/usr/src/usr.bin/ssh/ssh/../channels.c

Bug Summary

File:	src/usr.bin/ssh/ssh/../channels.c
Warning:	line 4277, column 21 Although the value stored to 'listen_port' is used in the enclosing expression, the value is never actually read from 'listen_port'

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name channels.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/ssh/ssh/obj -resource-dir /usr/local/llvm16/lib/clang/16 -I /usr/src/usr.bin/ssh/ssh/.. -D WITH_OPENSSL -D WITH_ZLIB -D WITH_DSA -D ENABLE_PKCS11 -D HAVE_DLOPEN -internal-isystem /usr/local/llvm16/lib/clang/16/include -internal-externc-isystem /usr/include -O2 -Wno-unused-parameter -fdebug-compilation-dir=/usr/src/usr.bin/ssh/ssh/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fno-jump-tables -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/scan/2024-01-11-140451-98009-1 -x c /usr/src/usr.bin/ssh/ssh/../channels.c

1	/* $OpenBSD: channels.c,v 1.436 2024/01/09 22:19:00 djm Exp $ */
2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5	* All rights reserved
6	* This file contains functions for generic socket connection forwarding.
7	* There is also code for initiating connection forwarding for X11 connections,
8	* arbitrary tcp/ip connections, and the authentication agent connection.
9	*
10	* As far as I am concerned, the code I have written for this software
11	* can be used freely for any purpose. Any derived versions of this
12	* software must be clearly marked as such, and if the derived work is
13	* incompatible with the protocol description in the RFC file, it must be
14	* called by a name other than "ssh" or "Secure Shell".
15	*
16	* SSH2 support added by Markus Friedl.
17	* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
18	* Copyright (c) 1999 Dug Song. All rights reserved.
19	* Copyright (c) 1999 Theo de Raadt. All rights reserved.
20	*
21	* Redistribution and use in source and binary forms, with or without
22	* modification, are permitted provided that the following conditions
23	* are met:
24	* 1. Redistributions of source code must retain the above copyright
25	* notice, this list of conditions and the following disclaimer.
26	* 2. Redistributions in binary form must reproduce the above copyright
27	* notice, this list of conditions and the following disclaimer in the
28	* documentation and/or other materials provided with the distribution.
29	*
30	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
31	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
32	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
33	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
34	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
35	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
36	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
37	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
38	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
39	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
40	*/
41
42	#include <sys/types.h>
43	#include <sys/stat.h>
44	#include <sys/ioctl.h>
45	#include <sys/un.h>
46	#include <sys/socket.h>
47	#include <sys/time.h>
48	#include <sys/queue.h>
49
50	#include <netinet/in.h>
51	#include <arpa/inet.h>
52
53	#include <errno(*__errno()).h>
54	#include <fcntl.h>
55	#include <limits.h>
56	#include <netdb.h>
57	#include <poll.h>
58	#include <stdarg.h>
59	#include <stdint.h>
60	#include <stdio.h>
61	#include <stdlib.h>
62	#include <string.h>
63	#include <termios.h>
64	#include <unistd.h>
65
66	#include "xmalloc.h"
67	#include "ssh.h"
68	#include "ssh2.h"
69	#include "ssherr.h"
70	#include "sshbuf.h"
71	#include "packet.h"
72	#include "log.h"
73	#include "misc.h"
74	#include "channels.h"
75	#include "compat.h"
76	#include "canohost.h"
77	#include "sshkey.h"
78	#include "authfd.h"
79	#include "pathnames.h"
80	#include "match.h"
81
82	/* XXX remove once we're satisfied there's no lurking bugs */
83	/* #define DEBUG_CHANNEL_POLL 1 */
84
85	/* -- agent forwarding */
86	#define NUM_SOCKS10 10
87
88	/* -- tcp forwarding */
89	/* special-case port number meaning allow any port */
90	#define FWD_PERMIT_ANY_PORT0 0
91
92	/* special-case wildcard meaning allow any host */
93	#define FWD_PERMIT_ANY_HOST"" ""
94
95	/* -- X11 forwarding */
96	/* Maximum number of fake X11 displays to try. */
97	#define MAX_DISPLAYS1000 1000
98
99	/* Per-channel callback for pre/post IO actions */
100	typedef void chan_fn(struct ssh , Channel c);
101
102	/*
103	* Data structure for storing which hosts are permitted for forward requests.
104	* The local sides of any remote forwards are stored in this array to prevent
105	* a corrupt remote server from accessing arbitrary TCP/IP ports on our local
106	* network (which might be behind a firewall).
107	*/
108	/* XXX: streamlocal wants a path instead of host:port */
109	/* Overload host_to_connect; we could just make this match Forward */
110	/* XXX - can we use listen_host instead of listen_path? */
111	struct permission {
112	char host_to_connect; / Connect to 'host'. */
113	int port_to_connect; /* Connect to 'port'. */
114	char listen_host; / Remote side should listen address. */
115	char listen_path; / Remote side should listen path. */
116	int listen_port; /* Remote side should listen port. */
117	Channel downstream; / Downstream mux*/
118	};
119
120	/*
121	* Stores the forwarding permission state for a single direction (local or
122	* remote).
123	*/
124	struct permission_set {
125	/*
126	* List of all local permitted host/port pairs to allow for the
127	* user.
128	*/
129	u_int num_permitted_user;
130	struct permission *permitted_user;
131
132	/*
133	* List of all permitted host/port pairs to allow for the admin.
134	*/
135	u_int num_permitted_admin;
136	struct permission *permitted_admin;
137
138	/*
139	* If this is true, all opens/listens are permitted. This is the
140	* case on the server on which we have to trust the client anyway,
141	* and the user could do anything after logging in.
142	*/
143	int all_permitted;
144	};
145
146	/* Used to record timeouts per channel type */
147	struct ssh_channel_timeout {
148	char *type_pattern;
149	int timeout_secs;
150	};
151
152	/* Master structure for channels state */
153	struct ssh_channels {
154	/*
155	* Pointer to an array containing all allocated channels. The array
156	* is dynamically extended as needed.
157	*/
158	Channel **channels;
159
160	/*
161	* Size of the channel array. All slots of the array must always be
162	* initialized (at least the type field); unused slots set to NULL
163	*/
164	u_int channels_alloc;
165
166	/*
167	* 'channel_pre*' are called just before IO to add any bits
168	* relevant to channels in the c->io_want bitmasks.
169	*
170	* 'channel_post*': perform any appropriate operations for
171	* channels which have c->io_ready events pending.
172	*/
173	chan_fn **channel_pre;
174	chan_fn **channel_post;
175
176	/* -- tcp forwarding */
177	struct permission_set local_perms;
178	struct permission_set remote_perms;
179
180	/* -- X11 forwarding */
181
182	/* Saved X11 local (client) display. */
183	char *x11_saved_display;
184
185	/* Saved X11 authentication protocol name. */
186	char *x11_saved_proto;
187
188	/* Saved X11 authentication data. This is the real data. */
189	char *x11_saved_data;
190	u_int x11_saved_data_len;
191
192	/* Deadline after which all X11 connections are refused */
193	time_t x11_refuse_time;
194
195	/*
196	* Fake X11 authentication data. This is what the server will be
197	* sending us; we should replace any occurrences of this by the
198	* real data.
199	*/
200	u_char *x11_fake_data;
201	u_int x11_fake_data_len;
202
203	/* AF_UNSPEC or AF_INET or AF_INET6 */
204	int IPv4or6;
205
206	/* Channel timeouts by type */
207	struct ssh_channel_timeout *timeouts;
208	size_t ntimeouts;
209	/* Global timeout for all OPEN channels */
210	int global_deadline;
211	time_t lastused;
212	};
213
214	/* helper */
215	static void port_open_helper(struct ssh ssh, Channel c, char *rtype);
216	static const char channel_rfwd_bind_host(const char listen_host);
217
218	/* non-blocking connect helpers */
219	static int connect_next(struct channel_connect *);
220	static void channel_connect_ctx_free(struct channel_connect *);
221	static Channel rdynamic_connect_prepare(struct ssh , char , char );
222	static int rdynamic_connect_finish(struct ssh , Channel );
223
224	/* Setup helper */
225	static void channel_handler_init(struct ssh_channels *sc);
226
227	/* -- channel core */
228
229	void
230	channel_init_channels(struct ssh *ssh)
231	{
232	struct ssh_channels *sc;
233
234	if ((sc = calloc(1, sizeof(sc))) == NULL((void )0))
235	fatal_f("allocation failed")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 235 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "allocation failed");
236	sc->channels_alloc = 10;
237	sc->channels = xcalloc(sc->channels_alloc, sizeof(*sc->channels));
238	sc->IPv4or6 = AF_UNSPEC0;
239	channel_handler_init(sc);
240
241	ssh->chanctxt = sc;
242	}
243
244	Channel *
245	channel_by_id(struct ssh *ssh, int id)
246	{
247	Channel *c;
248
249	if (id < 0 \|\| (u_int)id >= ssh->chanctxt->channels_alloc) {
250	logit_f("%d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 250 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id", id);
251	return NULL((void *)0);
252	}
253	c = ssh->chanctxt->channels[id];
254	if (c == NULL((void *)0)) {
255	logit_f("%d: bad id: channel free", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 255 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id: channel free" , id);
256	return NULL((void *)0);
257	}
258	return c;
259	}
260
261	Channel *
262	channel_by_remote_id(struct ssh *ssh, u_int remote_id)
263	{
264	Channel *c;
265	u_int i;
266
267	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
268	c = ssh->chanctxt->channels[i];
269	if (c != NULL((void *)0) && c->have_remote_id && c->remote_id == remote_id)
270	return c;
271	}
272	return NULL((void *)0);
273	}
274
275	/*
276	* Returns the channel if it is allowed to receive protocol messages.
277	* Private channels, like listening sockets, may not receive messages.
278	*/
279	Channel *
280	channel_lookup(struct ssh *ssh, int id)
281	{
282	Channel *c;
283
284	if ((c = channel_by_id(ssh, id)) == NULL((void *)0))
285	return NULL((void *)0);
286
287	switch (c->type) {
288	case SSH_CHANNEL_X11_OPEN7:
289	case SSH_CHANNEL_LARVAL10:
290	case SSH_CHANNEL_CONNECTING12:
291	case SSH_CHANNEL_DYNAMIC13:
292	case SSH_CHANNEL_RDYNAMIC_OPEN21:
293	case SSH_CHANNEL_RDYNAMIC_FINISH22:
294	case SSH_CHANNEL_OPENING3:
295	case SSH_CHANNEL_OPEN4:
296	case SSH_CHANNEL_ABANDONED17:
297	case SSH_CHANNEL_MUX_PROXY20:
298	return c;
299	}
300	logit("Non-public channel %d, type %d.", id, c->type)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 300 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Non-public channel %d, type %d." , id, c->type);
301	return NULL((void *)0);
302	}
303
304	/*
305	* Add a timeout for open channels whose c->ctype (or c->xctype if it is set)
306	* match type_pattern.
307	*/
308	void
309	channel_add_timeout(struct ssh ssh, const char type_pattern,
310	int timeout_secs)
311	{
312	struct ssh_channels *sc = ssh->chanctxt;
313
314	if (strcmp(type_pattern, "global") == 0) {
315	debug2_f("global channel timeout %d seconds", timeout_secs)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 315 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "global channel timeout %d seconds" , timeout_secs);
316	sc->global_deadline = timeout_secs;
317	return;
318	}
319	debug2_f("channel type \"%s\" timeout %d seconds",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 320 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel type \"%s\" timeout %d seconds" , type_pattern, timeout_secs)
320	type_pattern, timeout_secs)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 320 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel type \"%s\" timeout %d seconds" , type_pattern, timeout_secs);
321	sc->timeouts = xrecallocarray(sc->timeouts, sc->ntimeouts,
322	sc->ntimeouts + 1, sizeof(*sc->timeouts));
323	sc->timeouts[sc->ntimeouts].type_pattern = xstrdup(type_pattern);
324	sc->timeouts[sc->ntimeouts].timeout_secs = timeout_secs;
325	sc->ntimeouts++;
326	}
327
328	/* Clears all previously-added channel timeouts */
329	void
330	channel_clear_timeouts(struct ssh *ssh)
331	{
332	struct ssh_channels *sc = ssh->chanctxt;
333	size_t i;
334
335	debug3_f("clearing")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 335 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "clearing");
336	for (i = 0; i < sc->ntimeouts; i++)
337	free(sc->timeouts[i].type_pattern);
338	free(sc->timeouts);
339	sc->timeouts = NULL((void *)0);
340	sc->ntimeouts = 0;
341	}
342
343	static int
344	lookup_timeout(struct ssh ssh, const char type)
345	{
346	struct ssh_channels *sc = ssh->chanctxt;
347	size_t i;
348
349	for (i = 0; i < sc->ntimeouts; i++) {
350	if (match_pattern(type, sc->timeouts[i].type_pattern))
351	return sc->timeouts[i].timeout_secs;
352	}
353
354	return 0;
355	}
356
357	/*
358	* Sets "extended type" of a channel; used by session layer to add additional
359	* information about channel types (e.g. shell, login, subsystem) that can then
360	* be used to select timeouts.
361	* Will reset c->inactive_deadline as a side-effect.
362	*/
363	void
364	channel_set_xtype(struct ssh ssh, int id, const char xctype)
365	{
366	Channel *c;
367
368	if ((c = channel_by_id(ssh, id)) == NULL((void *)0))
369	fatal_f("missing channel %d", id)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 369 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "missing channel %d", id );
370	if (c->xctype != NULL((void *)0))
371	free(c->xctype);
372	c->xctype = xstrdup(xctype);
373	/* Type has changed, so look up inactivity deadline again */
374	c->inactive_deadline = lookup_timeout(ssh, c->xctype);
375	debug2_f("labeled channel %d as %s (inactive timeout %u)", id, xctype,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 376 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "labeled channel %d as %s (inactive timeout %u)" , id, xctype, c->inactive_deadline)
376	c->inactive_deadline)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 376 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "labeled channel %d as %s (inactive timeout %u)" , id, xctype, c->inactive_deadline);
377	}
378
379	/*
380	* update "last used" time on a channel.
381	* NB. nothing else should update lastused except to clear it.
382	*/
383	static void
384	channel_set_used_time(struct ssh ssh, Channel c)
385	{
386	ssh->chanctxt->lastused = monotime();
387	if (c != NULL((void *)0))
388	c->lastused = ssh->chanctxt->lastused;
389	}
390
391	/*
392	* Get the time at which a channel is due to time out for inactivity.
393	* Returns 0 if the channel is not due to time out ever.
394	*/
395	static time_t
396	channel_get_expiry(struct ssh ssh, Channel c)
397	{
398	struct ssh_channels *sc = ssh->chanctxt;
399	time_t expiry = 0, channel_expiry;
400
401	if (sc->lastused != 0 && sc->global_deadline != 0)
402	expiry = sc->lastused + sc->global_deadline;
403	if (c->lastused != 0 && c->inactive_deadline != 0) {
404	channel_expiry = c->lastused + c->inactive_deadline;
405	if (expiry == 0 \|\| channel_expiry < expiry)
406	expiry = channel_expiry;
407	}
408	return expiry;
409	}
410
411	/*
412	* Register filedescriptors for a channel, used when allocating a channel or
413	* when the channel consumer/producer is ready, e.g. shell exec'd
414	*/
415	static void
416	channel_register_fds(struct ssh ssh, Channel c, int rfd, int wfd, int efd,
417	int extusage, int nonblock, int is_tty)
418	{
419	int val;
420
421	if (rfd != -1)
422	(void)fcntl(rfd, F_SETFD2, FD_CLOEXEC1);
423	if (wfd != -1 && wfd != rfd)
424	(void)fcntl(wfd, F_SETFD2, FD_CLOEXEC1);
425	if (efd != -1 && efd != rfd && efd != wfd)
426	(void)fcntl(efd, F_SETFD2, FD_CLOEXEC1);
427
428	c->rfd = rfd;
429	c->wfd = wfd;
430	c->sock = (rfd == wfd) ? rfd : -1;
431	c->efd = efd;
432	c->extended_usage = extusage;
433
434	if ((c->isatty = is_tty) != 0)
435	debug2("channel %d: rfd %d isatty", c->self, c->rfd)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 435 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: rfd %d isatty" , c->self, c->rfd);
436
437	/* enable nonblocking mode */
438	c->restore_block = 0;
439	if (nonblock == CHANNEL_NONBLOCK_STDIO2) {
440	/*
441	* Special handling for stdio file descriptors: do not set
442	* non-blocking mode if they are TTYs. Otherwise prepare to
443	* restore their blocking state on exit to avoid interfering
444	* with other programs that follow.
445	*/
446	if (rfd != -1 && !isatty(rfd) &&
447	(val = fcntl(rfd, F_GETFL3)) != -1 && !(val & O_NONBLOCK0x0004)) {
448	c->restore_flags[0] = val;
449	c->restore_block \|= CHANNEL_RESTORE_RFD0x01;
450	set_nonblock(rfd);
451	}
452	if (wfd != -1 && !isatty(wfd) &&
453	(val = fcntl(wfd, F_GETFL3)) != -1 && !(val & O_NONBLOCK0x0004)) {
454	c->restore_flags[1] = val;
455	c->restore_block \|= CHANNEL_RESTORE_WFD0x02;
456	set_nonblock(wfd);
457	}
458	if (efd != -1 && !isatty(efd) &&
459	(val = fcntl(efd, F_GETFL3)) != -1 && !(val & O_NONBLOCK0x0004)) {
460	c->restore_flags[2] = val;
461	c->restore_block \|= CHANNEL_RESTORE_EFD0x04;
462	set_nonblock(efd);
463	}
464	} else if (nonblock) {
465	if (rfd != -1)
466	set_nonblock(rfd);
467	if (wfd != -1)
468	set_nonblock(wfd);
469	if (efd != -1)
470	set_nonblock(efd);
471	}
472	/* channel might be entering a larval state, so reset global timeout */
473	channel_set_used_time(ssh, NULL((void *)0));
474	}
475
476	/*
477	* Allocate a new channel object and set its type and socket.
478	*/
479	Channel *
480	channel_new(struct ssh ssh, char ctype, int type, int rfd, int wfd, int efd,
481	u_int window, u_int maxpack, int extusage, const char *remote_name,
482	int nonblock)
483	{
484	struct ssh_channels *sc = ssh->chanctxt;
485	u_int i, found;
486	Channel *c;
487	int r;
488
489	/* Try to find a free slot where to put the new channel. */
490	for (i = 0; i < sc->channels_alloc; i++) {
491	if (sc->channels[i] == NULL((void *)0)) {
492	/* Found a free slot. */
493	found = i;
494	break;
495	}
496	}
497	if (i >= sc->channels_alloc) {
498	/*
499	* There are no free slots. Take last+1 slot and expand
500	* the array.
