | debug2_f("bind port %d: %.100s", port,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4744 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "bind port %d: %.100s" , port, strerror((*__errno()))) |
4744 | strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4744 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "bind port %d: %.100s" , port, strerror((*__errno()))); |
4745 | close(sock); |
4746 | for (n = 0; n < num_socks; n++) |
4747 | close(socks[n]); |
4748 | num_socks = 0; |
4749 | break; |
4750 | } |
4751 | socks[num_socks++] = sock; |
4752 | if (num_socks == NUM_SOCKS10) |
4753 | break; |
4754 | } |
4755 | freeaddrinfo(aitop); |
4756 | if (num_socks > 0) |
4757 | break; |
4758 | } |
4759 | if (display_number >= MAX_DISPLAYS1000) { |
4760 | error("Failed to allocate internet-domain X11 display socket.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4760 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Failed to allocate internet-domain X11 display socket." ); |
4761 | return -1; |
4762 | } |
4763 | /* Start listening for connections on the socket. */ |
4764 | for (n = 0; n < num_socks; n++) { |
4765 | sock = socks[n]; |
4766 | if (listen(sock, SSH_LISTEN_BACKLOG128) == -1) { |
4767 | error("listen: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4767 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "listen: %.100s", strerror ((*__errno()))); |
4768 | close(sock); |
4769 | return -1; |
4770 | } |
4771 | } |
4772 | |
4773 | /* Allocate a channel for each socket. */ |
4774 | *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); |
4775 | for (n = 0; n < num_socks; n++) { |
4776 | sock = socks[n]; |
4777 | nc = channel_new(ssh, "x11 listener", |
4778 | SSH_CHANNEL_X11_LISTENER1, sock, sock, -1, |
4779 | CHAN_X11_WINDOW_DEFAULT(4*(16*1024)), CHAN_X11_PACKET_DEFAULT(16*1024), |
4780 | 0, "X11 inet listener", 1); |
4781 | nc->single_connection = single_connection; |
4782 | (*chanids)[n] = nc->self; |
4783 | } |
4784 | (*chanids)[n] = -1; |
4785 | |
4786 | /* Return the display number for the DISPLAY environment variable. */ |
4787 | *display_numberp = display_number; |
4788 | return 0; |
4789 | } |
4790 | |
4791 | static int |
4792 | connect_local_xsocket(u_int dnr) |
4793 | { |
4794 | int sock; |
4795 | struct sockaddr_un addr; |
4796 | |
4797 | sock = socket(AF_UNIX1, SOCK_STREAM1, 0); |
4798 | if (sock == -1) |
4799 | error("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4799 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "socket: %.100s", strerror ((*__errno()))); |
4800 | memset(&addr, 0, sizeof(addr)); |
4801 | addr.sun_family = AF_UNIX1; |
4802 | snprintf(addr.sun_path, sizeof addr.sun_path, _PATH_UNIX_X"/tmp/.X11-unix/X%u", dnr); |
4803 | if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) |
4804 | return sock; |
4805 | close(sock); |
4806 | error("connect %.100s: %.100s", addr.sun_path, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4806 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect %.100s: %.100s" , addr.sun_path, strerror((*__errno()))); |
4807 | return -1; |
4808 | } |
4809 | |
4810 | int |
4811 | x11_connect_display(struct ssh *ssh) |
4812 | { |
4813 | u_int display_number; |
4814 | const char *display; |
4815 | char buf[1024], *cp; |
4816 | struct addrinfo hints, *ai, *aitop; |
4817 | char strport[NI_MAXSERV32]; |
4818 | int gaierr, sock = 0; |
4819 | |
4820 | /* Try to open a socket for the local X server. */ |
4821 | display = getenv("DISPLAY"); |
4822 | if (!display) { |
4823 | error("DISPLAY not set.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4823 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "DISPLAY not set."); |
4824 | return -1; |
4825 | } |
4826 | /* |
4827 | * Now we decode the value of the DISPLAY variable and make a |
4828 | * connection to the real X server. |
4829 | */ |
4830 | |
4831 | /* |
4832 | * Check if it is a unix domain socket. Unix domain displays are in |
4833 | * one of the following formats: unix:d[.s], :d[.s], ::d[.s] |