501	*/
502	found = sc->channels_alloc;
503	if (sc->channels_alloc > CHANNELS_MAX_CHANNELS(16*1024))
504	fatal_f("internal error: channels_alloc %d too big",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 505 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "internal error: channels_alloc %d too big" , sc->channels_alloc)
505	sc->channels_alloc)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 505 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "internal error: channels_alloc %d too big" , sc->channels_alloc);
506	sc->channels = xrecallocarray(sc->channels, sc->channels_alloc,
507	sc->channels_alloc + 10, sizeof(*sc->channels));
508	sc->channels_alloc += 10;
509	debug2("channel: expanding %d", sc->channels_alloc)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 509 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel: expanding %d" , sc->channels_alloc);
510	}
511	/* Initialize and return new channel. */
512	c = sc->channels[found] = xcalloc(1, sizeof(Channel));
513	if ((c->input = sshbuf_new()) == NULL((void *)0) \|\|
514	(c->output = sshbuf_new()) == NULL((void *)0) \|\|
515	(c->extended = sshbuf_new()) == NULL((void *)0))
516	fatal_f("sshbuf_new failed")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 516 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "sshbuf_new failed");
517	if ((r = sshbuf_set_max_size(c->input, CHAN_INPUT_MAX(1610241024))) != 0)
518	fatal_fr(r, "sshbuf_set_max_size")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 518 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "sshbuf_set_max_size");
519	c->ostate = CHAN_OUTPUT_OPEN0;
520	c->istate = CHAN_INPUT_OPEN0;
521	channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0);
522	c->self = found;
523	c->type = type;
524	c->ctype = ctype;
525	c->local_window = window;
526	c->local_window_max = window;
527	c->local_maxpacket = maxpack;
528	c->remote_name = xstrdup(remote_name);
529	c->ctl_chan = -1;
530	c->delayed = 1; /* prevent call to channel_post handler */
531	c->inactive_deadline = lookup_timeout(ssh, c->ctype);
532	TAILQ_INIT(&c->status_confirms)do { (&c->status_confirms)->tqh_first = ((void *)0) ; (&c->status_confirms)->tqh_last = &(&c-> status_confirms)->tqh_first; } while (0);
533	debug("channel %d: new %s [%s] (inactive timeout: %u)",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 534 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: new %s [%s] (inactive timeout: %u)" , found, c->ctype, remote_name, c->inactive_deadline)
534	found, c->ctype, remote_name, c->inactive_deadline)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 534 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: new %s [%s] (inactive timeout: %u)" , found, c->ctype, remote_name, c->inactive_deadline);
535	return c;
536	}
537
538	int
539	channel_close_fd(struct ssh ssh, Channel c, int *fdp)
540	{
541	int ret, fd = *fdp;
542
543	if (fd == -1)
544	return 0;
545
546	/* restore blocking */
547	if (*fdp == c->rfd &&
548	(c->restore_block & CHANNEL_RESTORE_RFD0x01) != 0)
549	(void)fcntl(*fdp, F_SETFL4, c->restore_flags[0]);
550	else if (*fdp == c->wfd &&
551	(c->restore_block & CHANNEL_RESTORE_WFD0x02) != 0)
552	(void)fcntl(*fdp, F_SETFL4, c->restore_flags[1]);
553	else if (*fdp == c->efd &&
554	(c->restore_block & CHANNEL_RESTORE_EFD0x04) != 0)
555	(void)fcntl(*fdp, F_SETFL4, c->restore_flags[2]);
556
557	if (*fdp == c->rfd) {
558	c->io_want &= ~SSH_CHAN_IO_RFD0x01;
559	c->io_ready &= ~SSH_CHAN_IO_RFD0x01;
560	c->rfd = -1;
561	c->pfds[0] = -1;
562	}
563	if (*fdp == c->wfd) {
564	c->io_want &= ~SSH_CHAN_IO_WFD0x02;
565	c->io_ready &= ~SSH_CHAN_IO_WFD0x02;
566	c->wfd = -1;
567	c->pfds[1] = -1;
568	}
569	if (*fdp == c->efd) {
570	c->io_want &= ~SSH_CHAN_IO_EFD(0x04\|0x08);
571	c->io_ready &= ~SSH_CHAN_IO_EFD(0x04\|0x08);
572	c->efd = -1;
573	c->pfds[2] = -1;
574	}
575	if (*fdp == c->sock) {
576	c->io_want &= ~SSH_CHAN_IO_SOCK(0x10\|0x20);
577	c->io_ready &= ~SSH_CHAN_IO_SOCK(0x10\|0x20);
578	c->sock = -1;
579	c->pfds[3] = -1;
580	}
581
582	ret = close(fd);
583	fdp = -1; / probably redundant */
584	return ret;
585	}
586
587	/* Close all channel fd/socket. */
588	static void
589	channel_close_fds(struct ssh ssh, Channel c)
590	{
591	int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
592
593	channel_close_fd(ssh, c, &c->sock);
594	if (rfd != sock)
595	channel_close_fd(ssh, c, &c->rfd);
596	if (wfd != sock && wfd != rfd)
597	channel_close_fd(ssh, c, &c->wfd);
598	if (efd != sock && efd != rfd && efd != wfd)
599	channel_close_fd(ssh, c, &c->efd);
600	}
601
602	static void
603	fwd_perm_clear(struct permission *perm)
604	{
605	free(perm->host_to_connect);
606	free(perm->listen_host);
607	free(perm->listen_path);
608	memset(perm, 0, sizeof(*perm));
609	}
610
611	/* Returns an printable name for the specified forwarding permission list */
612	static const char *
613	fwd_ident(int who, int where)
614	{
615	if (who == FORWARD_ADM0x100) {
616	if (where == FORWARD_LOCAL(1<<1))
617	return "admin local";
618	else if (where == FORWARD_REMOTE(1))
619	return "admin remote";
620	} else if (who == FORWARD_USER0x101) {
621	if (where == FORWARD_LOCAL(1<<1))
622	return "user local";
623	else if (where == FORWARD_REMOTE(1))
624	return "user remote";
625	}
626	fatal("Unknown forward permission list %d/%d", who, where)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 626 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "Unknown forward permission list %d/%d" , who, where);
627	}
628
629	/* Returns the forwarding permission list for the specified direction */
630	static struct permission_set *
631	permission_set_get(struct ssh *ssh, int where)
632	{
633	struct ssh_channels *sc = ssh->chanctxt;
634
635	switch (where) {
636	case FORWARD_LOCAL(1<<1):
637	return &sc->local_perms;
638	break;
639	case FORWARD_REMOTE(1):
640	return &sc->remote_perms;
641	break;
642	default:
643	fatal_f("invalid forwarding direction %d", where)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 643 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "invalid forwarding direction %d" , where);
644	}
645	}
646
647	/* Returns pointers to the specified forwarding list and its element count */
648	static void
649	permission_set_get_array(struct ssh *ssh, int who, int where,
650	struct permission *permpp, u_int npermpp)
651	{
652	struct permission_set *pset = permission_set_get(ssh, where);
653
654	switch (who) {
655	case FORWARD_USER0x101:
656	*permpp = &pset->permitted_user;
657	*npermpp = &pset->num_permitted_user;
658	break;
659	case FORWARD_ADM0x100:
660	*permpp = &pset->permitted_admin;
661	*npermpp = &pset->num_permitted_admin;
662	break;
663	default:
664	fatal_f("invalid forwarding client %d", who)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 664 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "invalid forwarding client %d" , who);
665	}
666	}
667
668	/* Adds an entry to the specified forwarding list */
669	static int
670	permission_set_add(struct ssh *ssh, int who, int where,
671	const char *host_to_connect, int port_to_connect,
672	const char listen_host, const char listen_path, int listen_port,
673	Channel *downstream)
674	{
675	struct permission **permp;
676	u_int n, *npermp;
677
678	permission_set_get_array(ssh, who, where, &permp, &npermp);
679
680	if (*npermp >= INT_MAX0x7fffffff)
681	fatal_f("%s overflow", fwd_ident(who, where))sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 681 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "%s overflow", fwd_ident (who, where));
682
683	permp = xrecallocarray(permp, npermp, npermp + 1, sizeof(**permp));
684	n = (*npermp)++;
685	#define MAYBE_DUP(s) ((s == NULL((void )0)) ? NULL((void )0) : xstrdup(s))
686	(*permp)[n].host_to_connect = MAYBE_DUP(host_to_connect);
687	(*permp)[n].port_to_connect = port_to_connect;
688	(*permp)[n].listen_host = MAYBE_DUP(listen_host);
689	(*permp)[n].listen_path = MAYBE_DUP(listen_path);
690	(*permp)[n].listen_port = listen_port;
691	(*permp)[n].downstream = downstream;
692	#undef MAYBE_DUP
693	return (int)n;
694	}
695
696	static void
697	mux_remove_remote_forwardings(struct ssh ssh, Channel c)
698	{
699	struct ssh_channels *sc = ssh->chanctxt;
700	struct permission_set *pset = &sc->local_perms;
701	struct permission *perm;
702	int r;
703	u_int i;
704
705	for (i = 0; i < pset->num_permitted_user; i++) {
706	perm = &pset->permitted_user[i];
707	if (perm->downstream != c)
708	continue;
709
710	/* cancel on the server, since mux client is gone */
711	debug("channel %d: cleanup remote forward for %s:%u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 712 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: cleanup remote forward for %s:%u" , c->self, perm->listen_host, perm->listen_port)
712	c->self, perm->listen_host, perm->listen_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 712 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: cleanup remote forward for %s:%u" , c->self, perm->listen_host, perm->listen_port);
713	if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 \|\|
714	(r = sshpkt_put_cstring(ssh,
715	"cancel-tcpip-forward")) != 0 \|\|
716	(r = sshpkt_put_u8(ssh, 0)) != 0 \|\|
717	(r = sshpkt_put_cstring(ssh,
718	channel_rfwd_bind_host(perm->listen_host))) != 0 \|\|
719	(r = sshpkt_put_u32(ssh, perm->listen_port)) != 0 \|\|
720	(r = sshpkt_send(ssh)) != 0) {
721	fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 721 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self );
722	}
723	fwd_perm_clear(perm); /* unregister */
724	}
725	}
726
727	/* Free the channel and close its fd/socket. */
728	void
729	channel_free(struct ssh ssh, Channel c)
730	{
731	struct ssh_channels *sc = ssh->chanctxt;
732	char *s;
733	u_int i, n;
734	Channel *other;
735	struct channel_confirm *cc;
736
737	for (n = 0, i = 0; i < sc->channels_alloc; i++) {
738	if ((other = sc->channels[i]) == NULL((void *)0))
739	continue;
740	n++;
741	/* detach from mux client and prepare for closing */
742	if (c->type == SSH_CHANNEL_MUX_CLIENT16 &&
743	other->type == SSH_CHANNEL_MUX_PROXY20 &&
744	other->mux_ctx == c) {
745	other->mux_ctx = NULL((void *)0);
746	other->type = SSH_CHANNEL_OPEN4;
747	other->istate = CHAN_INPUT_CLOSED3;
748	other->ostate = CHAN_OUTPUT_CLOSED3;
749	}
750	}
751	debug("channel %d: free: %s, nchannels %u", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 752 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: free: %s, nchannels %u" , c->self, c->remote_name ? c->remote_name : "???", n )
752	c->remote_name ? c->remote_name : "???", n)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 752 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: free: %s, nchannels %u" , c->self, c->remote_name ? c->remote_name : "???", n );
753
754	if (c->type == SSH_CHANNEL_MUX_CLIENT16) {
755	mux_remove_remote_forwardings(ssh, c);
756	free(c->mux_ctx);
757	c->mux_ctx = NULL((void *)0);
758	} else if (c->type == SSH_CHANNEL_MUX_LISTENER15) {
759	free(c->mux_ctx);
760	c->mux_ctx = NULL((void *)0);
761	}
762
763	if (log_level_get() >= SYSLOG_LEVEL_DEBUG3) {
764	s = channel_open_message(ssh);
765	debug3("channel %d: status: %s", c->self, s)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 765 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: status: %s" , c->self, s);
766	free(s);
767	}
768
769	channel_close_fds(ssh, c);
770	sshbuf_free(c->input);
771	sshbuf_free(c->output);
772	sshbuf_free(c->extended);
773	c->input = c->output = c->extended = NULL((void *)0);
774	free(c->remote_name);
775	c->remote_name = NULL((void *)0);
776	free(c->path);
777	c->path = NULL((void *)0);
778	free(c->listening_addr);
779	c->listening_addr = NULL((void *)0);
780	free(c->xctype);
781	c->xctype = NULL((void *)0);
782	while ((cc = TAILQ_FIRST(&c->status_confirms)((&c->status_confirms)->tqh_first)) != NULL((void *)0)) {
783	if (cc->abandon_cb != NULL((void *)0))
784	cc->abandon_cb(ssh, c, cc->ctx);
785	TAILQ_REMOVE(&c->status_confirms, cc, entry)do { if (((cc)->entry.tqe_next) != ((void )0)) (cc)->entry .tqe_next->entry.tqe_prev = (cc)->entry.tqe_prev; else ( &c->status_confirms)->tqh_last = (cc)->entry.tqe_prev ; (cc)->entry.tqe_prev = (cc)->entry.tqe_next; ; ; } while (0);
786	freezero(cc, sizeof(*cc));
787	}
788	if (c->filter_cleanup != NULL((void )0) && c->filter_ctx != NULL((void )0))
789	c->filter_cleanup(ssh, c->self, c->filter_ctx);
790	sc->channels[c->self] = NULL((void *)0);
791	freezero(c, sizeof(*c));
792	}
793
794	void
795	channel_free_all(struct ssh *ssh)
796	{
797	u_int i;
798	struct ssh_channels *sc = ssh->chanctxt;
799
800	for (i = 0; i < sc->channels_alloc; i++)
801	if (sc->channels[i] != NULL((void *)0))
802	channel_free(ssh, sc->channels[i]);
803
804	free(sc->channels);
805	sc->channels = NULL((void *)0);
806	sc->channels_alloc = 0;
807
808	free(sc->x11_saved_display);
809	sc->x11_saved_display = NULL((void *)0);
810
811	free(sc->x11_saved_proto);
812	sc->x11_saved_proto = NULL((void *)0);
813
814	free(sc->x11_saved_data);
815	sc->x11_saved_data = NULL((void *)0);
816	sc->x11_saved_data_len = 0;
817
818	free(sc->x11_fake_data);
819	sc->x11_fake_data = NULL((void *)0);
820	sc->x11_fake_data_len = 0;
821	}
822
823	/*
824	* Closes the sockets/fds of all channels. This is used to close extra file
825	* descriptors after a fork.
826	*/
827	void
828	channel_close_all(struct ssh *ssh)
829	{
830	u_int i;
831
832	for (i = 0; i < ssh->chanctxt->channels_alloc; i++)
833	if (ssh->chanctxt->channels[i] != NULL((void *)0))
834	channel_close_fds(ssh, ssh->chanctxt->channels[i]);
835	}
836
837	/*
838	* Stop listening to channels.
839	*/
840	void
841	channel_stop_listening(struct ssh *ssh)
842	{
843	u_int i;
844	Channel *c;
845
846	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
847	c = ssh->chanctxt->channels[i];
848	if (c != NULL((void *)0)) {
849	switch (c->type) {
850	case SSH_CHANNEL_AUTH_SOCKET6:
851	case SSH_CHANNEL_PORT_LISTENER2:
852	case SSH_CHANNEL_RPORT_LISTENER11:
853	case SSH_CHANNEL_X11_LISTENER1:
854	case SSH_CHANNEL_UNIX_LISTENER18:
855	case SSH_CHANNEL_RUNIX_LISTENER19:
856	channel_close_fd(ssh, c, &c->sock);
857	channel_free(ssh, c);
858	break;
859	}
860	}
861	}
862	}
863
864	/*
865	* Returns true if no channel has too much buffered data, and false if one or
866	* more channel is overfull.
867	*/
868	int
869	channel_not_very_much_buffered_data(struct ssh *ssh)
870	{
871	u_int i;
872	u_int maxsize = ssh_packet_get_maxsize(ssh);
873	Channel *c;
874
875	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
876	c = ssh->chanctxt->channels[i];
877	if (c == NULL((void *)0) \|\| c->type != SSH_CHANNEL_OPEN4)
878	continue;
879	if (sshbuf_len(c->output) > maxsize) {
880	debug2("channel %d: big output buffer %zu > %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 881 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: big output buffer %zu > %u" , c->self, sshbuf_len(c->output), maxsize)
881	c->self, sshbuf_len(c->output), maxsize)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 881 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: big output buffer %zu > %u" , c->self, sshbuf_len(c->output), maxsize);
882	return 0;
883	}
884	}
885	return 1;
886	}
887
888	/* Returns true if any channel is still open. */
889	int
890	channel_still_open(struct ssh *ssh)
891	{
892	u_int i;
893	Channel *c;
894
895	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
896	c = ssh->chanctxt->channels[i];
897	if (c == NULL((void *)0))
898	continue;
899	switch (c->type) {
900	case SSH_CHANNEL_X11_LISTENER1:
901	case SSH_CHANNEL_PORT_LISTENER2:
902	case SSH_CHANNEL_RPORT_LISTENER11:
903	case SSH_CHANNEL_MUX_LISTENER15:
904	case SSH_CHANNEL_CLOSED5:
905	case SSH_CHANNEL_AUTH_SOCKET6:
906	case SSH_CHANNEL_DYNAMIC13:
907	case SSH_CHANNEL_RDYNAMIC_OPEN21:
908	case SSH_CHANNEL_CONNECTING12:
909	case SSH_CHANNEL_ZOMBIE14:
910	case SSH_CHANNEL_ABANDONED17:
911	case SSH_CHANNEL_UNIX_LISTENER18:
912	case SSH_CHANNEL_RUNIX_LISTENER19:
913	continue;
914	case SSH_CHANNEL_LARVAL10:
915	continue;
916	case SSH_CHANNEL_OPENING3:
917	case SSH_CHANNEL_OPEN4:
918	case SSH_CHANNEL_RDYNAMIC_FINISH22:
919	case SSH_CHANNEL_X11_OPEN7:
920	case SSH_CHANNEL_MUX_CLIENT16:
921	case SSH_CHANNEL_MUX_PROXY20:
922	return 1;
923	default:
924	fatal_f("bad channel type %d", c->type)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 924 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "bad channel type %d", c ->type);
925	/* NOTREACHED */
926	}
927	}
928	return 0;
929	}
930
931	/* Returns true if a channel with a TTY is open. */
932	int
933	channel_tty_open(struct ssh *ssh)
934	{
935	u_int i;
936	Channel *c;
937
938	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
939	c = ssh->chanctxt->channels[i];
940	if (c == NULL((void *)0) \|\| c->type != SSH_CHANNEL_OPEN4)
941	continue;
942	if (c->client_tty)
943	return 1;
944	}
945	return 0;
946	}
947
948	/* Returns the id of an open channel suitable for keepaliving */
949	int
950	channel_find_open(struct ssh *ssh)
951	{
952	u_int i;
953	Channel *c;
954
955	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
956	c = ssh->chanctxt->channels[i];
957	if (c == NULL((void *)0) \|\| !c->have_remote_id)
958	continue;
959	switch (c->type) {
960	case SSH_CHANNEL_CLOSED5:
961	case SSH_CHANNEL_DYNAMIC13:
962	case SSH_CHANNEL_RDYNAMIC_OPEN21:
963	case SSH_CHANNEL_RDYNAMIC_FINISH22:
964	case SSH_CHANNEL_X11_LISTENER1:
965	case SSH_CHANNEL_PORT_LISTENER2:
966	case SSH_CHANNEL_RPORT_LISTENER11:
967	case SSH_CHANNEL_MUX_LISTENER15:
968	case SSH_CHANNEL_MUX_CLIENT16:
969	case SSH_CHANNEL_MUX_PROXY20:
970	case SSH_CHANNEL_OPENING3:
971	case SSH_CHANNEL_CONNECTING12:
972	case SSH_CHANNEL_ZOMBIE14:
973	case SSH_CHANNEL_ABANDONED17:
974	case SSH_CHANNEL_UNIX_LISTENER18:
975	case SSH_CHANNEL_RUNIX_LISTENER19:
976	continue;
977	case SSH_CHANNEL_LARVAL10:
978	case SSH_CHANNEL_AUTH_SOCKET6:
979	case SSH_CHANNEL_OPEN4:
980	case SSH_CHANNEL_X11_OPEN7:
981	return i;
982	default:
983	fatal_f("bad channel type %d", c->type)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 983 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "bad channel type %d", c ->type);
984	/* NOTREACHED */
985	}
986	}
987	return -1;
988	}
989
990	/* Returns the state of the channel's extended usage flag */
991	const char *
992	channel_format_extended_usage(const Channel *c)
993	{
994	if (c->efd == -1)
995	return "closed";
996
997	switch (c->extended_usage) {
998	case CHAN_EXTENDED_WRITE2:
999	return "write";
1000	case CHAN_EXTENDED_READ1:
1001	return "read";
1002	case CHAN_EXTENDED_IGNORE0:
1003	return "ignore";
1004	default:
1005	return "UNKNOWN";
1006	}
1007	}
1008
1009	static char *
1010	channel_format_status(const Channel *c)
1011	{
1012	char ret = NULL((void )0);
1013
1014	xasprintf(&ret, "t%d [%s] %s%u i%u/%zu o%u/%zu e[%s]/%zu "
1015	"fd %d/%d/%d sock %d cc %d io 0x%02x/0x%02x",
1016	c->type, c->xctype != NULL((void *)0) ? c->xctype : c->ctype,
1017	c->have_remote_id ? "r" : "nr", c->remote_id,
1018	c->istate, sshbuf_len(c->input),
1019	c->ostate, sshbuf_len(c->output),
1020	channel_format_extended_usage(c), sshbuf_len(c->extended),
1021	c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan,
1022	c->io_want, c->io_ready);
1023	return ret;
1024	}
1025
1026	/*
1027	* Returns a message describing the currently open forwarded connections,
1028	* suitable for sending to the client. The message contains crlf pairs for
1029	* newlines.
1030	*/
1031	char *
1032	channel_open_message(struct ssh *ssh)
1033	{
1034	struct sshbuf *buf;
1035	Channel *c;
1036	u_int i;
1037	int r;
1038	char cp, ret;
1039
1040	if ((buf = sshbuf_new()) == NULL((void *)0))
1041	fatal_f("sshbuf_new")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1041 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "sshbuf_new");
1042	if ((r = sshbuf_putf(buf,
1043	"The following connections are open:\r\n")) != 0)
1044	fatal_fr(r, "sshbuf_putf")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1044 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "sshbuf_putf");
1045	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
1046	c = ssh->chanctxt->channels[i];
1047	if (c == NULL((void *)0))
1048	continue;
1049	switch (c->type) {
1050	case SSH_CHANNEL_X11_LISTENER1:
1051	case SSH_CHANNEL_PORT_LISTENER2:
1052	case SSH_CHANNEL_RPORT_LISTENER11:
1053	case SSH_CHANNEL_CLOSED5:
1054	case SSH_CHANNEL_AUTH_SOCKET6:
1055	case SSH_CHANNEL_ZOMBIE14:
1056	case SSH_CHANNEL_ABANDONED17:
1057	case SSH_CHANNEL_MUX_LISTENER15:
1058	case SSH_CHANNEL_UNIX_LISTENER18:
1059	case SSH_CHANNEL_RUNIX_LISTENER19:
1060	continue;
1061	case SSH_CHANNEL_LARVAL10:
1062	case SSH_CHANNEL_OPENING3:
1063	case SSH_CHANNEL_CONNECTING12:
1064	case SSH_CHANNEL_DYNAMIC13:
1065	case SSH_CHANNEL_RDYNAMIC_OPEN21:
1066	case SSH_CHANNEL_RDYNAMIC_FINISH22:
1067	case SSH_CHANNEL_OPEN4:
1068	case SSH_CHANNEL_X11_OPEN7:
1069	case SSH_CHANNEL_MUX_PROXY20:
1070	case SSH_CHANNEL_MUX_CLIENT16:
1071	cp = channel_format_status(c);
1072	if ((r = sshbuf_putf(buf, " #%d %.300s (%s)\r\n",
1073	c->self, c->remote_name, cp)) != 0) {
1074	free(cp);
1075	fatal_fr(r, "sshbuf_putf")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1075 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "sshbuf_putf");
1076	}
1077	free(cp);
1078	continue;
1079	default:
1080	fatal_f("bad channel type %d", c->type)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1080 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "bad channel type %d", c ->type);
1081	/* NOTREACHED */
1082	}
1083	}
1084	if ((ret = sshbuf_dup_string(buf)) == NULL((void *)0))
1085	fatal_f("sshbuf_dup_string")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1085 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "sshbuf_dup_string");
1086	sshbuf_free(buf);
1087	return ret;
1088	}
1089
1090	static void
1091	open_preamble(struct ssh ssh, const char where, Channel c, const char type)
1092	{
1093	int r;
1094
1095	if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN90)) != 0 \|\|
1096	(r = sshpkt_put_cstring(ssh, type)) != 0 \|\|
1097	(r = sshpkt_put_u32(ssh, c->self)) != 0 \|\|
1098	(r = sshpkt_put_u32(ssh, c->local_window)) != 0 \|\|
1099	(r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) {
1100	fatal_r(r, "%s: channel %i: open", where, c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1100 , 0, SYSLOG_LEVEL_FATAL, ssh_err(r), "%s: channel %i: open", where , c->self);
1101	}
1102	}
1103
1104	void
1105	channel_send_open(struct ssh *ssh, int id)
1106	{
1107	Channel *c = channel_lookup(ssh, id);
1108	int r;
1109
1110	if (c == NULL((void *)0)) {
1111	logit("channel_send_open: %d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1111 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel_send_open: %d: bad id" , id);
1112	return;
1113	}
1114	debug2("channel %d: send open", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1114 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: send open" , id);
1115	open_preamble(ssh, __func__, c, c->ctype);
1116	if ((r = sshpkt_send(ssh)) != 0)
1117	fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1117 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self );
1118	}
1119
1120	void
1121	channel_request_start(struct ssh ssh, int id, char service, int wantconfirm)
1122	{
1123	Channel *c = channel_lookup(ssh, id);
1124	int r;
1125
1126	if (c == NULL((void *)0)) {
1127	logit_f("%d: unknown channel id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1127 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: unknown channel id" , id);
1128	return;
1129	}
1130	if (!c->have_remote_id)
1131	fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1131 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self);
1132
1133	debug2("channel %d: request %s confirm %d", id, service, wantconfirm)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1133 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: request %s confirm %d" , id, service, wantconfirm);
1134	if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_REQUEST98)) != 0 \|\|
1135	(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 \|\|
1136	(r = sshpkt_put_cstring(ssh, service)) != 0 \|\|
1137	(r = sshpkt_put_u8(ssh, wantconfirm)) != 0) {
1138	fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1138 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self );
1139	}
1140	}
1141
1142	void
1143	channel_register_status_confirm(struct ssh *ssh, int id,
1144	channel_confirm_cb cb, channel_confirm_abandon_cb abandon_cb, void *ctx)
1145	{
1146	struct channel_confirm *cc;
1147	Channel *c;
1148
1149	if ((c = channel_lookup(ssh, id)) == NULL((void *)0))
1150	fatal_f("%d: bad id", id)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1150 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "%d: bad id", id);
1151
1152	cc = xcalloc(1, sizeof(*cc));
1153	cc->cb = cb;
1154	cc->abandon_cb = abandon_cb;
1155	cc->ctx = ctx;
1156	TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry)do { (cc)->entry.tqe_next = ((void )0); (cc)->entry.tqe_prev = (&c->status_confirms)->tqh_last; (&c->status_confirms )->tqh_last = (cc); (&c->status_confirms)->tqh_last = &(cc)->entry.tqe_next; } while (0);
1157	}
1158
1159	void
1160	channel_register_open_confirm(struct ssh *ssh, int id,
1161	channel_open_fn fn, void ctx)
1162	{
1163	Channel *c = channel_lookup(ssh, id);
1164
1165	if (c == NULL((void *)0)) {
1166	logit_f("%d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1166 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id", id);
1167	return;
1168	}
1169	c->open_confirm = fn;
1170	c->open_confirm_ctx = ctx;
1171	}
1172
1173	void
1174	channel_register_cleanup(struct ssh *ssh, int id,
1175	channel_callback_fn *fn, int do_close)
1176	{
1177	Channel *c = channel_by_id(ssh, id);
1178
1179	if (c == NULL((void *)0)) {
1180	logit_f("%d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1180 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id", id);
1181	return;
1182	}
1183	c->detach_user = fn;
1184	c->detach_close = do_close;
1185	}
1186
1187	void
1188	channel_cancel_cleanup(struct ssh *ssh, int id)
1189	{
1190	Channel *c = channel_by_id(ssh, id);
1191
1192	if (c == NULL((void *)0)) {
1193	logit_f("%d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1193 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id", id);
1194	return;
1195	}
1196	c->detach_user = NULL((void *)0);
1197	c->detach_close = 0;
1198	}
1199
1200	void
1201	channel_register_filter(struct ssh ssh, int id, channel_infilter_fn ifn,
1202	channel_outfilter_fn ofn, channel_filter_cleanup_fn cfn, void *ctx)
1203	{
1204	Channel *c = channel_lookup(ssh, id);
1205
1206	if (c == NULL((void *)0)) {
1207	logit_f("%d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1207 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id", id);
1208	return;
1209	}
1210	c->input_filter = ifn;
1211	c->output_filter = ofn;
1212	c->filter_ctx = ctx;
1213	c->filter_cleanup = cfn;
1214	}
1215
1216	void
1217	channel_set_fds(struct ssh *ssh, int id, int rfd, int wfd, int efd,
1218	int extusage, int nonblock, int is_tty, u_int window_max)
1219	{
1220	Channel *c = channel_lookup(ssh, id);
1221	int r;
1222
1223	if (c == NULL((void *)0) \|\| c->type != SSH_CHANNEL_LARVAL10)
1224	fatal("channel_activate for non-larval channel %d.", id)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1224 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel_activate for non-larval channel %d." , id);
1225	if (!c->have_remote_id)
1226	fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1226 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self);
1227
1228	channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, is_tty);
1229	c->type = SSH_CHANNEL_OPEN4;
1230	channel_set_used_time(ssh, c);
1231	c->local_window = c->local_window_max = window_max;
1232
1233	if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST93)) != 0 \|\|
1234	(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 \|\|
1235	(r = sshpkt_put_u32(ssh, c->local_window)) != 0 \|\|
1236	(r = sshpkt_send(ssh)) != 0)
1237	fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1237 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self );
1238	}
1239
1240	static void
1241	channel_pre_listener(struct ssh ssh, Channel c)
1242	{
1243	c->io_want = SSH_CHAN_IO_SOCK_R0x10;
1244	}
1245
1246	static void
1247	channel_pre_connecting(struct ssh ssh, Channel c)
1248	{
1249	debug3("channel %d: waiting for connection", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1249 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: waiting for connection" , c->self);
1250	c->io_want = SSH_CHAN_IO_SOCK_W0x20;
1251	}
1252
1253	static void
1254	channel_pre_open(struct ssh ssh, Channel c)
1255	{
1256	c->io_want = 0;
1257	if (c->istate == CHAN_INPUT_OPEN0 &&
1258	c->remote_window > 0 &&
1259	sshbuf_len(c->input) < c->remote_window &&
1260	sshbuf_check_reserve(c->input, CHAN_RBUF(16*1024)) == 0)
1261	c->io_want \|= SSH_CHAN_IO_RFD0x01;
1262	if (c->ostate == CHAN_OUTPUT_OPEN0 \|\|
1263	c->ostate == CHAN_OUTPUT_WAIT_DRAIN1) {
1264	if (sshbuf_len(c->output) > 0) {
1265	c->io_want \|= SSH_CHAN_IO_WFD0x02;
1266	} else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN1) {
1267	if (CHANNEL_EFD_OUTPUT_ACTIVE(c)(c->extended_usage == 2 && c->efd != -1 && (!(c->flags & (0x08\|0x02)) \|\| sshbuf_len(c->extended ) > 0)))
1268	debug2("channel %d: "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1270 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "obuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended))
1269	"obuf_empty delayed efd %d/(%zu)", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1270 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "obuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended))
1270	c->efd, sshbuf_len(c->extended))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1270 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "obuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended));
1271	else
1272	chan_obuf_empty(ssh, c);
1273	}
1274	}
1275	/** XXX check close conditions, too */
1276	if (c->efd != -1 && !(c->istate == CHAN_INPUT_CLOSED3 &&
1277	c->ostate == CHAN_OUTPUT_CLOSED3)) {
1278	if (c->extended_usage == CHAN_EXTENDED_WRITE2 &&
1279	sshbuf_len(c->extended) > 0)
1280	c->io_want \|= SSH_CHAN_IO_EFD_W0x08;
1281	else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT0x04) &&
1282	(c->extended_usage == CHAN_EXTENDED_READ1 \|\|
1283	c->extended_usage == CHAN_EXTENDED_IGNORE0) &&
1284	sshbuf_len(c->extended) < c->remote_window)
1285	c->io_want \|= SSH_CHAN_IO_EFD_R0x04;
1286	}
1287	/* XXX: What about efd? races? */
1288	}
1289
1290	/*
1291	* This is a special state for X11 authentication spoofing. An opened X11
1292	* connection (when authentication spoofing is being done) remains in this
1293	* state until the first packet has been completely read. The authentication
1294	* data in that packet is then substituted by the real data if it matches the
1295	* fake data, and the channel is put into normal mode.
1296	* XXX All this happens at the client side.
1297	* Returns: 0 = need more data, -1 = wrong cookie, 1 = ok
1298	*/
1299	static int
1300	x11_open_helper(struct ssh ssh, struct sshbuf b)
1301	{
1302	struct ssh_channels *sc = ssh->chanctxt;
1303	u_char *ucp;
1304	u_int proto_len, data_len;
1305
1306	/* Is this being called after the refusal deadline? */
1307	if (sc->x11_refuse_time != 0 &&
1308	monotime() >= sc->x11_refuse_time) {
1309	verbose("Rejected X11 connection after ForwardX11Timeout "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1310 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "Rejected X11 connection after ForwardX11Timeout " "expired")
1310	"expired")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1310 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "Rejected X11 connection after ForwardX11Timeout " "expired");
1311	return -1;
1312	}
1313
1314	/* Check if the fixed size part of the packet is in buffer. */
1315	if (sshbuf_len(b) < 12)
1316	return 0;
1317
1318	/* Parse the lengths of variable-length fields. */
1319	ucp = sshbuf_mutable_ptr(b);
1320	if (ucp[0] == 0x42) { /* Byte order MSB first. */
1321	proto_len = 256 * ucp[6] + ucp[7];
1322	data_len = 256 * ucp[8] + ucp[9];
1323	} else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
1324	proto_len = ucp[6] + 256 * ucp[7];
1325	data_len = ucp[8] + 256 * ucp[9];
1326	} else {
1327	debug2("Initial X11 packet contains bad byte order byte: 0x%x",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1328 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "Initial X11 packet contains bad byte order byte: 0x%x" , ucp[0])
1328	ucp[0])sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1328 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "Initial X11 packet contains bad byte order byte: 0x%x" , ucp[0]);
1329	return -1;
1330	}
1331
1332	/* Check if the whole packet is in buffer. */
1333	if (sshbuf_len(b) <
1334	12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
1335	return 0;
1336
1337	/* Check if authentication protocol matches. */
1338	if (proto_len != strlen(sc->x11_saved_proto) \|\|
1339	memcmp(ucp + 12, sc->x11_saved_proto, proto_len) != 0) {
1340	debug2("X11 connection uses different authentication protocol.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1340 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "X11 connection uses different authentication protocol." );
1341	return -1;
1342	}
1343	/* Check if authentication data matches our fake data. */
1344	if (data_len != sc->x11_fake_data_len \|\|
1345	timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3),
1346	sc->x11_fake_data, sc->x11_fake_data_len) != 0) {
1347	debug2("X11 auth data does not match fake data.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1347 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "X11 auth data does not match fake data." );
1348	return -1;
1349	}
1350	/* Check fake data length */
1351	if (sc->x11_fake_data_len != sc->x11_saved_data_len) {
1352	error("X11 fake_data_len %d != saved_data_len %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1353 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "X11 fake_data_len %d != saved_data_len %d" , sc->x11_fake_data_len, sc->x11_saved_data_len)
1353	sc->x11_fake_data_len, sc->x11_saved_data_len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1353 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "X11 fake_data_len %d != saved_data_len %d" , sc->x11_fake_data_len, sc->x11_saved_data_len);
1354	return -1;
1355	}
1356	/*
1357	* Received authentication protocol and data match
1358	* our fake data. Substitute the fake data with real
1359	* data.
1360	*/
1361	memcpy(ucp + 12 + ((proto_len + 3) & ~3),
1362	sc->x11_saved_data, sc->x11_saved_data_len);
1363	return 1;
1364	}
1365
1366	void
1367	channel_force_close(struct ssh ssh, Channel c, int abandon)
1368	{
1369	debug3_f("channel %d: forcibly closing", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1369 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: forcibly closing" , c->self);
1370	if (c->istate == CHAN_INPUT_OPEN0)
1371	chan_read_failed(ssh, c);
1372	if (c->istate == CHAN_INPUT_WAIT_DRAIN1) {
1373	sshbuf_reset(c->input);
1374	chan_ibuf_empty(ssh, c);
1375	}
1376	if (c->ostate == CHAN_OUTPUT_OPEN0 \|\|
1377	c->ostate == CHAN_OUTPUT_WAIT_DRAIN1) {
1378	sshbuf_reset(c->output);
1379	chan_write_failed(ssh, c);
1380	}
1381	if (c->detach_user)
1382	c->detach_user(ssh, c->self, 1, NULL((void *)0));
1383	if (c->efd != -1)
1384	channel_close_fd(ssh, c, &c->efd);
1385	if (abandon)
1386	c->type = SSH_CHANNEL_ABANDONED17;
1387	/* exempt from inactivity timeouts */
1388	c->inactive_deadline = 0;
1389	c->lastused = 0;
1390	}
1391
1392	static void
1393	channel_pre_x11_open(struct ssh ssh, Channel c)
1394	{
1395	int ret = x11_open_helper(ssh, c->output);
1396
1397	/* c->force_drain = 1; */
1398
1399	if (ret == 1) {
1400	c->type = SSH_CHANNEL_OPEN4;
1401	channel_set_used_time(ssh, c);
1402	channel_pre_open(ssh, c);
1403	} else if (ret == -1) {
1404	logit("X11 connection rejected because of wrong "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1405 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "X11 connection rejected because of wrong " "authentication.")
1405	"authentication.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1405 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "X11 connection rejected because of wrong " "authentication.");
1406	debug2("X11 rejected %d i%d/o%d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1407 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "X11 rejected %d i%d/o%d" , c->self, c->istate, c->ostate)
1407	c->self, c->istate, c->ostate)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1407 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "X11 rejected %d i%d/o%d" , c->self, c->istate, c->ostate);
1408	channel_force_close(ssh, c, 0);
1409	}
1410	}
1411
1412	static void
1413	channel_pre_mux_client(struct ssh ssh, Channel c)
1414	{
1415	c->io_want = 0;
1416	if (c->istate == CHAN_INPUT_OPEN0 && !c->mux_pause &&
1417	sshbuf_check_reserve(c->input, CHAN_RBUF(16*1024)) == 0)
1418	c->io_want \|= SSH_CHAN_IO_RFD0x01;
1419	if (c->istate == CHAN_INPUT_WAIT_DRAIN1) {
1420	/* clear buffer immediately (discard any partial packet) */
1421	sshbuf_reset(c->input);
1422	chan_ibuf_empty(ssh, c);
1423	/* Start output drain. XXX just kill chan? */
1424	chan_rcvd_oclose(ssh, c);
1425	}
1426	if (c->ostate == CHAN_OUTPUT_OPEN0 \|\|
1427	c->ostate == CHAN_OUTPUT_WAIT_DRAIN1) {
1428	if (sshbuf_len(c->output) > 0)
1429	c->io_want \|= SSH_CHAN_IO_WFD0x02;
1430	else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN1)
1431	chan_obuf_empty(ssh, c);
1432	}
1433	}
1434
1435	/* try to decode a socks4 header */
1436	static int
1437	channel_decode_socks4(Channel c, struct sshbuf input, struct sshbuf *output)
1438	{
1439	const u_char *p;
1440	char *host;
1441	u_int len, have, i, found, need;
1442	char username[256];
1443	struct {
1444	u_int8_t version;
1445	u_int8_t command;
1446	u_int16_t dest_port;
1447	struct in_addr dest_addr;
1448	} s4_req, s4_rsp;
1449	int r;
1450
1451	debug2("channel %d: decode socks4", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1451 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: decode socks4" , c->self);
1452
1453	have = sshbuf_len(input);
1454	len = sizeof(s4_req);
1455	if (have < len)
1456	return 0;
1457	p = sshbuf_ptr(input);
1458
1459	need = 1;
1460	/* SOCKS4A uses an invalid IP address 0.0.0.x */
1461	if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) {
1462	debug2("channel %d: socks4a request", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1462 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: socks4a request" , c->self);
1463	/* ... and needs an extra string (the hostname) */
1464	need = 2;
1465	}
1466	/* Check for terminating NUL on the string(s) */
1467	for (found = 0, i = len; i < have; i++) {
1468	if (p[i] == '\0') {
1469	found++;
1470	if (found == need)
1471	break;
1472	}
1473	if (i > 1024) {
1474	/* the peer is probably sending garbage */
1475	debug("channel %d: decode socks4: too long",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1476 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: decode socks4: too long" , c->self)
1476	c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1476 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: decode socks4: too long" , c->self);
1477	return -1;
1478	}
1479	}
1480	if (found < need)
1481	return 0;
1482	if ((r = sshbuf_get(input, &s4_req.version, 1)) != 0 \|\|
1483	(r = sshbuf_get(input, &s4_req.command, 1)) != 0 \|\|
1484	(r = sshbuf_get(input, &s4_req.dest_port, 2)) != 0 \|\|
1485	(r = sshbuf_get(input, &s4_req.dest_addr, 4)) != 0) {
1486	debug_r(r, "channels %d: decode socks4", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1486 , 0, SYSLOG_LEVEL_DEBUG1, ssh_err(r), "channels %d: decode socks4" , c->self);
1487	return -1;
1488	}
1489	have = sshbuf_len(input);
1490	p = sshbuf_ptr(input);
1491	if (memchr(p, '\0', have) == NULL((void *)0)) {
1492	error("channel %d: decode socks4: unterminated user", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1492 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: decode socks4: unterminated user" , c->self);
1493	return -1;
1494	}
1495	len = strlen(p);
1496	debug2("channel %d: decode socks4: user %s/%d", c->self, p, len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1496 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: decode socks4: user %s/%d" , c->self, p, len);
1497	len++; /* trailing '\0' */
1498	strlcpy(username, p, sizeof(username));
1499	if ((r = sshbuf_consume(input, len)) != 0)
1500	fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1500 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self);
1501	free(c->path);
1502	c->path = NULL((void *)0);
1503	if (need == 1) { /* SOCKS4: one string */
1504	host = inet_ntoa(s4_req.dest_addr);
1505	c->path = xstrdup(host);
1506	} else { /* SOCKS4A: two strings */
1507	have = sshbuf_len(input);
1508	p = sshbuf_ptr(input);
1509	if (memchr(p, '\0', have) == NULL((void *)0)) {
1510	error("channel %d: decode socks4a: host not nul "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1511 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: decode socks4a: host not nul " "terminated", c->self)
1511	"terminated", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1511 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: decode socks4a: host not nul " "terminated", c->self);
1512	return -1;
1513	}
1514	len = strlen(p);
1515	debug2("channel %d: decode socks4a: host %s/%d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1516 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: decode socks4a: host %s/%d" , c->self, p, len)
1516	c->self, p, len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1516 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: decode socks4a: host %s/%d" , c->self, p, len);
1517	len++; /* trailing '\0' */
1518	if (len > NI_MAXHOST256) {
1519	error("channel %d: hostname \"%.100s\" too long",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1520 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: hostname \"%.100s\" too long" , c->self, p)
1520	c->self, p)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1520 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: hostname \"%.100s\" too long" , c->self, p);
1521	return -1;
1522	}
1523	c->path = xstrdup(p);
1524	if ((r = sshbuf_consume(input, len)) != 0)
1525	fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1525 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self);
1526	}
1527	c->host_port = ntohs(s4_req.dest_port)(__uint16_t)(__builtin_constant_p(s4_req.dest_port) ? (__uint16_t )(((__uint16_t)(s4_req.dest_port) & 0xffU) << 8 \| ( (__uint16_t)(s4_req.dest_port) & 0xff00U) >> 8) : __swap16md (s4_req.dest_port));
1528
1529	debug2("channel %d: dynamic request: socks4 host %s port %u command %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1530 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: dynamic request: socks4 host %s port %u command %u" , c->self, c->path, c->host_port, s4_req.command)
1530	c->self, c->path, c->host_port, s4_req.command)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1530 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: dynamic request: socks4 host %s port %u command %u" , c->self, c->path, c->host_port, s4_req.command);
1531
1532	if (s4_req.command != 1) {
1533	debug("channel %d: cannot handle: %s cn %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1534 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: cannot handle: %s cn %d" , c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command )
1534	c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1534 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: cannot handle: %s cn %d" , c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command );
1535	return -1;
1536	}
1537	s4_rsp.version = 0; /* vn: 0 for reply */
1538	s4_rsp.command = 90; /* cd: req granted */
1539	s4_rsp.dest_port = 0; /* ignored */
1540	s4_rsp.dest_addr.s_addr = INADDR_ANY((u_int32_t)(0x00000000)); /* ignored */
1541	if ((r = sshbuf_put(output, &s4_rsp, sizeof(s4_rsp))) != 0)
1542	fatal_fr(r, "channel %d: append reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1542 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: append reply" , c->self);
1543	return 1;
1544	}
1545
1546	/* try to decode a socks5 header */
1547	#define SSH_SOCKS5_AUTHDONE0x1000 0x1000
1548	#define SSH_SOCKS5_NOAUTH0x00 0x00
1549	#define SSH_SOCKS5_IPV40x01 0x01
1550	#define SSH_SOCKS5_DOMAIN0x03 0x03
1551	#define SSH_SOCKS5_IPV60x04 0x04
1552	#define SSH_SOCKS5_CONNECT0x01 0x01
1553	#define SSH_SOCKS5_SUCCESS0x00 0x00
1554
1555	static int
1556	channel_decode_socks5(Channel c, struct sshbuf input, struct sshbuf *output)
1557	{
1558	/* XXX use get/put_u8 instead of trusting struct padding */
1559	struct {
1560	u_int8_t version;
1561	u_int8_t command;
1562	u_int8_t reserved;
1563	u_int8_t atyp;
1564	} s5_req, s5_rsp;
1565	u_int16_t dest_port;
1566	char dest_addr[255+1], ntop[INET6_ADDRSTRLEN46];
1567	const u_char *p;
1568	u_int have, need, i, found, nmethods, addrlen, af;
1569	int r;
1570
1571	debug2("channel %d: decode socks5", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1571 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: decode socks5" , c->self);
1572	p = sshbuf_ptr(input);
1573	if (p[0] != 0x05)
1574	return -1;
1575	have = sshbuf_len(input);
1576	if (!(c->flags & SSH_SOCKS5_AUTHDONE0x1000)) {
1577	/* format: ver \| nmethods \| methods */
1578	if (have < 2)
1579	return 0;
1580	nmethods = p[1];
1581	if (have < nmethods + 2)
1582	return 0;
1583	/* look for method: "NO AUTHENTICATION REQUIRED" */
1584	for (found = 0, i = 2; i < nmethods + 2; i++) {
1585	if (p[i] == SSH_SOCKS5_NOAUTH0x00) {
1586	found = 1;
1587	break;
1588	}
1589	}
1590	if (!found) {
1591	debug("channel %d: method SSH_SOCKS5_NOAUTH not found",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1592 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: method SSH_SOCKS5_NOAUTH not found" , c->self)
1592	c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1592 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: method SSH_SOCKS5_NOAUTH not found" , c->self);
1593	return -1;
1594	}
1595	if ((r = sshbuf_consume(input, nmethods + 2)) != 0)
1596	fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1596 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self);
1597	/* version, method */
1598	if ((r = sshbuf_put_u8(output, 0x05)) != 0 \|\|
1599	(r = sshbuf_put_u8(output, SSH_SOCKS5_NOAUTH0x00)) != 0)
1600	fatal_fr(r, "channel %d: append reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1600 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: append reply" , c->self);
1601	c->flags \|= SSH_SOCKS5_AUTHDONE0x1000;
1602	debug2("channel %d: socks5 auth done", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1602 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: socks5 auth done" , c->self);
1603	return 0; /* need more */
1604	}
1605	debug2("channel %d: socks5 post auth", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1605 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: socks5 post auth" , c->self);
1606	if (have < sizeof(s5_req)+1)
1607	return 0; /* need more */
1608	memcpy(&s5_req, p, sizeof(s5_req));
1609	if (s5_req.version != 0x05 \|\|
1610	s5_req.command != SSH_SOCKS5_CONNECT0x01 \|\|
1611	s5_req.reserved != 0x00) {
1612	debug2("channel %d: only socks5 connect supported", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1612 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: only socks5 connect supported" , c->self);
1613	return -1;
1614	}
1615	switch (s5_req.atyp){
1616	case SSH_SOCKS5_IPV40x01:
1617	addrlen = 4;
1618	af = AF_INET2;
1619	break;
1620	case SSH_SOCKS5_DOMAIN0x03:
1621	addrlen = p[sizeof(s5_req)];
1622	af = -1;
1623	break;
1624	case SSH_SOCKS5_IPV60x04:
1625	addrlen = 16;
1626	af = AF_INET624;
1627	break;
1628	default:
1629	debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1629 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: bad socks5 atyp %d" , c->self, s5_req.atyp);
1630	return -1;
1631	}
1632	need = sizeof(s5_req) + addrlen + 2;
1633	if (s5_req.atyp == SSH_SOCKS5_DOMAIN0x03)
1634	need++;
1635	if (have < need)
1636	return 0;
1637	if ((r = sshbuf_consume(input, sizeof(s5_req))) != 0)
1638	fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1638 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self);
1639	if (s5_req.atyp == SSH_SOCKS5_DOMAIN0x03) {
1640	/* host string length */
1641	if ((r = sshbuf_consume(input, 1)) != 0)
1642	fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1642 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self);
1643	}
1644	if ((r = sshbuf_get(input, &dest_addr, addrlen)) != 0 \|\|
1645	(r = sshbuf_get(input, &dest_port, 2)) != 0) {
1646	debug_r(r, "channel %d: parse addr/port", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1646 , 0, SYSLOG_LEVEL_DEBUG1, ssh_err(r), "channel %d: parse addr/port" , c->self);
1647	return -1;
1648	}
1649	dest_addr[addrlen] = '\0';
1650	free(c->path);
1651	c->path = NULL((void *)0);
1652	if (s5_req.atyp == SSH_SOCKS5_DOMAIN0x03) {
1653	if (addrlen >= NI_MAXHOST256) {
1654	error("channel %d: dynamic request: socks5 hostname "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1655 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: dynamic request: socks5 hostname " "\"%.100s\" too long", c->self, dest_addr)
1655	"\"%.100s\" too long", c->self, dest_addr)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1655 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: dynamic request: socks5 hostname " "\"%.100s\" too long", c->self, dest_addr);
1656	return -1;
1657	}
1658	c->path = xstrdup(dest_addr);
1659	} else {
1660	if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL((void *)0))
1661	return -1;
1662	c->path = xstrdup(ntop);
1663	}
1664	c->host_port = ntohs(dest_port)(__uint16_t)(__builtin_constant_p(dest_port) ? (__uint16_t)(( (__uint16_t)(dest_port) & 0xffU) << 8 \| ((__uint16_t )(dest_port) & 0xff00U) >> 8) : __swap16md(dest_port ));
1665
1666	debug2("channel %d: dynamic request: socks5 host %s port %u command %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1667 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: dynamic request: socks5 host %s port %u command %u" , c->self, c->path, c->host_port, s5_req.command)
1667	c->self, c->path, c->host_port, s5_req.command)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1667 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: dynamic request: socks5 host %s port %u command %u" , c->self, c->path, c->host_port, s5_req.command);
1668
1669	s5_rsp.version = 0x05;
1670	s5_rsp.command = SSH_SOCKS5_SUCCESS0x00;
1671	s5_rsp.reserved = 0; /* ignored */
1672	s5_rsp.atyp = SSH_SOCKS5_IPV40x01;
1673	dest_port = 0; /* ignored */
1674
1675	if ((r = sshbuf_put(output, &s5_rsp, sizeof(s5_rsp))) != 0 \|\|
1676	(r = sshbuf_put_u32(output, ntohl(INADDR_ANY)(__uint32_t)(__builtin_constant_p(((u_int32_t)(0x00000000))) ? (__uint32_t)(((__uint32_t)(((u_int32_t)(0x00000000))) & 0xff ) << 24 \| ((__uint32_t)(((u_int32_t)(0x00000000))) & 0xff00) << 8 \| ((__uint32_t)(((u_int32_t)(0x00000000)) ) & 0xff0000) >> 8 \| ((__uint32_t)(((u_int32_t)(0x00000000 ))) & 0xff000000) >> 24) : __swap32md(((u_int32_t)( 0x00000000)))))) != 0 \|\|
1677	(r = sshbuf_put(output, &dest_port, sizeof(dest_port))) != 0)
1678	fatal_fr(r, "channel %d: append reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1678 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: append reply" , c->self);
1679	return 1;
1680	}
1681
1682	Channel *
1683	channel_connect_stdio_fwd(struct ssh *ssh,
1684	const char *host_to_connect, int port_to_connect,
1685	int in, int out, int nonblock)
1686	{
1687	Channel *c;
1688
1689	debug_f("%s:%d", host_to_connect, port_to_connect)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1689 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s:%d", host_to_connect , port_to_connect);
1690
1691	c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING3, in, out,
1692	-1, CHAN_TCP_WINDOW_DEFAULT(64(321024)), CHAN_TCP_PACKET_DEFAULT(32*1024),
1693	0, "stdio-forward", nonblock);
1694
1695	c->path = xstrdup(host_to_connect);
1696	c->host_port = port_to_connect;
1697	c->listening_port = 0;
1698	c->force_drain = 1;
1699
1700	channel_register_fds(ssh, c, in, out, -1, 0, 1, 0);
1701	port_open_helper(ssh, c, port_to_connect == PORT_STREAMLOCAL-2 ?