4834 | */ |
4835 | if (strncmp(display, "unix:", 5) == 0 || |
4836 | display[0] == ':') { |
4837 | /* Connect to the unix domain socket. */ |
4838 | if (sscanf(strrchr(display, ':') + 1, "%u", |
4839 | &display_number) != 1) { |
4840 | error("Could not parse display number from DISPLAY: "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4841 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Could not parse display number from DISPLAY: " "%.100s", display) |
4841 | "%.100s", display)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4841 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Could not parse display number from DISPLAY: " "%.100s", display); |
4842 | return -1; |
4843 | } |
4844 | /* Create a socket. */ |
4845 | sock = connect_local_xsocket(display_number); |
4846 | if (sock < 0) |
4847 | return -1; |
4848 | |
4849 | /* OK, we now have a connection to the display. */ |
4850 | return sock; |
4851 | } |
4852 | /* |
4853 | * Connect to an inet socket. The DISPLAY value is supposedly |
4854 | * hostname:d[.s], where hostname may also be numeric IP address. |
4855 | */ |
4856 | strlcpy(buf, display, sizeof(buf)); |
4857 | cp = strchr(buf, ':'); |
4858 | if (!cp) { |
4859 | error("Could not find ':' in DISPLAY: %.100s", display)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4859 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Could not find ':' in DISPLAY: %.100s" , display); |
4860 | return -1; |
4861 | } |
4862 | *cp = 0; |
4863 | /* |
4864 | * buf now contains the host name. But first we parse the |
4865 | * display number. |
4866 | */ |
4867 | if (sscanf(cp + 1, "%u", &display_number) != 1) { |
4868 | error("Could not parse display number from DISPLAY: %.100s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4869 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Could not parse display number from DISPLAY: %.100s" , display) |
4869 | display)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4869 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Could not parse display number from DISPLAY: %.100s" , display); |
4870 | return -1; |
4871 | } |
4872 | |
4873 | /* Look up the host address */ |
4874 | memset(&hints, 0, sizeof(hints)); |
4875 | hints.ai_family = ssh->chanctxt->IPv4or6; |
4876 | hints.ai_socktype = SOCK_STREAM1; |
4877 | snprintf(strport, sizeof strport, "%u", 6000 + display_number); |
4878 | if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { |
4879 | error("%.100s: unknown host. (%s)", buf,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4880 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "%.100s: unknown host. (%s)" , buf, ssh_gai_strerror(gaierr)) |
4880 | ssh_gai_strerror(gaierr))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4880 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "%.100s: unknown host. (%s)" , buf, ssh_gai_strerror(gaierr)); |
4881 | return -1; |
4882 | } |
4883 | for (ai = aitop; ai; ai = ai->ai_next) { |
4884 | /* Create a socket. */ |
4885 | sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); |
4886 | if (sock == -1) { |
4887 | debug2("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4887 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "socket: %.100s", strerror ((*__errno()))); |
4888 | continue; |
4889 | } |
4890 | /* Connect it to the display. */ |
4891 | if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) { |
4892 | debug2("connect %.100s port %u: %.100s", buf,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4893 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "connect %.100s port %u: %.100s" , buf, 6000 + display_number, strerror((*__errno()))) |
4893 | 6000 + display_number, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4893 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "connect %.100s port %u: %.100s" , buf, 6000 + display_number, strerror((*__errno()))); |
4894 | close(sock); |
4895 | continue; |
4896 | } |
4897 | /* Success */ |
4898 | break; |
4899 | } |
4900 | freeaddrinfo(aitop); |