1702	"direct-streamlocal@openssh.com" : "direct-tcpip");
1703
1704	return c;
1705	}
1706
1707	/* dynamic port forwarding */
1708	static void
1709	channel_pre_dynamic(struct ssh ssh, Channel c)
1710	{
1711	const u_char *p;
1712	u_int have;
1713	int ret;
1714
1715	c->io_want = 0;
1716	have = sshbuf_len(c->input);
1717	debug2("channel %d: pre_dynamic: have %d", c->self, have)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1717 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: pre_dynamic: have %d" , c->self, have);
1718	/* sshbuf_dump(c->input, stderr); */
1719	/* check if the fixed size part of the packet is in buffer. */
1720	if (have < 3) {
1721	/* need more */
1722	c->io_want \|= SSH_CHAN_IO_RFD0x01;
1723	return;
1724	}
1725	/* try to guess the protocol */
1726	p = sshbuf_ptr(c->input);
1727	/* XXX sshbuf_peek_u8? */
1728	switch (p[0]) {
1729	case 0x04:
1730	ret = channel_decode_socks4(c, c->input, c->output);
1731	break;
1732	case 0x05:
1733	ret = channel_decode_socks5(c, c->input, c->output);
1734	break;
1735	default:
1736	ret = -1;
1737	break;
1738	}
1739	if (ret < 0) {
1740	chan_mark_dead(ssh, c);
1741	} else if (ret == 0) {
1742	debug2("channel %d: pre_dynamic: need more", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1742 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: pre_dynamic: need more" , c->self);
1743	/* need more */
1744	c->io_want \|= SSH_CHAN_IO_RFD0x01;
1745	if (sshbuf_len(c->output))
1746	c->io_want \|= SSH_CHAN_IO_WFD0x02;
1747	} else {
1748	/* switch to the next state */
1749	c->type = SSH_CHANNEL_OPENING3;
1750	port_open_helper(ssh, c, "direct-tcpip");
1751	}
1752	}
1753
1754	/* simulate read-error */
1755	static void
1756	rdynamic_close(struct ssh ssh, Channel c)
1757	{
1758	c->type = SSH_CHANNEL_OPEN4;
1759	channel_force_close(ssh, c, 0);
1760	}
1761
1762	/* reverse dynamic port forwarding */
1763	static void
1764	channel_before_prepare_io_rdynamic(struct ssh ssh, Channel c)
1765	{
1766	const u_char *p;
1767	u_int have, len;
1768	int r, ret;
1769
1770	have = sshbuf_len(c->output);
1771	debug2("channel %d: pre_rdynamic: have %d", c->self, have)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1771 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: pre_rdynamic: have %d" , c->self, have);
1772	/* sshbuf_dump(c->output, stderr); */
1773	/* EOF received */
1774	if (c->flags & CHAN_EOF_RCVD0x08) {
1775	if ((r = sshbuf_consume(c->output, have)) != 0)
1776	fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1776 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self);
1777	rdynamic_close(ssh, c);
1778	return;
1779	}
1780	/* check if the fixed size part of the packet is in buffer. */
1781	if (have < 3)
1782	return;
1783	/* try to guess the protocol */
1784	p = sshbuf_ptr(c->output);
1785	switch (p[0]) {
1786	case 0x04:
1787	/* switch input/output for reverse forwarding */
1788	ret = channel_decode_socks4(c, c->output, c->input);
1789	break;
1790	case 0x05:
1791	ret = channel_decode_socks5(c, c->output, c->input);
1792	break;
1793	default:
1794	ret = -1;
1795	break;
1796	}
1797	if (ret < 0) {
1798	rdynamic_close(ssh, c);
1799	} else if (ret == 0) {
1800	debug2("channel %d: pre_rdynamic: need more", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1800 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: pre_rdynamic: need more" , c->self);
1801	/* send socks request to peer */
1802	len = sshbuf_len(c->input);
1803	if (len > 0 && len < c->remote_window) {
1804	if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA94)) != 0 \|\|
1805	(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 \|\|
1806	(r = sshpkt_put_stringb(ssh, c->input)) != 0 \|\|
1807	(r = sshpkt_send(ssh)) != 0) {
1808	fatal_fr(r, "channel %i: rdynamic", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1808 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: rdynamic", c ->self);
1809	}
1810	if ((r = sshbuf_consume(c->input, len)) != 0)
1811	fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1811 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self);
1812	c->remote_window -= len;
1813	}
1814	} else if (rdynamic_connect_finish(ssh, c) < 0) {
1815	/* the connect failed */
1816	rdynamic_close(ssh, c);
1817	}
1818	}
1819
1820	/* This is our fake X11 server socket. */
1821	static void
1822	channel_post_x11_listener(struct ssh ssh, Channel c)
1823	{
1824	Channel *nc;
1825	struct sockaddr_storage addr;
1826	int r, newsock, oerrno, remote_port;
1827	socklen_t addrlen;
1828	char buf[16384], *remote_ipaddr;
1829
1830	if ((c->io_ready & SSH_CHAN_IO_SOCK_R0x10) == 0)
1831	return;
1832
1833	debug("X11 connection requested.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1833 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "X11 connection requested." );
1834	addrlen = sizeof(addr);
1835	newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1836	if (c->single_connection) {
1837	oerrno = errno(*__errno());
1838	debug2("single_connection: closing X11 listener.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1838 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "single_connection: closing X11 listener." );
1839	channel_close_fd(ssh, c, &c->sock);
1840	chan_mark_dead(ssh, c);
1841	errno(*__errno()) = oerrno;
1842	}
1843	if (newsock == -1) {
1844	if (errno(__errno()) != EINTR4 && errno(__errno()) != EWOULDBLOCK35 &&
1845	errno(*__errno()) != ECONNABORTED53)
1846	error("accept: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1846 , 0, SYSLOG_LEVEL_ERROR, ((void )0), "accept: %.100s", strerror ((__errno())));
1847	if (errno(__errno()) == EMFILE24 \|\| errno(__errno()) == ENFILE23)
1848	c->notbefore = monotime() + 1;
1849	return;
1850	}
1851	set_nodelay(newsock);
1852	remote_ipaddr = get_peer_ipaddr(newsock);
1853	remote_port = get_peer_port(newsock);
1854	snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1855	remote_ipaddr, remote_port);
1856
1857	nc = channel_new(ssh, "x11-connection",
1858	SSH_CHANNEL_OPENING3, newsock, newsock, -1,
1859	c->local_window_max, c->local_maxpacket, 0, buf, 1);
1860	open_preamble(ssh, __func__, nc, "x11");
1861	if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 \|\|
1862	(r = sshpkt_put_u32(ssh, remote_port)) != 0) {
1863	fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1863 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self);
1864	}
1865	if ((r = sshpkt_send(ssh)) != 0)
1866	fatal_fr(r, "channel %i: send", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1866 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: send", c-> self);
1867	free(remote_ipaddr);
1868	}
1869
1870	static void
1871	port_open_helper(struct ssh ssh, Channel c, char *rtype)
1872	{
1873	char *local_ipaddr = get_local_ipaddr(c->sock);
1874	int local_port = c->sock == -1 ? 65536 : get_local_port(c->sock);
1875	char *remote_ipaddr = get_peer_ipaddr(c->sock);
1876	int remote_port = get_peer_port(c->sock);
1877	int r;
1878
1879	if (remote_port == -1) {
1880	/* Fake addr/port to appease peers that validate it (Tectia) */
1881	free(remote_ipaddr);
1882	remote_ipaddr = xstrdup("127.0.0.1");
1883	remote_port = 65535;
1884	}
1885
1886	free(c->remote_name);
1887	xasprintf(&c->remote_name,
1888	"%s: listening port %d for %.100s port %d, "
1889	"connect from %.200s port %d to %.100s port %d",
1890	rtype, c->listening_port, c->path, c->host_port,
1891	remote_ipaddr, remote_port, local_ipaddr, local_port);
1892
1893	open_preamble(ssh, __func__, c, rtype);
1894	if (strcmp(rtype, "direct-tcpip") == 0) {
1895	/* target host, port */
1896	if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 \|\|
1897	(r = sshpkt_put_u32(ssh, c->host_port)) != 0)
1898	fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1898 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self);
1899	} else if (strcmp(rtype, "direct-streamlocal@openssh.com") == 0) {
1900	/* target path */
1901	if ((r = sshpkt_put_cstring(ssh, c->path)) != 0)
1902	fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1902 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self);
1903	} else if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) {
1904	/* listen path */
1905	if ((r = sshpkt_put_cstring(ssh, c->path)) != 0)
1906	fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1906 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self);
1907	} else {
1908	/* listen address, port */
1909	if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 \|\|
1910	(r = sshpkt_put_u32(ssh, local_port)) != 0)
1911	fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1911 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self);
1912	}
1913	if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) {
1914	/* reserved for future owner/mode info */
1915	if ((r = sshpkt_put_cstring(ssh, "")) != 0)
1916	fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1916 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self);
1917	} else {
1918	/* originator host and port */
1919	if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 \|\|
1920	(r = sshpkt_put_u32(ssh, (u_int)remote_port)) != 0)
1921	fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1921 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self);
1922	}
1923	if ((r = sshpkt_send(ssh)) != 0)
1924	fatal_fr(r, "channel %i: send", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1924 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: send", c-> self);
1925	free(remote_ipaddr);
1926	free(local_ipaddr);
1927	}
1928
1929	void
1930	channel_set_x11_refuse_time(struct ssh *ssh, time_t refuse_time)
1931	{
1932	ssh->chanctxt->x11_refuse_time = refuse_time;
1933	}
1934
1935	/*
1936	* This socket is listening for connections to a forwarded TCP/IP port.
1937	*/
1938	static void
1939	channel_post_port_listener(struct ssh ssh, Channel c)
1940	{
1941	Channel *nc;
1942	struct sockaddr_storage addr;
1943	int newsock, nextstate;
1944	socklen_t addrlen;
1945	char *rtype;
1946
1947	if ((c->io_ready & SSH_CHAN_IO_SOCK_R0x10) == 0)
1948	return;
1949
1950	debug("Connection to port %d forwarding to %.100s port %d requested.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1951 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Connection to port %d forwarding to %.100s port %d requested." , c->listening_port, c->path, c->host_port)
1951	c->listening_port, c->path, c->host_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1951 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Connection to port %d forwarding to %.100s port %d requested." , c->listening_port, c->path, c->host_port);
1952
1953	if (c->type == SSH_CHANNEL_RPORT_LISTENER11) {
1954	nextstate = SSH_CHANNEL_OPENING3;
1955	rtype = "forwarded-tcpip";
1956	} else if (c->type == SSH_CHANNEL_RUNIX_LISTENER19) {
1957	nextstate = SSH_CHANNEL_OPENING3;
1958	rtype = "forwarded-streamlocal@openssh.com";
1959	} else if (c->host_port == PORT_STREAMLOCAL-2) {
1960	nextstate = SSH_CHANNEL_OPENING3;
1961	rtype = "direct-streamlocal@openssh.com";
1962	} else if (c->host_port == 0) {
1963	nextstate = SSH_CHANNEL_DYNAMIC13;
1964	rtype = "dynamic-tcpip";
1965	} else {
1966	nextstate = SSH_CHANNEL_OPENING3;
1967	rtype = "direct-tcpip";
1968	}
1969
1970	addrlen = sizeof(addr);
1971	newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1972	if (newsock == -1) {
1973	if (errno(__errno()) != EINTR4 && errno(__errno()) != EWOULDBLOCK35 &&
1974	errno(*__errno()) != ECONNABORTED53)
1975	error("accept: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1975 , 0, SYSLOG_LEVEL_ERROR, ((void )0), "accept: %.100s", strerror ((__errno())));
1976	if (errno(__errno()) == EMFILE24 \|\| errno(__errno()) == ENFILE23)
1977	c->notbefore = monotime() + 1;
1978	return;
1979	}
1980	if (c->host_port != PORT_STREAMLOCAL-2)
1981	set_nodelay(newsock);
1982	nc = channel_new(ssh, rtype, nextstate, newsock, newsock, -1,
1983	c->local_window_max, c->local_maxpacket, 0, rtype, 1);
1984	nc->listening_port = c->listening_port;
1985	nc->host_port = c->host_port;
1986	if (c->path != NULL((void *)0))
1987	nc->path = xstrdup(c->path);
1988
1989	if (nextstate != SSH_CHANNEL_DYNAMIC13)
1990	port_open_helper(ssh, nc, rtype);
1991	}
1992
1993	/*
1994	* This is the authentication agent socket listening for connections from
1995	* clients.
1996	*/
1997	static void
1998	channel_post_auth_listener(struct ssh ssh, Channel c)
1999	{
2000	Channel *nc;
2001	int r, newsock;
2002	struct sockaddr_storage addr;
2003	socklen_t addrlen;
2004
2005	if ((c->io_ready & SSH_CHAN_IO_SOCK_R0x10) == 0)
2006	return;
2007
2008	addrlen = sizeof(addr);
2009	newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
2010	if (newsock == -1) {
2011	error("accept from auth socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2011 , 0, SYSLOG_LEVEL_ERROR, ((void )0), "accept from auth socket: %.100s" , strerror((__errno())));
2012	if (errno(__errno()) == EMFILE24 \|\| errno(__errno()) == ENFILE23)
2013	c->notbefore = monotime() + 1;
2014	return;
2015	}
2016	nc = channel_new(ssh, "agent-connection",
2017	SSH_CHANNEL_OPENING3, newsock, newsock, -1,
2018	c->local_window_max, c->local_maxpacket,
2019	0, "accepted auth socket", 1);
2020	open_preamble(ssh, __func__, nc, "auth-agent@openssh.com");
2021	if ((r = sshpkt_send(ssh)) != 0)
2022	fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2022 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self );
2023	}
2024
2025	static void
2026	channel_post_connecting(struct ssh ssh, Channel c)
2027	{
2028	int err = 0, sock, isopen, r;
2029	socklen_t sz = sizeof(err);
2030
2031	if ((c->io_ready & SSH_CHAN_IO_SOCK_W0x20) == 0)
2032	return;
2033	if (!c->have_remote_id)
2034	fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2034 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self);
2035	/* for rdynamic the OPEN_CONFIRMATION has been sent already */
2036	isopen = (c->type == SSH_CHANNEL_RDYNAMIC_FINISH22);
2037
2038	if (getsockopt(c->sock, SOL_SOCKET0xffff, SO_ERROR0x1007, &err, &sz) == -1) {
2039	err = errno(*__errno());
2040	error("getsockopt SO_ERROR failed")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2040 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "getsockopt SO_ERROR failed" );
2041	}
2042
2043	if (err == 0) {
2044	/* Non-blocking connection completed */
2045	debug("channel %d: connected to %s port %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2046 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: connected to %s port %d" , c->self, c->connect_ctx.host, c->connect_ctx.port)
2046	c->self, c->connect_ctx.host, c->connect_ctx.port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2046 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: connected to %s port %d" , c->self, c->connect_ctx.host, c->connect_ctx.port);
2047	channel_connect_ctx_free(&c->connect_ctx);
2048	c->type = SSH_CHANNEL_OPEN4;
2049	channel_set_used_time(ssh, c);
2050	if (isopen) {
2051	/* no message necessary */
2052	} else {
2053	if ((r = sshpkt_start(ssh,
2054	SSH2_MSG_CHANNEL_OPEN_CONFIRMATION91)) != 0 \|\|
2055	(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 \|\|
2056	(r = sshpkt_put_u32(ssh, c->self)) != 0 \|\|
2057	(r = sshpkt_put_u32(ssh, c->local_window)) != 0 \|\|
2058	(r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0 \|\|
2059	(r = sshpkt_send(ssh)) != 0)
2060	fatal_fr(r, "channel %i open confirm", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2060 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i open confirm" , c->self);
2061	}
2062	return;
2063	}
2064	if (err == EINTR4 \|\| err == EAGAIN35 \|\| err == EINPROGRESS36)
2065	return;
2066
2067	/* Non-blocking connection failed */
2068	debug("channel %d: connection failed: %s", c->self, strerror(err))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2068 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: connection failed: %s" , c->self, strerror(err));
2069
2070	/* Try next address, if any */
2071	if ((sock = connect_next(&c->connect_ctx)) == -1) {
2072	/* Exhausted all addresses for this destination */
2073	error("connect_to %.100s port %d: failed.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2074 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect_to %.100s port %d: failed." , c->connect_ctx.host, c->connect_ctx.port)
2074	c->connect_ctx.host, c->connect_ctx.port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2074 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect_to %.100s port %d: failed." , c->connect_ctx.host, c->connect_ctx.port);
2075	channel_connect_ctx_free(&c->connect_ctx);
2076	if (isopen) {
2077	rdynamic_close(ssh, c);
2078	} else {
2079	if ((r = sshpkt_start(ssh,
2080	SSH2_MSG_CHANNEL_OPEN_FAILURE92)) != 0 \|\|
2081	(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 \|\|
2082	(r = sshpkt_put_u32(ssh,
2083	SSH2_OPEN_CONNECT_FAILED2)) != 0 \|\|
2084	(r = sshpkt_put_cstring(ssh, strerror(err))) != 0 \|\|
2085	(r = sshpkt_put_cstring(ssh, "")) != 0 \|\|
2086	(r = sshpkt_send(ssh)) != 0)
2087	fatal_fr(r, "channel %i: failure", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2087 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: failure", c ->self);
2088	chan_mark_dead(ssh, c);
2089	}
2090	}
2091
2092	/* New non-blocking connection in progress */
2093	close(c->sock);
2094	c->sock = c->rfd = c->wfd = sock;
2095	}
2096
2097	static int
2098	channel_handle_rfd(struct ssh ssh, Channel c)
2099	{
2100	char buf[CHAN_RBUF(16*1024)];
2101	ssize_t len;
2102	int r;
2103	size_t nr = 0, have, avail, maxlen = CHANNEL_MAX_READ(32*1024);
2104
2105	if ((c->io_ready & SSH_CHAN_IO_RFD0x01) == 0)
2106	return 1; /* Shouldn't happen */
2107	if ((avail = sshbuf_avail(c->input)) == 0)
2108	return 1; /* Shouldn't happen */
2109
2110	/*
2111	* For "simple" channels (i.e. not datagram or filtered), we can
2112	* read directly to the channel buffer.
2113	*/
2114	if (c->input_filter == NULL((void *)0) && !c->datagram) {
2115	/* Only OPEN channels have valid rwin */
2116	if (c->type == SSH_CHANNEL_OPEN4) {
2117	if ((have = sshbuf_len(c->input)) >= c->remote_window)
2118	return 1; /* shouldn't happen */
2119	if (maxlen > c->remote_window - have)
2120	maxlen = c->remote_window - have;
2121	}
2122	if (maxlen > avail)
2123	maxlen = avail;
2124	if ((r = sshbuf_read(c->rfd, c->input, maxlen, &nr)) != 0) {
2125	if (errno(__errno()) == EINTR4 \|\| errno(__errno()) == EAGAIN35)
2126	return 1;
2127	debug2("channel %d: read failed rfd %d maxlen %zu: %s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2128 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: read failed rfd %d maxlen %zu: %s" , c->self, c->rfd, maxlen, ssh_err(r))
2128	c->self, c->rfd, maxlen, ssh_err(r))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2128 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: read failed rfd %d maxlen %zu: %s" , c->self, c->rfd, maxlen, ssh_err(r));
2129	goto rfail;
2130	}
2131	if (nr != 0)
2132	channel_set_used_time(ssh, c);
2133	return 1;
2134	}
2135
2136	len = read(c->rfd, buf, sizeof(buf));
2137	if (len == -1 && (errno(__errno()) == EINTR4 \|\| errno(__errno()) == EAGAIN35))
2138	return 1;
2139	if (len <= 0) {
2140	debug2("channel %d: read<=0 rfd %d len %zd: %s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2142 , 0, SYSLOG_LEVEL_DEBUG2, ((void )0), "channel %d: read<=0 rfd %d len %zd: %s" , c->self, c->rfd, len, len == 0 ? "closed" : strerror( (__errno())))
2141	c->self, c->rfd, len,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2142 , 0, SYSLOG_LEVEL_DEBUG2, ((void )0), "channel %d: read<=0 rfd %d len %zd: %s" , c->self, c->rfd, len, len == 0 ? "closed" : strerror( (__errno())))
2142	len == 0 ? "closed" : strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2142 , 0, SYSLOG_LEVEL_DEBUG2, ((void )0), "channel %d: read<=0 rfd %d len %zd: %s" , c->self, c->rfd, len, len == 0 ? "closed" : strerror( (__errno())));
2143	rfail:
2144	if (c->type != SSH_CHANNEL_OPEN4) {
2145	debug2("channel %d: not open", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2145 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: not open" , c->self);
2146	chan_mark_dead(ssh, c);
2147	return -1;
2148	} else {
2149	chan_read_failed(ssh, c);
2150	}
2151	return -1;
2152	}
2153	channel_set_used_time(ssh, c);
2154	if (c->input_filter != NULL((void *)0)) {
2155	if (c->input_filter(ssh, c, buf, len) == -1) {
2156	debug2("channel %d: filter stops", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2156 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: filter stops" , c->self);
2157	chan_read_failed(ssh, c);
2158	}
2159	} else if (c->datagram) {
2160	if ((r = sshbuf_put_string(c->input, buf, len)) != 0)
2161	fatal_fr(r, "channel %i: put datagram", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2161 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: put datagram" , c->self);
2162	}
2163	return 1;
2164	}
2165
2166	static int
2167	channel_handle_wfd(struct ssh ssh, Channel c)
2168	{
2169	struct termios tio;
2170	u_char data = NULL((void )0), buf; / XXX const; need filter API change */
2171	size_t dlen, olen = 0;
2172	int r, len;
2173
2174	if ((c->io_ready & SSH_CHAN_IO_WFD0x02) == 0)
2175	return 1;
2176	if (sshbuf_len(c->output) == 0)
2177	return 1;
2178
2179	/* Send buffered output data to the socket. */
2180	olen = sshbuf_len(c->output);
2181	if (c->output_filter != NULL((void *)0)) {
2182	if ((buf = c->output_filter(ssh, c, &data, &dlen)) == NULL((void *)0)) {
2183	debug2("channel %d: filter stops", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2183 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: filter stops" , c->self);
2184	if (c->type != SSH_CHANNEL_OPEN4)
2185	chan_mark_dead(ssh, c);
2186	else
2187	chan_write_failed(ssh, c);
2188	return -1;
2189	}
2190	} else if (c->datagram) {
2191	if ((r = sshbuf_get_string(c->output, &data, &dlen)) != 0)
2192	fatal_fr(r, "channel %i: get datagram", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2192 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: get datagram" , c->self);
2193	buf = data;
2194	} else {
2195	buf = data = sshbuf_mutable_ptr(c->output);
2196	dlen = sshbuf_len(c->output);
2197	}
2198
2199	if (c->datagram) {
2200	/* ignore truncated writes, datagrams might get lost */
2201	len = write(c->wfd, buf, dlen);
2202	free(data);
2203	if (len == -1 && (errno(__errno()) == EINTR4 \|\| errno(__errno()) == EAGAIN35))
2204	return 1;
2205	if (len <= 0)
2206	goto write_fail;
2207	goto out;
2208	}
2209
2210	len = write(c->wfd, buf, dlen);
2211	if (len == -1 && (errno(__errno()) == EINTR4 \|\| errno(__errno()) == EAGAIN35))
2212	return 1;
2213	if (len <= 0) {
2214	write_fail:
2215	if (c->type != SSH_CHANNEL_OPEN4) {
2216	debug2("channel %d: not open", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2216 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: not open" , c->self);
2217	chan_mark_dead(ssh, c);
2218	return -1;
2219	} else {
2220	chan_write_failed(ssh, c);
2221	}
2222	return -1;
2223	}
2224	channel_set_used_time(ssh, c);
2225	if (c->isatty && dlen >= 1 && buf[0] != '\r') {
2226	if (tcgetattr(c->wfd, &tio) == 0 &&
2227	!(tio.c_lflag & ECHO0x00000008) && (tio.c_lflag & ICANON0x00000100)) {
2228	/*
2229	* Simulate echo to reduce the impact of
2230	* traffic analysis. We need to match the
2231	* size of a SSH2_MSG_CHANNEL_DATA message
2232	* (4 byte channel id + buf)
2233	*/
2234	if ((r = sshpkt_msg_ignore(ssh, 4+len)) != 0 \|\|
2235	(r = sshpkt_send(ssh)) != 0)
2236	fatal_fr(r, "channel %i: ignore", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2236 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: ignore", c-> self);
2237	}
2238	}
2239	if ((r = sshbuf_consume(c->output, len)) != 0)
2240	fatal_fr(r, "channel %i: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2240 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: consume", c ->self);
2241	out:
2242	c->local_consumed += olen - sshbuf_len(c->output);
2243
2244	return 1;
2245	}
2246
2247	static int
2248	channel_handle_efd_write(struct ssh ssh, Channel c)
2249	{
2250	int r;
2251	ssize_t len;
2252
2253	if ((c->io_ready & SSH_CHAN_IO_EFD_W0x08) == 0)
2254	return 1;
2255	if (sshbuf_len(c->extended) == 0)
2256	return 1;
2257
2258	len = write(c->efd, sshbuf_ptr(c->extended),
2259	sshbuf_len(c->extended));
2260	debug2("channel %d: written %zd to efd %d", c->self, len, c->efd)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2260 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: written %zd to efd %d" , c->self, len, c->efd);
2261	if (len == -1 && (errno(__errno()) == EINTR4 \|\| errno(__errno()) == EAGAIN35))
2262	return 1;
2263	if (len <= 0) {
2264	debug2("channel %d: closing write-efd %d", c->self, c->efd)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2264 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: closing write-efd %d" , c->self, c->efd);
2265	channel_close_fd(ssh, c, &c->efd);
2266	} else {
2267	if ((r = sshbuf_consume(c->extended, len)) != 0)
2268	fatal_fr(r, "channel %i: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2268 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: consume", c ->self);
2269	c->local_consumed += len;
2270	channel_set_used_time(ssh, c);
2271	}
2272	return 1;
2273	}
2274
2275	static int
2276	channel_handle_efd_read(struct ssh ssh, Channel c)
2277	{
2278	char buf[CHAN_RBUF(16*1024)];
2279	int r;
2280	ssize_t len;
2281
2282	if ((c->io_ready & SSH_CHAN_IO_EFD_R0x04) == 0)
2283	return 1;
2284
2285	len = read(c->efd, buf, sizeof(buf));
2286	debug2("channel %d: read %zd from efd %d", c->self, len, c->efd)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2286 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: read %zd from efd %d" , c->self, len, c->efd);
2287	if (len == -1 && (errno(__errno()) == EINTR4 \|\| errno(__errno()) == EAGAIN35))
2288	return 1;
2289	if (len <= 0) {
2290	debug2("channel %d: closing read-efd %d", c->self, c->efd)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2290 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: closing read-efd %d" , c->self, c->efd);
2291	channel_close_fd(ssh, c, &c->efd);
2292	return 1;
2293	}
2294	channel_set_used_time(ssh, c);
2295	if (c->extended_usage == CHAN_EXTENDED_IGNORE0)
2296	debug3("channel %d: discard efd", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2296 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: discard efd" , c->self);
2297	else if ((r = sshbuf_put(c->extended, buf, len)) != 0)
2298	fatal_fr(r, "channel %i: append", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2298 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: append", c-> self);
2299	return 1;
2300	}
2301
2302	static int
2303	channel_handle_efd(struct ssh ssh, Channel c)
2304	{
2305	if (c->efd == -1)
2306	return 1;
2307
2308	/** XXX handle drain efd, too */
2309
2310	if (c->extended_usage == CHAN_EXTENDED_WRITE2)
2311	return channel_handle_efd_write(ssh, c);
2312	else if (c->extended_usage == CHAN_EXTENDED_READ1 \|\|
2313	c->extended_usage == CHAN_EXTENDED_IGNORE0)
2314	return channel_handle_efd_read(ssh, c);
2315
2316	return 1;
2317	}
2318
2319	static int
2320	channel_check_window(struct ssh ssh, Channel c)
2321	{
2322	int r;
2323
2324	if (c->type == SSH_CHANNEL_OPEN4 &&
2325	!(c->flags & (CHAN_CLOSE_SENT0x01\|CHAN_CLOSE_RCVD0x02)) &&
2326	((c->local_window_max - c->local_window >
2327	c->local_maxpacket*3) \|\|
2328	c->local_window < c->local_window_max/2) &&
2329	c->local_consumed > 0) {
2330	if (!c->have_remote_id)
2331	fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2331 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self);
2332	if ((r = sshpkt_start(ssh,
2333	SSH2_MSG_CHANNEL_WINDOW_ADJUST93)) != 0 \|\|
2334	(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 \|\|
2335	(r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 \|\|
2336	(r = sshpkt_send(ssh)) != 0) {
2337	fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2337 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self );
2338	}
2339	debug2("channel %d: window %d sent adjust %d", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2340 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: window %d sent adjust %d" , c->self, c->local_window, c->local_consumed)
2340	c->local_window, c->local_consumed)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2340 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: window %d sent adjust %d" , c->self, c->local_window, c->local_consumed);
2341	c->local_window += c->local_consumed;
2342	c->local_consumed = 0;
2343	}
2344	return 1;
2345	}
2346
2347	static void
2348	channel_post_open(struct ssh ssh, Channel c)
2349	{
2350	channel_handle_rfd(ssh, c);
2351	channel_handle_wfd(ssh, c);
2352	channel_handle_efd(ssh, c);
2353	channel_check_window(ssh, c);
2354	}
2355
2356	static u_int
2357	read_mux(struct ssh ssh, Channel c, u_int need)
2358	{
2359	char buf[CHAN_RBUF(16*1024)];
2360	ssize_t len;
2361	u_int rlen;
2362	int r;
2363
2364	if (sshbuf_len(c->input) < need) {
2365	rlen = need - sshbuf_len(c->input);
2366	len = read(c->rfd, buf, MINIMUM(rlen, CHAN_RBUF)(((rlen) < ((161024))) ? (rlen) : ((161024))));
2367	if (len == -1 && (errno(__errno()) == EINTR4 \|\| errno(__errno()) == EAGAIN35))
2368	return sshbuf_len(c->input);
2369	if (len <= 0) {
2370	debug2("channel %d: ctl read<=0 rfd %d len %zd",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2371 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: ctl read<=0 rfd %d len %zd" , c->self, c->rfd, len)
2371	c->self, c->rfd, len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2371 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: ctl read<=0 rfd %d len %zd" , c->self, c->rfd, len);
2372	chan_read_failed(ssh, c);
2373	return 0;
2374	} else if ((r = sshbuf_put(c->input, buf, len)) != 0)
2375	fatal_fr(r, "channel %i: append", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2375 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: append", c-> self);
2376	}
2377	return sshbuf_len(c->input);
2378	}
2379
2380	static void
2381	channel_post_mux_client_read(struct ssh ssh, Channel c)
2382	{
2383	u_int need;
2384
2385	if ((c->io_ready & SSH_CHAN_IO_RFD0x01) == 0)
2386	return;
2387	if (c->istate != CHAN_INPUT_OPEN0 && c->istate != CHAN_INPUT_WAIT_DRAIN1)
2388	return;
2389	if (c->mux_pause)
2390	return;
2391
2392	/*
2393	* Don't not read past the precise end of packets to
2394	* avoid disrupting fd passing.
2395	*/
2396	if (read_mux(ssh, c, 4) < 4) /* read header */
2397	return;
2398	/* XXX sshbuf_peek_u32 */
2399	need = PEEK_U32(sshbuf_ptr(c->input))(((u_int32_t)(((const u_char )(sshbuf_ptr(c->input)))[0]) << 24) \| ((u_int32_t)(((const u_char )(sshbuf_ptr(c-> input)))[1]) << 16) \| ((u_int32_t)(((const u_char )(sshbuf_ptr (c->input)))[2]) << 8) \| (u_int32_t)(((const u_char )(sshbuf_ptr(c->input)))[3]));
2400	#define CHANNEL_MUX_MAX_PACKET(256 * 1024) (256 * 1024)
2401	if (need > CHANNEL_MUX_MAX_PACKET(256 * 1024)) {
2402	debug2("channel %d: packet too big %u > %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2403 , 0, SYSLOG_LEVEL_DEBUG2, ((void )0), "channel %d: packet too big %u > %u" , c->self, (256 1024), need)
2403	c->self, CHANNEL_MUX_MAX_PACKET, need)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2403 , 0, SYSLOG_LEVEL_DEBUG2, ((void )0), "channel %d: packet too big %u > %u" , c->self, (256 1024), need);
2404	chan_rcvd_oclose(ssh, c);
2405	return;
2406	}
2407	if (read_mux(ssh, c, need + 4) < need + 4) /* read body */
2408	return;
2409	if (c->mux_rcb(ssh, c) != 0) {
2410	debug("channel %d: mux_rcb failed", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2410 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: mux_rcb failed" , c->self);
2411	chan_mark_dead(ssh, c);
2412	return;
2413	}
2414	}
2415
2416	static void
2417	channel_post_mux_client_write(struct ssh ssh, Channel c)
2418	{
2419	ssize_t len;
2420	int r;
2421
2422	if ((c->io_ready & SSH_CHAN_IO_WFD0x02) == 0)
2423	return;
2424	if (sshbuf_len(c->output) == 0)
2425	return;
2426
2427	len = write(c->wfd, sshbuf_ptr(c->output), sshbuf_len(c->output));
2428	if (len == -1 && (errno(__errno()) == EINTR4 \|\| errno(__errno()) == EAGAIN35))
2429	return;
2430	if (len <= 0) {
2431	chan_mark_dead(ssh, c);
2432	return;
2433	}
2434	if ((r = sshbuf_consume(c->output, len)) != 0)
2435	fatal_fr(r, "channel %i: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2435 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: consume", c ->self);
2436	}
2437
2438	static void
2439	channel_post_mux_client(struct ssh ssh, Channel c)
2440	{
2441	channel_post_mux_client_read(ssh, c);
2442	channel_post_mux_client_write(ssh, c);
2443	}
2444
2445	static void
2446	channel_post_mux_listener(struct ssh ssh, Channel c)
2447	{
2448	Channel *nc;
2449	struct sockaddr_storage addr;
2450	socklen_t addrlen;
2451	int newsock;
2452	uid_t euid;
2453	gid_t egid;
2454
2455	if ((c->io_ready & SSH_CHAN_IO_SOCK_R0x10) == 0)
2456	return;
2457
2458	debug("multiplexing control connection")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2458 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "multiplexing control connection" );
2459
2460	/*
2461	* Accept connection on control socket
2462	*/
2463	memset(&addr, 0, sizeof(addr));
2464	addrlen = sizeof(addr);
2465	if ((newsock = accept(c->sock, (struct sockaddr*)&addr,
2466	&addrlen)) == -1) {
2467	error_f("accept: %s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2467 , 1, SYSLOG_LEVEL_ERROR, ((void )0), "accept: %s", strerror( (__errno())));
2468	if (errno(__errno()) == EMFILE24 \|\| errno(__errno()) == ENFILE23)
2469	c->notbefore = monotime() + 1;
2470	return;
2471	}
2472
2473	if (getpeereid(newsock, &euid, &egid) == -1) {
2474	error_f("getpeereid failed: %s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2474 , 1, SYSLOG_LEVEL_ERROR, ((void )0), "getpeereid failed: %s" , strerror((__errno())));
2475	close(newsock);
2476	return;
2477	}
2478	if ((euid != 0) && (getuid() != euid)) {
2479	error("multiplex uid mismatch: peer euid %u != uid %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2480 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "multiplex uid mismatch: peer euid %u != uid %u" , (u_int)euid, (u_int)getuid())
2480	(u_int)euid, (u_int)getuid())sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2480 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "multiplex uid mismatch: peer euid %u != uid %u" , (u_int)euid, (u_int)getuid());
2481	close(newsock);
2482	return;
2483	}
2484	nc = channel_new(ssh, "mux-control", SSH_CHANNEL_MUX_CLIENT16,
2485	newsock, newsock, -1, c->local_window_max,
2486	c->local_maxpacket, 0, "mux-control", 1);
2487	nc->mux_rcb = c->mux_rcb;
2488	debug3_f("new mux channel %d fd %d", nc->self, nc->sock)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2488 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "new mux channel %d fd %d" , nc->self, nc->sock);
2489	/* establish state */
2490	nc->mux_rcb(ssh, nc);
2491	/* mux state transitions must not elicit protocol messages */
2492	nc->flags \|= CHAN_LOCAL0x10;
2493	}
2494
2495	static void
2496	channel_handler_init(struct ssh_channels *sc)
2497	{
2498	chan_fn pre, post;
2499
2500	if ((pre = calloc(SSH_CHANNEL_MAX_TYPE23, sizeof(pre))) == NULL((void )0) \|\|
2501	(post = calloc(SSH_CHANNEL_MAX_TYPE23, sizeof(post))) == NULL((void )0))
2502	fatal_f("allocation failed")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2502 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "allocation failed");
2503
2504	pre[SSH_CHANNEL_OPEN4] = &channel_pre_open;
2505	pre[SSH_CHANNEL_X11_OPEN7] = &channel_pre_x11_open;
2506	pre[SSH_CHANNEL_PORT_LISTENER2] = &channel_pre_listener;
2507	pre[SSH_CHANNEL_RPORT_LISTENER11] = &channel_pre_listener;
2508	pre[SSH_CHANNEL_UNIX_LISTENER18] = &channel_pre_listener;
2509	pre[SSH_CHANNEL_RUNIX_LISTENER19] = &channel_pre_listener;
2510	pre[SSH_CHANNEL_X11_LISTENER1] = &channel_pre_listener;
2511	pre[SSH_CHANNEL_AUTH_SOCKET6] = &channel_pre_listener;
2512	pre[SSH_CHANNEL_CONNECTING12] = &channel_pre_connecting;
2513	pre[SSH_CHANNEL_DYNAMIC13] = &channel_pre_dynamic;
2514	pre[SSH_CHANNEL_RDYNAMIC_FINISH22] = &channel_pre_connecting;
2515	pre[SSH_CHANNEL_MUX_LISTENER15] = &channel_pre_listener;
2516	pre[SSH_CHANNEL_MUX_CLIENT16] = &channel_pre_mux_client;
2517
2518	post[SSH_CHANNEL_OPEN4] = &channel_post_open;
2519	post[SSH_CHANNEL_PORT_LISTENER2] = &channel_post_port_listener;
2520	post[SSH_CHANNEL_RPORT_LISTENER11] = &channel_post_port_listener;
2521	post[SSH_CHANNEL_UNIX_LISTENER18] = &channel_post_port_listener;
2522	post[SSH_CHANNEL_RUNIX_LISTENER19] = &channel_post_port_listener;
2523	post[SSH_CHANNEL_X11_LISTENER1] = &channel_post_x11_listener;
2524	post[SSH_CHANNEL_AUTH_SOCKET6] = &channel_post_auth_listener;
2525	post[SSH_CHANNEL_CONNECTING12] = &channel_post_connecting;
2526	post[SSH_CHANNEL_DYNAMIC13] = &channel_post_open;
2527	post[SSH_CHANNEL_RDYNAMIC_FINISH22] = &channel_post_connecting;
2528	post[SSH_CHANNEL_MUX_LISTENER15] = &channel_post_mux_listener;
2529	post[SSH_CHANNEL_MUX_CLIENT16] = &channel_post_mux_client;
2530
2531	sc->channel_pre = pre;
2532	sc->channel_post = post;
2533	}
2534
2535	/* gc dead channels */
2536	static void
2537	channel_garbage_collect(struct ssh ssh, Channel c)
2538	{
2539	if (c == NULL((void *)0))
2540	return;
2541	if (c->detach_user != NULL((void *)0)) {
2542	if (!chan_is_dead(ssh, c, c->detach_close))
2543	return;
2544
2545	debug2("channel %d: gc: notify user", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2545 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: gc: notify user" , c->self);
2546	c->detach_user(ssh, c->self, 0, NULL((void *)0));
2547	/* if we still have a callback */
2548	if (c->detach_user != NULL((void *)0))
2549	return;
2550	debug2("channel %d: gc: user detached", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2550 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: gc: user detached" , c->self);
2551	}
2552	if (!chan_is_dead(ssh, c, 1))
2553	return;
2554	debug2("channel %d: garbage collecting", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2554 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: garbage collecting" , c->self);
2555	channel_free(ssh, c);
2556	}
2557
2558	enum channel_table { CHAN_PRE, CHAN_POST };
2559
2560	static void
2561	channel_handler(struct ssh ssh, int table, struct timespec timeout)
2562	{
2563	struct ssh_channels *sc = ssh->chanctxt;
2564	chan_fn **ftab = table == CHAN_PRE ? sc->channel_pre : sc->channel_post;
2565	u_int i, oalloc;
2566	Channel *c;
2567	time_t now;
2568
2569	now = monotime();
2570	for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) {
2571	c = sc->channels[i];
2572	if (c == NULL((void *)0))
2573	continue;
2574	/* Try to keep IO going while rekeying */
2575	if (ssh_packet_is_rekeying(ssh) && c->type != SSH_CHANNEL_OPEN4)
2576	continue;
2577	if (c->delayed) {
2578	if (table == CHAN_PRE)
2579	c->delayed = 0;
2580	else
2581	continue;
2582	}
2583	if (ftab[c->type] != NULL((void *)0)) {
2584	if (table == CHAN_PRE && c->type == SSH_CHANNEL_OPEN4 &&
2585	channel_get_expiry(ssh, c) != 0 &&
2586	now >= channel_get_expiry(ssh, c)) {
2587	/* channel closed for inactivity */
2588	verbose("channel %d: closing after %u seconds "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2590 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "channel %d: closing after %u seconds " "of inactivity", c->self, c->inactive_deadline)
2589	"of inactivity", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2590 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "channel %d: closing after %u seconds " "of inactivity", c->self, c->inactive_deadline)
2590	c->inactive_deadline)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2590 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "channel %d: closing after %u seconds " "of inactivity", c->self, c->inactive_deadline);
2591	channel_force_close(ssh, c, 1);
2592	} else if (c->notbefore <= now) {
2593	/* Run handlers that are not paused. */
2594	(*ftab[c->type])(ssh, c);
2595	/* inactivity timeouts must interrupt poll() */
2596	if (timeout != NULL((void *)0) &&
2597	c->type == SSH_CHANNEL_OPEN4 &&
2598	channel_get_expiry(ssh, c) != 0) {
2599	ptimeout_deadline_monotime(timeout,
2600	channel_get_expiry(ssh, c));
2601	}
2602	} else if (timeout != NULL((void *)0)) {
2603	/*
2604	* Arrange for poll() wakeup when channel pause
2605	* timer expires.