4901 | if (!ai) { |
4902 | error("connect %.100s port %u: %.100s", buf,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4903 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect %.100s port %u: %.100s" , buf, 6000 + display_number, strerror((*__errno()))) |
4903 | 6000 + display_number, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4903 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect %.100s port %u: %.100s" , buf, 6000 + display_number, strerror((*__errno()))); |
4904 | return -1; |
4905 | } |
4906 | set_nodelay(sock); |
4907 | return sock; |
4908 | } |
4909 | |
4910 | /* |
4911 | * Requests forwarding of X11 connections, generates fake authentication |
4912 | * data, and enables authentication spoofing. |
4913 | * This should be called in the client only. |
4914 | */ |
4915 | void |
4916 | x11_request_forwarding_with_spoofing(struct ssh *ssh, int client_session_id, |
4917 | const char *disp, const char *proto, const char *data, int want_reply) |
4918 | { |
4919 | struct ssh_channels *sc = ssh->chanctxt; |
4920 | u_int data_len = (u_int) strlen(data) / 2; |
4921 | u_int i, value; |
4922 | const char *cp; |
4923 | char *new_data; |
4924 | int r, screen_number; |
4925 | |
4926 | if (sc->x11_saved_display == NULL((void *)0)) |
4927 | sc->x11_saved_display = xstrdup(disp); |
4928 | else if (strcmp(disp, sc->x11_saved_display) != 0) { |
4929 | error("x11_request_forwarding_with_spoofing: different "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4930 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "x11_request_forwarding_with_spoofing: different " "$DISPLAY already forwarded") |
4930 | "$DISPLAY already forwarded")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4930 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "x11_request_forwarding_with_spoofing: different " "$DISPLAY already forwarded"); |
4931 | return; |
4932 | } |
4933 | |
4934 | cp = strchr(disp, ':'); |
4935 | if (cp) |
4936 | cp = strchr(cp, '.'); |
4937 | if (cp) |
4938 | screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL((void *)0)); |
4939 | else |
4940 | screen_number = 0; |
4941 | |
4942 | if (sc->x11_saved_proto == NULL((void *)0)) { |
4943 | /* Save protocol name. */ |
4944 | sc->x11_saved_proto = xstrdup(proto); |
4945 | |
4946 | /* Extract real authentication data. */ |
4947 | sc->x11_saved_data = xmalloc(data_len); |
4948 | for (i = 0; i < data_len; i++) { |
4949 | if (sscanf(data + 2 * i, "%2x", &value) != 1) { |
4950 | fatal("x11_request_forwarding: bad "sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4951 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "x11_request_forwarding: bad " "authentication data: %.100s", data) |
4951 | "authentication data: %.100s", data)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4951 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "x11_request_forwarding: bad " "authentication data: %.100s", data); |
4952 | } |
4953 | sc->x11_saved_data[i] = value; |
4954 | } |
4955 | sc->x11_saved_data_len = data_len; |
4956 | |
4957 | /* Generate fake data of the same length. */ |
4958 | sc->x11_fake_data = xmalloc(data_len); |
4959 | arc4random_buf(sc->x11_fake_data, data_len); |
4960 | sc->x11_fake_data_len = data_len; |
4961 | } |
4962 | |
4963 | /* Convert the fake data into hex. */ |
4964 | new_data = tohex(sc->x11_fake_data, data_len); |
4965 | |
4966 | /* Send the request packet. */ |
4967 | channel_request_start(ssh, client_session_id, "x11-req", want_reply); |
4968 | if ((r = sshpkt_put_u8(ssh, 0)) != 0 || /* bool: single connection */ |
4969 | (r = sshpkt_put_cstring(ssh, proto)) != 0 || |
4970 | (r = sshpkt_put_cstring(ssh, new_data)) != 0 || |
4971 | (r = sshpkt_put_u32(ssh, screen_number)) != 0 || |
4972 | (r = sshpkt_send(ssh)) != 0 || |
4973 | (r = ssh_packet_write_wait(ssh)) != 0) |
4974 | fatal_fr(r, "send x11-req")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4974 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "send x11-req"); |
4975 | free(new_data); |
4976 | } |