2606	*/
2607	ptimeout_deadline_monotime(timeout,
2608	c->notbefore);
2609	}
2610	}
2611	channel_garbage_collect(ssh, c);
2612	}
2613	}
2614
2615	/*
2616	* Create sockets before preparing IO.
2617	* This is necessary for things that need to happen after reading
2618	* the network-input but need to be completed before IO event setup, e.g.
2619	* because they may create new channels.
2620	*/
2621	static void
2622	channel_before_prepare_io(struct ssh *ssh)
2623	{
2624	struct ssh_channels *sc = ssh->chanctxt;
2625	Channel *c;
2626	u_int i, oalloc;
2627
2628	for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) {
2629	c = sc->channels[i];
2630	if (c == NULL((void *)0))
2631	continue;
2632	if (c->type == SSH_CHANNEL_RDYNAMIC_OPEN21)
2633	channel_before_prepare_io_rdynamic(ssh, c);
2634	}
2635	}
2636
2637	static void
2638	dump_channel_poll(const char func, const char what, Channel *c,
2639	u_int pollfd_offset, struct pollfd *pfd)
2640	{
2641	#ifdef DEBUG_CHANNEL_POLL
2642	debug3("%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2648 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] " "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d " "pfd.ev 0x%02x pfd.rev 0x%02x" , func, c->self, what, c->rfd, c->wfd, c->efd, c-> sock, c->pfds[0], c->pfds[1], c->pfds[2], c->pfds [3], c->io_want, c->io_ready, pollfd_offset, pfd->fd , pfd->events, pfd->revents)
2643	"io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2648 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] " "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d " "pfd.ev 0x%02x pfd.rev 0x%02x" , func, c->self, what, c->rfd, c->wfd, c->efd, c-> sock, c->pfds[0], c->pfds[1], c->pfds[2], c->pfds [3], c->io_want, c->io_ready, pollfd_offset, pfd->fd , pfd->events, pfd->revents)
2644	"pfd.ev 0x%02x pfd.rev 0x%02x", func, c->self, what,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2648 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] " "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d " "pfd.ev 0x%02x pfd.rev 0x%02x" , func, c->self, what, c->rfd, c->wfd, c->efd, c-> sock, c->pfds[0], c->pfds[1], c->pfds[2], c->pfds [3], c->io_want, c->io_ready, pollfd_offset, pfd->fd , pfd->events, pfd->revents)
2645	c->rfd, c->wfd, c->efd, c->sock,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2648 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] " "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d " "pfd.ev 0x%02x pfd.rev 0x%02x" , func, c->self, what, c->rfd, c->wfd, c->efd, c-> sock, c->pfds[0], c->pfds[1], c->pfds[2], c->pfds [3], c->io_want, c->io_ready, pollfd_offset, pfd->fd , pfd->events, pfd->revents)
2646	c->pfds[0], c->pfds[1], c->pfds[2], c->pfds[3],sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2648 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] " "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d " "pfd.ev 0x%02x pfd.rev 0x%02x" , func, c->self, what, c->rfd, c->wfd, c->efd, c-> sock, c->pfds[0], c->pfds[1], c->pfds[2], c->pfds [3], c->io_want, c->io_ready, pollfd_offset, pfd->fd , pfd->events, pfd->revents)
2647	c->io_want, c->io_ready,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2648 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] " "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d " "pfd.ev 0x%02x pfd.rev 0x%02x" , func, c->self, what, c->rfd, c->wfd, c->efd, c-> sock, c->pfds[0], c->pfds[1], c->pfds[2], c->pfds [3], c->io_want, c->io_ready, pollfd_offset, pfd->fd , pfd->events, pfd->revents)
2648	pollfd_offset, pfd->fd, pfd->events, pfd->revents)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2648 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] " "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d " "pfd.ev 0x%02x pfd.rev 0x%02x" , func, c->self, what, c->rfd, c->wfd, c->efd, c-> sock, c->pfds[0], c->pfds[1], c->pfds[2], c->pfds [3], c->io_want, c->io_ready, pollfd_offset, pfd->fd , pfd->events, pfd->revents);
2649	#endif
2650	}
2651
2652	/* Prepare pollfd entries for a single channel */
2653	static void
2654	channel_prepare_pollfd(Channel c, u_int next_pollfd,
2655	struct pollfd *pfd, u_int npfd)
2656	{
2657	u_int ev, p = *next_pollfd;
2658
2659	if (c == NULL((void *)0))
2660	return;
2661	if (p + 4 > npfd) {
2662	/* Shouldn't happen */
2663	fatal_f("channel %d: bad pfd offset %u (max %u)",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2664 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: bad pfd offset %u (max %u)" , c->self, p, npfd)
2664	c->self, p, npfd)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2664 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: bad pfd offset %u (max %u)" , c->self, p, npfd);
2665	}
2666	c->pfds[0] = c->pfds[1] = c->pfds[2] = c->pfds[3] = -1;
2667	/*
2668	* prepare c->rfd
2669	*
2670	* This is a special case, since c->rfd might be the same as
2671	* c->wfd, c->efd and/or c->sock. Handle those here if they want
2672	* IO too.
2673	*/
2674	if (c->rfd != -1) {
2675	ev = 0;
2676	if ((c->io_want & SSH_CHAN_IO_RFD0x01) != 0)
2677	ev \|= POLLIN0x0001;
2678	/* rfd == wfd */
2679	if (c->wfd == c->rfd) {
2680	if ((c->io_want & SSH_CHAN_IO_WFD0x02) != 0)
2681	ev \|= POLLOUT0x0004;
2682	}
2683	/* rfd == efd */
2684	if (c->efd == c->rfd) {
2685	if ((c->io_want & SSH_CHAN_IO_EFD_R0x04) != 0)
2686	ev \|= POLLIN0x0001;
2687	if ((c->io_want & SSH_CHAN_IO_EFD_W0x08) != 0)
2688	ev \|= POLLOUT0x0004;
2689	}
2690	/* rfd == sock */
2691	if (c->sock == c->rfd) {
2692	if ((c->io_want & SSH_CHAN_IO_SOCK_R0x10) != 0)
2693	ev \|= POLLIN0x0001;
2694	if ((c->io_want & SSH_CHAN_IO_SOCK_W0x20) != 0)
2695	ev \|= POLLOUT0x0004;
2696	}
2697	/* Pack a pfd entry if any event armed for this fd */
2698	if (ev != 0) {
2699	c->pfds[0] = p;
2700	pfd[p].fd = c->rfd;
2701	pfd[p].events = ev;
2702	dump_channel_poll(__func__, "rfd", c, p, &pfd[p]);
2703	p++;
2704	}
2705	}
2706	/* prepare c->wfd if wanting IO and not already handled above */
2707	if (c->wfd != -1 && c->rfd != c->wfd) {
2708	ev = 0;
2709	if ((c->io_want & SSH_CHAN_IO_WFD0x02))
2710	ev \|= POLLOUT0x0004;
2711	/* Pack a pfd entry if any event armed for this fd */
2712	if (ev != 0) {
2713	c->pfds[1] = p;
2714	pfd[p].fd = c->wfd;
2715	pfd[p].events = ev;
2716	dump_channel_poll(__func__, "wfd", c, p, &pfd[p]);
2717	p++;
2718	}
2719	}
2720	/* prepare c->efd if wanting IO and not already handled above */
2721	if (c->efd != -1 && c->rfd != c->efd) {
2722	ev = 0;
2723	if ((c->io_want & SSH_CHAN_IO_EFD_R0x04) != 0)
2724	ev \|= POLLIN0x0001;
2725	if ((c->io_want & SSH_CHAN_IO_EFD_W0x08) != 0)
2726	ev \|= POLLOUT0x0004;
2727	/* Pack a pfd entry if any event armed for this fd */
2728	if (ev != 0) {
2729	c->pfds[2] = p;
2730	pfd[p].fd = c->efd;
2731	pfd[p].events = ev;
2732	dump_channel_poll(__func__, "efd", c, p, &pfd[p]);
2733	p++;
2734	}
2735	}
2736	/* prepare c->sock if wanting IO and not already handled above */
2737	if (c->sock != -1 && c->rfd != c->sock) {
2738	ev = 0;
2739	if ((c->io_want & SSH_CHAN_IO_SOCK_R0x10) != 0)
2740	ev \|= POLLIN0x0001;
2741	if ((c->io_want & SSH_CHAN_IO_SOCK_W0x20) != 0)
2742	ev \|= POLLOUT0x0004;
2743	/* Pack a pfd entry if any event armed for this fd */
2744	if (ev != 0) {
2745	c->pfds[3] = p;
2746	pfd[p].fd = c->sock;
2747	pfd[p].events = 0;
2748	dump_channel_poll(__func__, "sock", c, p, &pfd[p]);
2749	p++;
2750	}
2751	}
2752	*next_pollfd = p;
2753	}
2754
2755	/* * Allocate/prepare poll structure */
2756	void
2757	channel_prepare_poll(struct ssh ssh, struct pollfd pfdp, u_int npfd_allocp,
2758	u_int npfd_activep, u_int npfd_reserved, struct timespec timeout)
2759	{
2760	struct ssh_channels *sc = ssh->chanctxt;
2761	u_int i, oalloc, p, npfd = npfd_reserved;
2762
2763	channel_before_prepare_io(ssh); /* might create a new channel */
2764	/* clear out I/O flags from last poll */
2765	for (i = 0; i < sc->channels_alloc; i++) {
2766	if (sc->channels[i] == NULL((void *)0))
2767	continue;
2768	sc->channels[i]->io_want = sc->channels[i]->io_ready = 0;
2769	}
2770	/* Allocate 4x pollfd for each channel (rfd, wfd, efd, sock) */
2771	if (sc->channels_alloc >= (INT_MAX0x7fffffff / 4) - npfd_reserved)
2772	fatal_f("too many channels")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2772 , 1, SYSLOG_LEVEL_FATAL, ((void )0), "too many channels"); / shouldn't happen */
2773	npfd += sc->channels_alloc * 4;
2774	if (npfd > *npfd_allocp) {
2775	pfdp = xrecallocarray(pfdp, *npfd_allocp,
2776	npfd, sizeof(**pfdp));
2777	*npfd_allocp = npfd;
2778	}
2779	*npfd_activep = npfd_reserved;
2780	oalloc = sc->channels_alloc;
2781
2782	channel_handler(ssh, CHAN_PRE, timeout);
2783
2784	if (oalloc != sc->channels_alloc) {
2785	/* shouldn't happen */
2786	fatal_f("channels_alloc changed during CHAN_PRE "sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2787 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channels_alloc changed during CHAN_PRE " "(was %u, now %u)", oalloc, sc->channels_alloc)
2787	"(was %u, now %u)", oalloc, sc->channels_alloc)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2787 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channels_alloc changed during CHAN_PRE " "(was %u, now %u)", oalloc, sc->channels_alloc);
2788	}
2789
2790	/* Prepare pollfd */
2791	p = npfd_reserved;
2792	for (i = 0; i < sc->channels_alloc; i++)
2793	channel_prepare_pollfd(sc->channels[i], &p, *pfdp, npfd);
2794	*npfd_activep = p;
2795	}
2796
2797	static void
2798	fd_ready(Channel c, int p, struct pollfd pfds, u_int npfd, int fd,
2799	const char *what, u_int revents_mask, u_int ready)
2800	{
2801	struct pollfd *pfd = &pfds[p];
2802
2803	if (fd == -1)
2804	return;
2805	if (p == -1 \|\| (u_int)p >= npfd)
2806	fatal_f("channel %d: bad pfd %d (max %u)", c->self, p, npfd)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2806 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: bad pfd %d (max %u)" , c->self, p, npfd);
2807	dump_channel_poll(__func__, what, c, p, pfd);
2808	if (pfd->fd != fd) {
2809	fatal("channel %d: inconsistent %s fd=%d pollfd[%u].fd %d "sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2811 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: inconsistent %s fd=%d pollfd[%u].fd %d " "r%d w%d e%d s%d", c->self, what, fd, p, pfd->fd, c-> rfd, c->wfd, c->efd, c->sock)
2810	"r%d w%d e%d s%d", c->self, what, fd, p, pfd->fd,sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2811 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: inconsistent %s fd=%d pollfd[%u].fd %d " "r%d w%d e%d s%d", c->self, what, fd, p, pfd->fd, c-> rfd, c->wfd, c->efd, c->sock)
2811	c->rfd, c->wfd, c->efd, c->sock)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2811 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: inconsistent %s fd=%d pollfd[%u].fd %d " "r%d w%d e%d s%d", c->self, what, fd, p, pfd->fd, c-> rfd, c->wfd, c->efd, c->sock);
2812	}
2813	if ((pfd->revents & POLLNVAL0x0020) != 0) {
2814	fatal("channel %d: invalid %s pollfd[%u].fd %d r%d w%d e%d s%d",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2815 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: invalid %s pollfd[%u].fd %d r%d w%d e%d s%d" , c->self, what, p, pfd->fd, c->rfd, c->wfd, c-> efd, c->sock)
2815	c->self, what, p, pfd->fd, c->rfd, c->wfd, c->efd, c->sock)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2815 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: invalid %s pollfd[%u].fd %d r%d w%d e%d s%d" , c->self, what, p, pfd->fd, c->rfd, c->wfd, c-> efd, c->sock);
2816	}
2817	if ((pfd->revents & (revents_mask\|POLLHUP0x0010\|POLLERR0x0008)) != 0)
2818	c->io_ready \|= ready & c->io_want;
2819	}
2820
2821	/*
2822	* After poll, perform any appropriate operations for channels which have
2823	* events pending.
2824	*/
2825	void
2826	channel_after_poll(struct ssh ssh, struct pollfd pfd, u_int npfd)
2827	{
2828	struct ssh_channels *sc = ssh->chanctxt;
2829	u_int i;
2830	int p;
2831	Channel *c;
2832
2833	#ifdef DEBUG_CHANNEL_POLL
2834	for (p = 0; p < (int)npfd; p++) {
2835	if (pfd[p].revents == 0)
2836	continue;
2837	debug_f("pfd[%u].fd %d rev 0x%04x",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2838 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "pfd[%u].fd %d rev 0x%04x" , p, pfd[p].fd, pfd[p].revents)
2838	p, pfd[p].fd, pfd[p].revents)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2838 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "pfd[%u].fd %d rev 0x%04x" , p, pfd[p].fd, pfd[p].revents);
2839	}
2840	#endif
2841
2842	/* Convert pollfd into c->io_ready */
2843	for (i = 0; i < sc->channels_alloc; i++) {
2844	c = sc->channels[i];
2845	if (c == NULL((void *)0))
2846	continue;
2847	/* if rfd is shared with efd/sock then wfd should be too */
2848	if (c->rfd != -1 && c->wfd != -1 && c->rfd != c->wfd &&
2849	(c->rfd == c->efd \|\| c->rfd == c->sock)) {
2850	/* Shouldn't happen */
2851	fatal_f("channel %d: unexpected fds r%d w%d e%d s%d",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2852 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: unexpected fds r%d w%d e%d s%d" , c->self, c->rfd, c->wfd, c->efd, c->sock)
2852	c->self, c->rfd, c->wfd, c->efd, c->sock)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2852 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: unexpected fds r%d w%d e%d s%d" , c->self, c->rfd, c->wfd, c->efd, c->sock);
2853	}
2854	c->io_ready = 0;
2855	/* rfd, potentially shared with wfd, efd and sock */
2856	if (c->rfd != -1 && (p = c->pfds[0]) != -1) {
2857	fd_ready(c, p, pfd, npfd, c->rfd,
2858	"rfd", POLLIN0x0001, SSH_CHAN_IO_RFD0x01);
2859	if (c->rfd == c->wfd) {
2860	fd_ready(c, p, pfd, npfd, c->wfd,
2861	"wfd/r", POLLOUT0x0004, SSH_CHAN_IO_WFD0x02);
2862	}
2863	if (c->rfd == c->efd) {
2864	fd_ready(c, p, pfd, npfd, c->efd,
2865	"efdr/r", POLLIN0x0001, SSH_CHAN_IO_EFD_R0x04);
2866	fd_ready(c, p, pfd, npfd, c->efd,
2867	"efdw/r", POLLOUT0x0004, SSH_CHAN_IO_EFD_W0x08);
2868	}
2869	if (c->rfd == c->sock) {
2870	fd_ready(c, p, pfd, npfd, c->sock,
2871	"sockr/r", POLLIN0x0001, SSH_CHAN_IO_SOCK_R0x10);
2872	fd_ready(c, p, pfd, npfd, c->sock,
2873	"sockw/r", POLLOUT0x0004, SSH_CHAN_IO_SOCK_W0x20);
2874	}
2875	dump_channel_poll(__func__, "rfd", c, p, pfd);
2876	}
2877	/* wfd */
2878	if (c->wfd != -1 && c->wfd != c->rfd &&
2879	(p = c->pfds[1]) != -1) {
2880	fd_ready(c, p, pfd, npfd, c->wfd,
2881	"wfd", POLLOUT0x0004, SSH_CHAN_IO_WFD0x02);
2882	dump_channel_poll(__func__, "wfd", c, p, pfd);
2883	}
2884	/* efd */
2885	if (c->efd != -1 && c->efd != c->rfd &&
2886	(p = c->pfds[2]) != -1) {
2887	fd_ready(c, p, pfd, npfd, c->efd,
2888	"efdr", POLLIN0x0001, SSH_CHAN_IO_EFD_R0x04);
2889	fd_ready(c, p, pfd, npfd, c->efd,
2890	"efdw", POLLOUT0x0004, SSH_CHAN_IO_EFD_W0x08);
2891	dump_channel_poll(__func__, "efd", c, p, pfd);
2892	}
2893	/* sock */
2894	if (c->sock != -1 && c->sock != c->rfd &&
2895	(p = c->pfds[3]) != -1) {
2896	fd_ready(c, p, pfd, npfd, c->sock,
2897	"sockr", POLLIN0x0001, SSH_CHAN_IO_SOCK_R0x10);
2898	fd_ready(c, p, pfd, npfd, c->sock,
2899	"sockw", POLLOUT0x0004, SSH_CHAN_IO_SOCK_W0x20);
2900	dump_channel_poll(__func__, "sock", c, p, pfd);
2901	}
2902	}
2903	channel_handler(ssh, CHAN_POST, NULL((void *)0));
2904	}
2905
2906	/*
2907	* Enqueue data for channels with open or draining c->input.
2908	* Returns non-zero if a packet was enqueued.
2909	*/
2910	static int
2911	channel_output_poll_input_open(struct ssh ssh, Channel c)
2912	{
2913	size_t len, plen;
2914	const u_char *pkt;
2915	int r;
2916
2917	if ((len = sshbuf_len(c->input)) == 0) {
2918	if (c->istate == CHAN_INPUT_WAIT_DRAIN1) {
2919	/*
2920	* input-buffer is empty and read-socket shutdown:
2921	* tell peer, that we will not send more data:
2922	* send IEOF.
2923	* hack for extended data: delay EOF if EFD still
2924	* in use.
2925	*/
2926	if (CHANNEL_EFD_INPUT_ACTIVE(c)(c->extended_usage == 1 && (c->efd != -1 \|\| sshbuf_len (c->extended) > 0)))
2927	debug2("channel %d: "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2929 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "ibuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended))
2928	"ibuf_empty delayed efd %d/(%zu)",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2929 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "ibuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended))
2929	c->self, c->efd, sshbuf_len(c->extended))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2929 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "ibuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended));
2930	else
2931	chan_ibuf_empty(ssh, c);
2932	}
2933	return 0;
2934	}
2935
2936	if (!c->have_remote_id)
2937	fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2937 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self);
2938
2939	if (c->datagram) {
2940	/* Check datagram will fit; drop if not */
2941	if ((r = sshbuf_get_string_direct(c->input, &pkt, &plen)) != 0)
2942	fatal_fr(r, "channel %i: get datagram", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2942 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: get datagram" , c->self);
2943	/*
2944	* XXX this does tail-drop on the datagram queue which is
2945	* usually suboptimal compared to head-drop. Better to have
2946	* backpressure at read time? (i.e. read + discard)
2947	*/
2948	if (plen > c->remote_window \|\| plen > c->remote_maxpacket) {
2949	debug("channel %d: datagram too big", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2949 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: datagram too big" , c->self);
2950	return 0;
2951	}
2952	/* Enqueue it */
2953	if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA94)) != 0 \|\|
2954	(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 \|\|
2955	(r = sshpkt_put_string(ssh, pkt, plen)) != 0 \|\|
2956	(r = sshpkt_send(ssh)) != 0)
2957	fatal_fr(r, "channel %i: send datagram", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2957 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: send datagram" , c->self);
2958	c->remote_window -= plen;
2959	return 1;
2960	}
2961
2962	/* Enqueue packet for buffered data. */
2963	if (len > c->remote_window)
2964	len = c->remote_window;
2965	if (len > c->remote_maxpacket)
2966	len = c->remote_maxpacket;
2967	if (len == 0)
2968	return 0;
2969	if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA94)) != 0 \|\|
2970	(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 \|\|
2971	(r = sshpkt_put_string(ssh, sshbuf_ptr(c->input), len)) != 0 \|\|
2972	(r = sshpkt_send(ssh)) != 0)
2973	fatal_fr(r, "channel %i: send data", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2973 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: send data", c->self);
2974	if ((r = sshbuf_consume(c->input, len)) != 0)
2975	fatal_fr(r, "channel %i: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2975 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: consume", c ->self);
2976	c->remote_window -= len;
2977	return 1;
2978	}
2979
2980	/*
2981	* Enqueue data for channels with open c->extended in read mode.
2982	* Returns non-zero if a packet was enqueued.
2983	*/
2984	static int
2985	channel_output_poll_extended_read(struct ssh ssh, Channel c)
2986	{
2987	size_t len;
2988	int r;
2989
2990	if ((len = sshbuf_len(c->extended)) == 0)
2991	return 0;
2992
2993	debug2("channel %d: rwin %u elen %zu euse %d", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2994 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: rwin %u elen %zu euse %d" , c->self, c->remote_window, sshbuf_len(c->extended) , c->extended_usage)
2994	c->remote_window, sshbuf_len(c->extended), c->extended_usage)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2994 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: rwin %u elen %zu euse %d" , c->self, c->remote_window, sshbuf_len(c->extended) , c->extended_usage);
2995	if (len > c->remote_window)
2996	len = c->remote_window;
2997	if (len > c->remote_maxpacket)
2998	len = c->remote_maxpacket;
2999	if (len == 0)
3000	return 0;
3001	if (!c->have_remote_id)
3002	fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3002 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self);
3003	if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_EXTENDED_DATA95)) != 0 \|\|
3004	(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 \|\|
3005	(r = sshpkt_put_u32(ssh, SSH2_EXTENDED_DATA_STDERR1)) != 0 \|\|
3006	(r = sshpkt_put_string(ssh, sshbuf_ptr(c->extended), len)) != 0 \|\|
3007	(r = sshpkt_send(ssh)) != 0)
3008	fatal_fr(r, "channel %i: data", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3008 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: data", c-> self);
3009	if ((r = sshbuf_consume(c->extended, len)) != 0)
3010	fatal_fr(r, "channel %i: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3010 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: consume", c ->self);
3011	c->remote_window -= len;
3012	debug2("channel %d: sent ext data %zu", c->self, len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3012 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: sent ext data %zu" , c->self, len);
3013	return 1;
3014	}
3015
3016	/*
3017	* If there is data to send to the connection, enqueue some of it now.
3018	* Returns non-zero if data was enqueued.
3019	*/
3020	int
3021	channel_output_poll(struct ssh *ssh)
3022	{
3023	struct ssh_channels *sc = ssh->chanctxt;
3024	Channel *c;
3025	u_int i;
3026	int ret = 0;
3027
3028	for (i = 0; i < sc->channels_alloc; i++) {
3029	c = sc->channels[i];
3030	if (c == NULL((void *)0))
3031	continue;
3032
3033	/*
3034	* We are only interested in channels that can have buffered
3035	* incoming data.
3036	*/
3037	if (c->type != SSH_CHANNEL_OPEN4)
3038	continue;
3039	if ((c->flags & (CHAN_CLOSE_SENT0x01\|CHAN_CLOSE_RCVD0x02))) {
3040	/* XXX is this true? */
3041	debug3("channel %d: will not send data after close",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3042 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: will not send data after close" , c->self)
3042	c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3042 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: will not send data after close" , c->self);
3043	continue;
3044	}
3045
3046	/* Get the amount of buffered data for this channel. */
3047	if (c->istate == CHAN_INPUT_OPEN0 \|\|
3048	c->istate == CHAN_INPUT_WAIT_DRAIN1)
3049	ret \|= channel_output_poll_input_open(ssh, c);
3050	/* Send extended data, i.e. stderr */
3051	if (!(c->flags & CHAN_EOF_SENT0x04) &&
3052	c->extended_usage == CHAN_EXTENDED_READ1)
3053	ret \|= channel_output_poll_extended_read(ssh, c);
3054	}
3055	return ret;
3056	}
3057
3058	/* -- mux proxy support */
3059
3060	/*
3061	* When multiplexing channel messages for mux clients we have to deal
3062	* with downstream messages from the mux client and upstream messages
3063	* from the ssh server:
3064	* 1) Handling downstream messages is straightforward and happens
3065	* in channel_proxy_downstream():
3066	* - We forward all messages (mostly) unmodified to the server.
3067	* - However, in order to route messages from upstream to the correct
3068	* downstream client, we have to replace the channel IDs used by the
3069	* mux clients with a unique channel ID because the mux clients might
3070	* use conflicting channel IDs.
3071	* - so we inspect and change both SSH2_MSG_CHANNEL_OPEN and
3072	* SSH2_MSG_CHANNEL_OPEN_CONFIRMATION messages, create a local
3073	* SSH_CHANNEL_MUX_PROXY channel and replace the mux clients ID
3074	* with the newly allocated channel ID.
3075	* 2) Upstream messages are received by matching SSH_CHANNEL_MUX_PROXY
3076	* channels and processed by channel_proxy_upstream(). The local channel ID
3077	* is then translated back to the original mux client ID.
3078	* 3) In both cases we need to keep track of matching SSH2_MSG_CHANNEL_CLOSE
3079	* messages so we can clean up SSH_CHANNEL_MUX_PROXY channels.
3080	* 4) The SSH_CHANNEL_MUX_PROXY channels also need to closed when the
3081	* downstream mux client are removed.
3082	* 5) Handling SSH2_MSG_CHANNEL_OPEN messages from the upstream server
3083	* requires more work, because they are not addressed to a specific
3084	* channel. E.g. client_request_forwarded_tcpip() needs to figure
3085	* out whether the request is addressed to the local client or a
3086	* specific downstream client based on the listen-address/port.
3087	* 6) Agent and X11-Forwarding have a similar problem and are currently
3088	* not supported as the matching session/channel cannot be identified
3089	* easily.
3090	*/
3091
3092	/*
3093	* receive packets from downstream mux clients:
3094	* channel callback fired on read from mux client, creates
3095	* SSH_CHANNEL_MUX_PROXY channels and translates channel IDs
3096	* on channel creation.
3097	*/
3098	int
3099	channel_proxy_downstream(struct ssh ssh, Channel downstream)
3100	{
3101	Channel c = NULL((void )0);
3102	struct sshbuf original = NULL((void )0), modified = NULL((void )0);
3103	const u_char *cp;
3104	char ctype = NULL((void )0), listen_host = NULL((void )0);
3105	u_char type;
3106	size_t have;
3107	int ret = -1, r;
3108	u_int id, remote_id, listen_port;
3109
3110	/* sshbuf_dump(downstream->input, stderr); */
3111	if ((r = sshbuf_get_string_direct(downstream->input, &cp, &have))
3112	!= 0) {
3113	error_fr(r, "parse")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3113 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse");
3114	return -1;
3115	}
3116	if (have < 2) {
3117	error_f("short message")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3117 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "short message");
3118	return -1;
3119	}
3120	type = cp[1];
3121	/* skip padlen + type */
3122	cp += 2;
3123	have -= 2;
3124	if (ssh_packet_log_type(type))
3125	debug3_f("channel %u: down->up: type %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3126 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %u: down->up: type %u" , downstream->self, type)
3126	downstream->self, type)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3126 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %u: down->up: type %u" , downstream->self, type);
3127
3128	switch (type) {
3129	case SSH2_MSG_CHANNEL_OPEN90:
3130	if ((original = sshbuf_from(cp, have)) == NULL((void *)0) \|\|
3131	(modified = sshbuf_new()) == NULL((void *)0)) {
3132	error_f("alloc")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3132 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "alloc");
3133	goto out;
3134	}
3135	if ((r = sshbuf_get_cstring(original, &ctype, NULL((void *)0))) != 0 \|\|
3136	(r = sshbuf_get_u32(original, &id)) != 0) {
3137	error_fr(r, "parse")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3137 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse");
3138	goto out;
3139	}
3140	c = channel_new(ssh, "mux-proxy", SSH_CHANNEL_MUX_PROXY20,
3141	-1, -1, -1, 0, 0, 0, ctype, 1);
3142	c->mux_ctx = downstream; /* point to mux client */
3143	c->mux_downstream_id = id; /* original downstream id */
3144	if ((r = sshbuf_put_cstring(modified, ctype)) != 0 \|\|
3145	(r = sshbuf_put_u32(modified, c->self)) != 0 \|\|
3146	(r = sshbuf_putb(modified, original)) != 0) {
3147	error_fr(r, "compose")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3147 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "compose");
3148	channel_free(ssh, c);
3149	goto out;
3150	}
3151	break;
3152	case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION91:
3153	/*
3154	* Almost the same as SSH2_MSG_CHANNEL_OPEN, except then we
3155	* need to parse 'remote_id' instead of 'ctype'.
3156	*/
3157	if ((original = sshbuf_from(cp, have)) == NULL((void *)0) \|\|
3158	(modified = sshbuf_new()) == NULL((void *)0)) {
3159	error_f("alloc")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3159 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "alloc");
3160	goto out;
3161	}
3162	if ((r = sshbuf_get_u32(original, &remote_id)) != 0 \|\|
3163	(r = sshbuf_get_u32(original, &id)) != 0) {
3164	error_fr(r, "parse")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3164 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse");
3165	goto out;
3166	}
3167	c = channel_new(ssh, "mux-proxy", SSH_CHANNEL_MUX_PROXY20,
3168	-1, -1, -1, 0, 0, 0, "mux-down-connect", 1);
3169	c->mux_ctx = downstream; /* point to mux client */
3170	c->mux_downstream_id = id;
3171	c->remote_id = remote_id;
3172	c->have_remote_id = 1;
3173	if ((r = sshbuf_put_u32(modified, remote_id)) != 0 \|\|
3174	(r = sshbuf_put_u32(modified, c->self)) != 0 \|\|
3175	(r = sshbuf_putb(modified, original)) != 0) {
3176	error_fr(r, "compose")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3176 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "compose");
3177	channel_free(ssh, c);
3178	goto out;
3179	}
3180	break;
3181	case SSH2_MSG_GLOBAL_REQUEST80:
3182	if ((original = sshbuf_from(cp, have)) == NULL((void *)0)) {
3183	error_f("alloc")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3183 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "alloc");
3184	goto out;
3185	}
3186	if ((r = sshbuf_get_cstring(original, &ctype, NULL((void *)0))) != 0) {
3187	error_fr(r, "parse")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3187 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse");
3188	goto out;
3189	}
3190	if (strcmp(ctype, "tcpip-forward") != 0) {
3191	error_f("unsupported request %s", ctype)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3191 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "unsupported request %s" , ctype);
3192	goto out;
3193	}
3194	if ((r = sshbuf_get_u8(original, NULL((void *)0))) != 0 \|\|
3195	(r = sshbuf_get_cstring(original, &listen_host, NULL((void *)0))) != 0 \|\|
3196	(r = sshbuf_get_u32(original, &listen_port)) != 0) {
3197	error_fr(r, "parse")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3197 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse");
3198	goto out;
3199	}
3200	if (listen_port > 65535) {
3201	error_f("tcpip-forward for %s: bad port %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3202 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "tcpip-forward for %s: bad port %u" , listen_host, listen_port)
3202	listen_host, listen_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3202 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "tcpip-forward for %s: bad port %u" , listen_host, listen_port);
3203	goto out;
3204	}
3205	/* Record that connection to this host/port is permitted. */
3206	permission_set_add(ssh, FORWARD_USER0x101, FORWARD_LOCAL(1<<1), "<mux>", -1,
3207	listen_host, NULL((void *)0), (int)listen_port, downstream);
3208	listen_host = NULL((void *)0);
3209	break;
3210	case SSH2_MSG_CHANNEL_CLOSE97:
3211	if (have < 4)
3212	break;
3213	remote_id = PEEK_U32(cp)(((u_int32_t)(((const u_char )(cp))[0]) << 24) \| ((u_int32_t )(((const u_char )(cp))[1]) << 16) \| ((u_int32_t)(((const u_char )(cp))[2]) << 8) \| (u_int32_t)(((const u_char )(cp))[3]));
3214	if ((c = channel_by_remote_id(ssh, remote_id)) != NULL((void *)0)) {
3215	if (c->flags & CHAN_CLOSE_RCVD0x02)
3216	channel_free(ssh, c);
3217	else
3218	c->flags \|= CHAN_CLOSE_SENT0x01;
3219	}
3220	break;
3221	}
3222	if (modified) {
3223	if ((r = sshpkt_start(ssh, type)) != 0 \|\|
3224	(r = sshpkt_putb(ssh, modified)) != 0 \|\|
3225	(r = sshpkt_send(ssh)) != 0) {
3226	error_fr(r, "send")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3226 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "send");
3227	goto out;
3228	}
3229	} else {
3230	if ((r = sshpkt_start(ssh, type)) != 0 \|\|
3231	(r = sshpkt_put(ssh, cp, have)) != 0 \|\|
3232	(r = sshpkt_send(ssh)) != 0) {
3233	error_fr(r, "send")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3233 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "send");
3234	goto out;
3235	}
3236	}
3237	ret = 0;
3238	out:
3239	free(ctype);
3240	free(listen_host);
3241	sshbuf_free(original);
3242	sshbuf_free(modified);
3243	return ret;
3244	}
3245
3246	/*
3247	* receive packets from upstream server and de-multiplex packets
3248	* to correct downstream:
3249	* implemented as a helper for channel input handlers,
3250	* replaces local (proxy) channel ID with downstream channel ID.
3251	*/
3252	int
3253	channel_proxy_upstream(Channel c, int type, u_int32_t seq, struct ssh ssh)
3254	{
3255	struct sshbuf b = NULL((void )0);
3256	Channel *downstream;
3257	const u_char cp = NULL((void )0);
3258	size_t len;
3259	int r;
3260
3261	/*
3262	* When receiving packets from the peer we need to check whether we
3263	* need to forward the packets to the mux client. In this case we
3264	* restore the original channel id and keep track of CLOSE messages,
3265	* so we can cleanup the channel.
3266	*/
3267	if (c == NULL((void *)0) \|\| c->type != SSH_CHANNEL_MUX_PROXY20)
3268	return 0;
3269	if ((downstream = c->mux_ctx) == NULL((void *)0))
3270	return 0;
3271	switch (type) {
3272	case SSH2_MSG_CHANNEL_CLOSE97:
3273	case SSH2_MSG_CHANNEL_DATA94:
3274	case SSH2_MSG_CHANNEL_EOF96:
3275	case SSH2_MSG_CHANNEL_EXTENDED_DATA95:
3276	case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION91:
3277	case SSH2_MSG_CHANNEL_OPEN_FAILURE92:
3278	case SSH2_MSG_CHANNEL_WINDOW_ADJUST93:
3279	case SSH2_MSG_CHANNEL_SUCCESS99:
3280	case SSH2_MSG_CHANNEL_FAILURE100:
3281	case SSH2_MSG_CHANNEL_REQUEST98:
3282	break;
3283	default:
3284	debug2_f("channel %u: unsupported type %u", c->self, type)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3284 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %u: unsupported type %u" , c->self, type);
3285	return 0;
3286	}
3287	if ((b = sshbuf_new()) == NULL((void *)0)) {
3288	error_f("alloc reply")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3288 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "alloc reply");
3289	goto out;
3290	}
3291	/* get remaining payload (after id) */
3292	cp = sshpkt_ptr(ssh, &len);
3293	if (cp == NULL((void *)0)) {
3294	error_f("no packet")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3294 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "no packet");
3295	goto out;
3296	}
3297	/* translate id and send to muxclient */
3298	if ((r = sshbuf_put_u8(b, 0)) != 0 \|\| /* padlen */
3299	(r = sshbuf_put_u8(b, type)) != 0 \|\|
3300	(r = sshbuf_put_u32(b, c->mux_downstream_id)) != 0 \|\|
3301	(r = sshbuf_put(b, cp, len)) != 0 \|\|
3302	(r = sshbuf_put_stringb(downstream->output, b)) != 0) {
3303	error_fr(r, "compose muxclient")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3303 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "compose muxclient");
3304	goto out;
3305	}
3306	/* sshbuf_dump(b, stderr); */
3307	if (ssh_packet_log_type(type))
3308	debug3_f("channel %u: up->down: type %u", c->self, type)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3308 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %u: up->down: type %u" , c->self, type);
3309	out:
3310	/* update state */
3311	switch (type) {
3312	case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION91:
3313	/* record remote_id for SSH2_MSG_CHANNEL_CLOSE */
3314	if (cp && len > 4) {
3315	c->remote_id = PEEK_U32(cp)(((u_int32_t)(((const u_char )(cp))[0]) << 24) \| ((u_int32_t )(((const u_char )(cp))[1]) << 16) \| ((u_int32_t)(((const u_char )(cp))[2]) << 8) \| (u_int32_t)(((const u_char )(cp))[3]));
3316	c->have_remote_id = 1;
3317	}
3318	break;
3319	case SSH2_MSG_CHANNEL_CLOSE97:
3320	if (c->flags & CHAN_CLOSE_SENT0x01)
3321	channel_free(ssh, c);
3322	else
3323	c->flags \|= CHAN_CLOSE_RCVD0x02;
3324	break;
3325	}
3326	sshbuf_free(b);
3327	return 1;
3328	}
3329
3330	/* -- protocol input */
3331
3332	/* Parse a channel ID from the current packet */
3333	static int
3334	channel_parse_id(struct ssh ssh, const char where, const char *what)
3335	{
3336	u_int32_t id;
3337	int r;
3338
3339	if ((r = sshpkt_get_u32(ssh, &id)) != 0) {
3340	error_r(r, "%s: parse id", where)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3340 , 0, SYSLOG_LEVEL_ERROR, ssh_err(r), "%s: parse id", where);
3341	ssh_packet_disconnect(ssh, "Invalid %s message", what);
3342	}
3343	if (id > INT_MAX0x7fffffff) {
3344	error_r(r, "%s: bad channel id %u", where, id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3344 , 0, SYSLOG_LEVEL_ERROR, ssh_err(r), "%s: bad channel id %u", where, id);
3345	ssh_packet_disconnect(ssh, "Invalid %s channel id", what);
3346	}
3347	return (int)id;
3348	}
3349
3350	/* Lookup a channel from an ID in the current packet */
3351	static Channel *
3352	channel_from_packet_id(struct ssh ssh, const char where, const char *what)
3353	{
3354	int id = channel_parse_id(ssh, where, what);
3355	Channel *c;
3356
3357	if ((c = channel_lookup(ssh, id)) == NULL((void *)0)) {
3358	ssh_packet_disconnect(ssh,
3359	"%s packet referred to nonexistent channel %d", what, id);
3360	}
3361	return c;
3362	}
3363
3364	int
3365	channel_input_data(int type, u_int32_t seq, struct ssh *ssh)
3366	{
3367	const u_char *data;
3368	size_t data_len, win_len;
3369	Channel *c = channel_from_packet_id(ssh, __func__, "data");
3370	int r;
3371
3372	if (channel_proxy_upstream(c, type, seq, ssh))
3373	return 0;
3374
3375	/* Ignore any data for non-open channels (might happen on close) */
3376	if (c->type != SSH_CHANNEL_OPEN4 &&
3377	c->type != SSH_CHANNEL_RDYNAMIC_OPEN21 &&
3378	c->type != SSH_CHANNEL_RDYNAMIC_FINISH22 &&
3379	c->type != SSH_CHANNEL_X11_OPEN7)
3380	return 0;
3381
3382	/* Get the data. */
3383	if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 \|\|
3384	(r = sshpkt_get_end(ssh)) != 0)
3385	fatal_fr(r, "channel %i: get data", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3385 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: get data", c ->self);
3386
3387	win_len = data_len;
3388	if (c->datagram)
3389	win_len += 4; /* string length header */
3390
3391	/*
3392	* The sending side reduces its window as it sends data, so we
3393	* must 'fake' consumption of the data in order to ensure that window
3394	* updates are sent back. Otherwise the connection might deadlock.
3395	*/
3396	if (c->ostate != CHAN_OUTPUT_OPEN0) {
3397	c->local_window -= win_len;
3398	c->local_consumed += win_len;
3399	return 0;
3400	}
3401
3402	if (win_len > c->local_maxpacket) {
3403	logit("channel %d: rcvd big packet %zu, maxpack %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3404 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd big packet %zu, maxpack %u" , c->self, win_len, c->local_maxpacket)
3404	c->self, win_len, c->local_maxpacket)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3404 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd big packet %zu, maxpack %u" , c->self, win_len, c->local_maxpacket);
3405	return 0;
3406	}
3407	if (win_len > c->local_window) {
3408	c->local_window_exceeded += win_len - c->local_window;
3409	logit("channel %d: rcvd too much data %zu, win %u/%u "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3411 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd too much data %zu, win %u/%u " "(excess %u)", c->self, win_len, c->local_window, c-> local_window_max, c->local_window_exceeded)
3410	"(excess %u)", c->self, win_len, c->local_window,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3411 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd too much data %zu, win %u/%u " "(excess %u)", c->self, win_len, c->local_window, c-> local_window_max, c->local_window_exceeded)
3411	c->local_window_max, c->local_window_exceeded)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3411 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd too much data %zu, win %u/%u " "(excess %u)", c->self, win_len, c->local_window, c-> local_window_max, c->local_window_exceeded);
3412	c->local_window = 0;
3413	/* Allow 10% grace before bringing the hammer down */
3414	if (c->local_window_exceeded > (c->local_window_max / 10)) {
3415	ssh_packet_disconnect(ssh, "channel %d: peer ignored "
3416	"channel window", c->self);
3417	}
3418	} else {
3419	c->local_window -= win_len;
3420	c->local_window_exceeded = 0;
3421	}
3422
3423	if (c->datagram) {
3424	if ((r = sshbuf_put_string(c->output, data, data_len)) != 0)
3425	fatal_fr(r, "channel %i: append datagram", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3425 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: append datagram" , c->self);
3426	} else if ((r = sshbuf_put(c->output, data, data_len)) != 0)
3427	fatal_fr(r, "channel %i: append data", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3427 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: append data" , c->self);
3428
3429	return 0;
3430	}
3431
3432	int
3433	channel_input_extended_data(int type, u_int32_t seq, struct ssh *ssh)
3434	{
3435	const u_char *data;
3436	size_t data_len;
3437	u_int32_t tcode;
3438	Channel *c = channel_from_packet_id(ssh, __func__, "extended data");
3439	int r;
3440
3441	if (channel_proxy_upstream(c, type, seq, ssh))
3442	return 0;
3443	if (c->type != SSH_CHANNEL_OPEN4) {
3444	logit("channel %d: ext data for non open", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3444 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: ext data for non open" , c->self);
3445	return 0;
3446	}
3447	if (c->flags & CHAN_EOF_RCVD0x08) {
3448	if (ssh->compat & SSH_BUG_EXTEOF0x00200000)
3449	debug("channel %d: accepting ext data after eof",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3450 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: accepting ext data after eof" , c->self)
3450	c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3450 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: accepting ext data after eof" , c->self);
3451	else
3452	ssh_packet_disconnect(ssh, "Received extended_data "
3453	"after EOF on channel %d.", c->self);
3454	}
3455
3456	if ((r = sshpkt_get_u32(ssh, &tcode)) != 0) {
3457	error_fr(r, "parse tcode")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3457 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse tcode");
3458	ssh_packet_disconnect(ssh, "Invalid extended_data message");
3459	}
3460	if (c->efd == -1 \|\|
3461	c->extended_usage != CHAN_EXTENDED_WRITE2 \|\|
3462	tcode != SSH2_EXTENDED_DATA_STDERR1) {
3463	logit("channel %d: bad ext data", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3463 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: bad ext data" , c->self);
3464	return 0;
3465	}
3466	if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 \|\|
3467	(r = sshpkt_get_end(ssh)) != 0) {
3468	error_fr(r, "parse data")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3468 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse data");
3469	ssh_packet_disconnect(ssh, "Invalid extended_data message");
3470	}
3471
3472	if (data_len > c->local_window) {
3473	logit("channel %d: rcvd too much extended_data %zu, win %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3474 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd too much extended_data %zu, win %u" , c->self, data_len, c->local_window)
3474	c->self, data_len, c->local_window)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3474 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd too much extended_data %zu, win %u" , c->self, data_len, c->local_window);
3475	return 0;
3476	}
3477	debug2("channel %d: rcvd ext data %zu", c->self, data_len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3477 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: rcvd ext data %zu" , c->self, data_len);
3478	/* XXX sshpkt_getb? */
3479	if ((r = sshbuf_put(c->extended, data, data_len)) != 0)
3480	error_fr(r, "append")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3480 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "append");
3481	c->local_window -= data_len;
3482	return 0;
3483	}
3484
3485	int
3486	channel_input_ieof(int type, u_int32_t seq, struct ssh *ssh)
3487	{
3488	Channel *c = channel_from_packet_id(ssh, __func__, "ieof");
3489	int r;
3490
3491	if ((r = sshpkt_get_end(ssh)) != 0) {
3492	error_fr(r, "parse data")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3492 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse data");
3493	ssh_packet_disconnect(ssh, "Invalid ieof message");
3494	}
3495
3496	if (channel_proxy_upstream(c, type, seq, ssh))
3497	return 0;
3498	chan_rcvd_ieof(ssh, c);
3499
3500	/* XXX force input close */
3501	if (c->force_drain && c->istate == CHAN_INPUT_OPEN0) {
3502	debug("channel %d: FORCE input drain", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3502 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: FORCE input drain" , c->self);
3503	c->istate = CHAN_INPUT_WAIT_DRAIN1;
3504	if (sshbuf_len(c->input) == 0)
3505	chan_ibuf_empty(ssh, c);
3506	}
3507	return 0;
3508	}
3509
3510	int
3511	channel_input_oclose(int type, u_int32_t seq, struct ssh *ssh)
3512	{
3513	Channel *c = channel_from_packet_id(ssh, __func__, "oclose");
3514	int r;
3515
3516	if (channel_proxy_upstream(c, type, seq, ssh))
3517	return 0;
3518	if ((r = sshpkt_get_end(ssh)) != 0) {
3519	error_fr(r, "parse data")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3519 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse data");
3520	ssh_packet_disconnect(ssh, "Invalid oclose message");
3521	}
3522	chan_rcvd_oclose(ssh, c);
3523	return 0;
3524	}
3525
3526	int
3527	channel_input_open_confirmation(int type, u_int32_t seq, struct ssh *ssh)
3528	{
3529	Channel *c = channel_from_packet_id(ssh, __func__, "open confirmation");
3530	u_int32_t remote_window, remote_maxpacket;
3531	int r;
3532
3533	if (channel_proxy_upstream(c, type, seq, ssh))
3534	return 0;
3535	if (c->type != SSH_CHANNEL_OPENING3)
3536	ssh_packet_disconnect(ssh, "Received open confirmation for "
3537	"non-opening channel %d.", c->self);
3538	/*
3539	* Record the remote channel number and mark that the channel
3540	* is now open.
3541	*/
3542	if ((r = sshpkt_get_u32(ssh, &c->remote_id)) != 0 \|\|
3543	(r = sshpkt_get_u32(ssh, &remote_window)) != 0 \|\|
3544	(r = sshpkt_get_u32(ssh, &remote_maxpacket)) != 0 \|\|
3545	(r = sshpkt_get_end(ssh)) != 0) {
3546	error_fr(r, "window/maxpacket")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3546 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "window/maxpacket");
3547	ssh_packet_disconnect(ssh, "Invalid open confirmation message");
3548	}
3549
3550	c->have_remote_id = 1;
3551	c->remote_window = remote_window;
3552	c->remote_maxpacket = remote_maxpacket;
3553	c->type = SSH_CHANNEL_OPEN4;
3554	if (c->open_confirm) {
3555	debug2_f("channel %d: callback start", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3555 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: callback start" , c->self);
3556	c->open_confirm(ssh, c->self, 1, c->open_confirm_ctx);
3557	debug2_f("channel %d: callback done", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3557 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: callback done" , c->self);
3558	}
3559	channel_set_used_time(ssh, c);
3560	debug2("channel %d: open confirm rwindow %u rmax %u", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3561 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: open confirm rwindow %u rmax %u" , c->self, c->remote_window, c->remote_maxpacket)
3561	c->remote_window, c->remote_maxpacket)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3561 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: open confirm rwindow %u rmax %u" , c->self, c->remote_window, c->remote_maxpacket);
3562	return 0;
3563	}
3564
3565	static char *
3566	reason2txt(int reason)
3567	{
3568	switch (reason) {
3569	case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED1:
3570	return "administratively prohibited";
3571	case SSH2_OPEN_CONNECT_FAILED2:
3572	return "connect failed";
3573	case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE3:
3574	return "unknown channel type";
3575	case SSH2_OPEN_RESOURCE_SHORTAGE4:
3576	return "resource shortage";
3577	}
3578	return "unknown reason";
3579	}
3580
3581	int
3582	channel_input_open_failure(int type, u_int32_t seq, struct ssh *ssh)
3583	{
3584	Channel *c = channel_from_packet_id(ssh, __func__, "open failure");
3585	u_int32_t reason;
3586	char msg = NULL((void )0);
3587	int r;
3588
3589	if (channel_proxy_upstream(c, type, seq, ssh))
3590	return 0;
3591	if (c->type != SSH_CHANNEL_OPENING3)
3592	ssh_packet_disconnect(ssh, "Received open failure for "
3593	"non-opening channel %d.", c->self);
3594	if ((r = sshpkt_get_u32(ssh, &reason)) != 0) {
3595	error_fr(r, "parse reason")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3595 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse reason");
3596	ssh_packet_disconnect(ssh, "Invalid open failure message");
3597	}
3598	/* skip language */
3599	if ((r = sshpkt_get_cstring(ssh, &msg, NULL((void *)0))) != 0 \|\|
3600	(r = sshpkt_get_string_direct(ssh, NULL((void )0), NULL((void )0))) != 0 \|\|
3601	(r = sshpkt_get_end(ssh)) != 0) {
3602	error_fr(r, "parse msg/lang")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3602 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse msg/lang");
3603	ssh_packet_disconnect(ssh, "Invalid open failure message");
3604	}
3605	logit("channel %d: open failed: %s%s%s", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3606 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: open failed: %s%s%s" , c->self, reason2txt(reason), msg ? ": ": "", msg ? msg : "")
3606	reason2txt(reason), msg ? ": ": "", msg ? msg : "")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3606 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: open failed: %s%s%s" , c->self, reason2txt(reason), msg ? ": ": "", msg ? msg : "");
3607	free(msg);
3608	if (c->open_confirm) {
3609	debug2_f("channel %d: callback start", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3609 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: callback start" , c->self);
3610	c->open_confirm(ssh, c->self, 0, c->open_confirm_ctx);
3611	debug2_f("channel %d: callback done", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3611 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: callback done" , c->self);
3612	}
3613	/* Schedule the channel for cleanup/deletion. */
3614	chan_mark_dead(ssh, c);
3615	return 0;
3616	}
3617
3618	int
3619	channel_input_window_adjust(int type, u_int32_t seq, struct ssh *ssh)
3620	{
3621	int id = channel_parse_id(ssh, __func__, "window adjust");
3622	Channel *c;
3623	u_int32_t adjust;
3624	u_int new_rwin;
3625	int r;
3626
3627	if ((c = channel_lookup(ssh, id)) == NULL((void *)0)) {
3628	logit("Received window adjust for non-open channel %d.", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3628 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received window adjust for non-open channel %d." , id);
3629	return 0;
3630	}
3631
3632	if (channel_proxy_upstream(c, type, seq, ssh))
3633	return 0;
3634	if ((r = sshpkt_get_u32(ssh, &adjust)) != 0 \|\|
3635	(r = sshpkt_get_end(ssh)) != 0) {
3636	error_fr(r, "parse adjust")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3636 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse adjust");
3637	ssh_packet_disconnect(ssh, "Invalid window adjust message");
3638	}
3639	debug2("channel %d: rcvd adjust %u", c->self, adjust)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3639 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: rcvd adjust %u" , c->self, adjust);
3640	if ((new_rwin = c->remote_window + adjust) < c->remote_window) {
3641	fatal("channel %d: adjust %u overflows remote window %u",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3642 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: adjust %u overflows remote window %u" , c->self, adjust, c->remote_window)
3642	c->self, adjust, c->remote_window)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3642 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: adjust %u overflows remote window %u" , c->self, adjust, c->remote_window);
3643	}
3644	c->remote_window = new_rwin;
3645	return 0;
3646	}
3647
3648	int
3649	channel_input_status_confirm(int type, u_int32_t seq, struct ssh *ssh)
3650	{
3651	int id = channel_parse_id(ssh, __func__, "status confirm");
3652	Channel *c;
3653	struct channel_confirm *cc;
3654
3655	/* Reset keepalive timeout */
3656	ssh_packet_set_alive_timeouts(ssh, 0);
3657
3658	debug2_f("type %d id %d", type, id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3658 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "type %d id %d", type, id);
3659
3660	if ((c = channel_lookup(ssh, id)) == NULL((void *)0)) {
3661	logit_f("%d: unknown", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3661 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: unknown", id);
3662	return 0;
3663	}
3664	if (channel_proxy_upstream(c, type, seq, ssh))
3665	return 0;
3666	if (sshpkt_get_end(ssh) != 0)
3667	ssh_packet_disconnect(ssh, "Invalid status confirm message");
3668	if ((cc = TAILQ_FIRST(&c->status_confirms)((&c->status_confirms)->tqh_first)) == NULL((void *)0))
3669	return 0;
3670	cc->cb(ssh, type, c, cc->ctx);
3671	TAILQ_REMOVE(&c->status_confirms, cc, entry)do { if (((cc)->entry.tqe_next) != ((void )0)) (cc)->entry .tqe_next->entry.tqe_prev = (cc)->entry.tqe_prev; else ( &c->status_confirms)->tqh_last = (cc)->entry.tqe_prev ; (cc)->entry.tqe_prev = (cc)->entry.tqe_next; ; ; } while (0);
3672	freezero(cc, sizeof(*cc));
3673	return 0;
3674	}
3675
3676	/* -- tcp forwarding */
3677
3678	void
3679	channel_set_af(struct ssh *ssh, int af)
3680	{
3681	ssh->chanctxt->IPv4or6 = af;
3682	}
3683
3684
3685	/*
3686	* Determine whether or not a port forward listens to loopback, the
3687	* specified address or wildcard. On the client, a specified bind
3688	* address will always override gateway_ports. On the server, a
3689	* gateway_ports of 1 (``yes'') will override the client's specification
3690	* and force a wildcard bind, whereas a value of 2 (``clientspecified'')
3691	* will bind to whatever address the client asked for.
3692	*
3693	* Special-case listen_addrs are:
3694	*
3695	* "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
3696	* "" (empty string), "*" -> wildcard v4/v6
3697	* "localhost" -> loopback v4/v6
3698	* "127.0.0.1" / "::1" -> accepted even if gateway_ports isn't set
3699	*/
3700	static const char *
3701	channel_fwd_bind_addr(struct ssh ssh, const char listen_addr, int *wildcardp,
3702	int is_client, struct ForwardOptions *fwd_opts)
3703	{
3704	const char addr = NULL((void )0);
3705	int wildcard = 0;
3706
3707	if (listen_addr == NULL((void *)0)) {
3708	/* No address specified: default to gateway_ports setting */
3709	if (fwd_opts->gateway_ports)
3710	wildcard = 1;
3711	} else if (fwd_opts->gateway_ports \|\| is_client) {
3712	if (((ssh->compat & SSH_OLD_FORWARD_ADDR0x01000000) &&
3713	strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) \|\|
3714	listen_addr == '\0' \|\| strcmp(listen_addr, "") == 0 \|\|
3715	(!is_client && fwd_opts->gateway_ports == 1)) {
3716	wildcard = 1;
3717	/*
3718	* Notify client if they requested a specific listen
3719	* address and it was overridden.
3720	*/
3721	if (*listen_addr != '\0' &&
3722	strcmp(listen_addr, "0.0.0.0") != 0 &&
3723	strcmp(listen_addr, "*") != 0) {
3724	ssh_packet_send_debug(ssh,
3725	"Forwarding listen address "
3726	"\"%s\" overridden by server "
3727	"GatewayPorts", listen_addr);
3728	}
3729	} else if (strcmp(listen_addr, "localhost") != 0 \|\|
3730	strcmp(listen_addr, "127.0.0.1") == 0 \|\|
3731	strcmp(listen_addr, "::1") == 0) {
3732	/*
3733	* Accept explicit localhost address when
3734	* GatewayPorts=yes. The "localhost" hostname is
3735	* deliberately skipped here so it will listen on all
3736	* available local address families.
3737	*/
3738	addr = listen_addr;
3739	}
3740	} else if (strcmp(listen_addr, "127.0.0.1") == 0 \|\|
3741	strcmp(listen_addr, "::1") == 0) {
3742	/*
3743	* If a specific IPv4/IPv6 localhost address has been
3744	* requested then accept it even if gateway_ports is in
3745	* effect. This allows the client to prefer IPv4 or IPv6.
3746	*/
3747	addr = listen_addr;
3748	}
3749	if (wildcardp != NULL((void *)0))
3750	*wildcardp = wildcard;
3751	return addr;
3752	}
3753
3754	static int
3755	channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
3756	struct Forward fwd, int allocated_listen_port,
3757	struct ForwardOptions *fwd_opts)
3758	{
3759	Channel *c;
3760	int sock, r, success = 0, wildcard = 0, is_client;
3761	struct addrinfo hints, ai, aitop;
3762	const char host, addr;
3763	char ntop[NI_MAXHOST256], strport[NI_MAXSERV32];
3764	in_port_t *lport_p;
3765
3766	is_client = (type == SSH_CHANNEL_PORT_LISTENER2);
3767
3768	if (is_client && fwd->connect_path != NULL((void *)0)) {
3769	host = fwd->connect_path;
3770	} else {
3771	host = (type == SSH_CHANNEL_RPORT_LISTENER11) ?
3772	fwd->listen_host : fwd->connect_host;
3773	if (host == NULL((void *)0)) {
3774	error("No forward host name.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3774 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "No forward host name." );
3775	return 0;
3776	}
3777	if (strlen(host) >= NI_MAXHOST256) {
3778	error("Forward host name too long.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3778 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Forward host name too long." );
3779	return 0;
3780	}
3781	}
3782
3783	/* Determine the bind address, cf. channel_fwd_bind_addr() comment */
3784	addr = channel_fwd_bind_addr(ssh, fwd->listen_host, &wildcard,
3785	is_client, fwd_opts);
3786	debug3_f("type %d wildcard %d addr %s", type, wildcard,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3787 , 1, SYSLOG_LEVEL_DEBUG3, ((void )0), "type %d wildcard %d addr %s" , type, wildcard, (addr == ((void )0)) ? "NULL" : addr)
3787	(addr == NULL) ? "NULL" : addr)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3787 , 1, SYSLOG_LEVEL_DEBUG3, ((void )0), "type %d wildcard %d addr %s" , type, wildcard, (addr == ((void )0)) ? "NULL" : addr);
3788
3789	/*
3790	* getaddrinfo returns a loopback address if the hostname is
3791	* set to NULL and hints.ai_flags is not AI_PASSIVE
3792	*/
3793	memset(&hints, 0, sizeof(hints));
3794	hints.ai_family = ssh->chanctxt->IPv4or6;
3795	hints.ai_flags = wildcard ? AI_PASSIVE1 : 0;
3796	hints.ai_socktype = SOCK_STREAM1;
3797	snprintf(strport, sizeof strport, "%d", fwd->listen_port);
3798	if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) {
3799	if (addr == NULL((void *)0)) {
3800	/* This really shouldn't happen */
3801	ssh_packet_disconnect(ssh, "getaddrinfo: fatal error: %s",
3802	ssh_gai_strerror(r));
3803	} else {
3804	error_f("getaddrinfo(%.64s): %s", addr,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3805 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "getaddrinfo(%.64s): %s" , addr, ssh_gai_strerror(r))
3805	ssh_gai_strerror(r))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3805 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "getaddrinfo(%.64s): %s" , addr, ssh_gai_strerror(r));
3806	}
3807	return 0;
3808	}
3809	if (allocated_listen_port != NULL((void *)0))
3810	*allocated_listen_port = 0;
3811	for (ai = aitop; ai; ai = ai->ai_next) {
3812	switch (ai->ai_family) {
3813	case AF_INET2:
3814	lport_p = &((struct sockaddr_in *)ai->ai_addr)->
3815	sin_port;
3816	break;
3817	case AF_INET624:
3818	lport_p = &((struct sockaddr_in6 *)ai->ai_addr)->
3819	sin6_port;
3820	break;
3821	default:
3822	continue;
3823	}
3824	/*
3825	* If allocating a port for -R forwards, then use the
3826	* same port for all address families.
3827	*/
3828	if (type == SSH_CHANNEL_RPORT_LISTENER11 &&
3829	fwd->listen_port == 0 && allocated_listen_port != NULL((void *)0) &&
3830	*allocated_listen_port > 0)
3831	lport_p = htons(allocated_listen_port)(__uint16_t)(__builtin_constant_p(allocated_listen_port) ? ( __uint16_t)(((__uint16_t)(allocated_listen_port) & 0xffU ) << 8 \| ((__uint16_t)(allocated_listen_port) & 0xff00U ) >> 8) : __swap16md(allocated_listen_port));
3832
3833	if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
3834	strport, sizeof(strport),
3835	NI_NUMERICHOST1\|NI_NUMERICSERV2) != 0) {
3836	error_f("getnameinfo failed")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3836 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "getnameinfo failed");
3837	continue;
3838	}
3839	/* Create a port to listen for the host. */
3840	sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
3841	if (sock == -1) {
3842	/* this is no error since kernel may not support ipv6 */
3843	verbose("socket [%s]:%s: %.100s", ntop, strport,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3844 , 0, SYSLOG_LEVEL_VERBOSE, ((void )0), "socket [%s]:%s: %.100s" , ntop, strport, strerror((__errno())))
3844	strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3844 , 0, SYSLOG_LEVEL_VERBOSE, ((void )0), "socket [%s]:%s: %.100s" , ntop, strport, strerror((__errno())));
3845	continue;
3846	}
3847
3848	set_reuseaddr(sock);
3849
3850	debug("Local forwarding listening on %s port %s.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3851 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Local forwarding listening on %s port %s." , ntop, strport)
3851	ntop, strport)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3851 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Local forwarding listening on %s port %s." , ntop, strport);
3852
3853	/* Bind the socket to the address. */
3854	if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
3855	/*
3856	* address can be in if use ipv6 address is
3857	* already bound
3858	*/
3859	verbose("bind [%s]:%s: %.100s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3860 , 0, SYSLOG_LEVEL_VERBOSE, ((void )0), "bind [%s]:%s: %.100s" , ntop, strport, strerror((__errno())))
3860	ntop, strport, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3860 , 0, SYSLOG_LEVEL_VERBOSE, ((void )0), "bind [%s]:%s: %.100s" , ntop, strport, strerror((__errno())));
3861	close(sock);
3862	continue;
3863	}
3864	/* Start listening for connections on the socket. */
3865	if (listen(sock, SSH_LISTEN_BACKLOG128) == -1) {
3866	error("listen [%s]:%s: %.100s", ntop, strport,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3867 , 0, SYSLOG_LEVEL_ERROR, ((void )0), "listen [%s]:%s: %.100s" , ntop, strport, strerror((__errno())))
3867	strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3867 , 0, SYSLOG_LEVEL_ERROR, ((void )0), "listen [%s]:%s: %.100s" , ntop, strport, strerror((__errno())));
3868	close(sock);
3869	continue;
3870	}
3871
3872	/*
3873	* fwd->listen_port == 0 requests a dynamically allocated port -
3874	* record what we got.
3875	*/
3876	if (type == SSH_CHANNEL_RPORT_LISTENER11 &&
3877	fwd->listen_port == 0 &&
3878	allocated_listen_port != NULL((void *)0) &&
3879	*allocated_listen_port == 0) {
3880	*allocated_listen_port = get_local_port(sock);
3881	debug("Allocated listen port %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3882 , 0, SYSLOG_LEVEL_DEBUG1, ((void )0), "Allocated listen port %d" , allocated_listen_port)
3882	allocated_listen_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3882 , 0, SYSLOG_LEVEL_DEBUG1, ((void )0), "Allocated listen port %d" , *allocated_listen_port);
3883	}
3884
3885	/* Allocate a channel number for the socket. */
3886	c = channel_new(ssh, "port-listener", type, sock, sock, -1,
3887	CHAN_TCP_WINDOW_DEFAULT(64(321024)), CHAN_TCP_PACKET_DEFAULT(32*1024),
3888	0, "port listener", 1);
3889	c->path = xstrdup(host);
3890	c->host_port = fwd->connect_port;
3891	c->listening_addr = addr == NULL((void )0) ? NULL((void )0) : xstrdup(addr);
3892	if (fwd->listen_port == 0 && allocated_listen_port != NULL((void *)0) &&
3893	!(ssh->compat & SSH_BUG_DYNAMIC_RPORT0x08000000))
3894	c->listening_port = *allocated_listen_port;
3895	else
3896	c->listening_port = fwd->listen_port;
3897	success = 1;
3898	}
3899	if (success == 0)
3900	error_f("cannot listen to port: %d", fwd->listen_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3900 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "cannot listen to port: %d" , fwd->listen_port);
3901	freeaddrinfo(aitop);
3902	return success;
3903	}
3904
3905	static int
3906	channel_setup_fwd_listener_streamlocal(struct ssh *ssh, int type,
3907	struct Forward fwd, struct ForwardOptions fwd_opts)
3908	{
3909	struct sockaddr_un sunaddr;
3910	const char *path;
3911	Channel *c;
3912	int port, sock;
3913	mode_t omask;
3914
3915	switch (type) {
3916	case SSH_CHANNEL_UNIX_LISTENER18:
3917	if (fwd->connect_path != NULL((void *)0)) {
3918	if (strlen(fwd->connect_path) > sizeof(sunaddr.sun_path)) {
3919	error("Local connecting path too long: %s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3920 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Local connecting path too long: %s" , fwd->connect_path)
3920	fwd->connect_path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3920 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Local connecting path too long: %s" , fwd->connect_path);
3921	return 0;
3922	}
3923	path = fwd->connect_path;
3924	port = PORT_STREAMLOCAL-2;
3925	} else {
3926	if (fwd->connect_host == NULL((void *)0)) {
3927	error("No forward host name.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3927 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "No forward host name." );
3928	return 0;
3929	}
3930	if (strlen(fwd->connect_host) >= NI_MAXHOST256) {
3931	error("Forward host name too long.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3931 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Forward host name too long." );
3932	return 0;
3933	}
3934	path = fwd->connect_host;
3935	port = fwd->connect_port;
3936	}
3937	break;
3938	case SSH_CHANNEL_RUNIX_LISTENER19:
3939	path = fwd->listen_path;
3940	port = PORT_STREAMLOCAL-2;
3941	break;
3942	default:
3943	error_f("unexpected channel type %d", type)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3943 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "unexpected channel type %d" , type);
3944	return 0;
3945	}
3946
3947	if (fwd->listen_path == NULL((void *)0)) {
3948	error("No forward path name.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3948 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "No forward path name." );
3949	return 0;
3950	}
3951	if (strlen(fwd->listen_path) > sizeof(sunaddr.sun_path)) {
3952	error("Local listening path too long: %s", fwd->listen_path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3952 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Local listening path too long: %s" , fwd->listen_path);
3953	return 0;
3954	}
3955
3956	debug3_f("type %d path %s", type, fwd->listen_path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3956 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "type %d path %s", type , fwd->listen_path);
3957
3958	/* Start a Unix domain listener. */
3959	omask = umask(fwd_opts->streamlocal_bind_mask);
3960	sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG128,
3961	fwd_opts->streamlocal_bind_unlink);
3962	umask(omask);
3963	if (sock < 0)
3964	return 0;
3965
3966	debug("Local forwarding listening on path %s.", fwd->listen_path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3966 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Local forwarding listening on path %s." , fwd->listen_path);
3967
3968	/* Allocate a channel number for the socket. */
3969	c = channel_new(ssh, "unix-listener", type, sock, sock, -1,
3970	CHAN_TCP_WINDOW_DEFAULT(64(321024)), CHAN_TCP_PACKET_DEFAULT(32*1024),
3971	0, "unix listener", 1);
3972	c->path = xstrdup(path);
3973	c->host_port = port;
3974	c->listening_port = PORT_STREAMLOCAL-2;
3975	c->listening_addr = xstrdup(fwd->listen_path);
3976	return 1;
3977	}
3978
3979	static int
3980	channel_cancel_rport_listener_tcpip(struct ssh *ssh,
3981	const char *host, u_short port)
3982	{
3983	u_int i;
3984	int found = 0;
3985
3986	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3987	Channel *c = ssh->chanctxt->channels[i];
3988	if (c == NULL((void *)0) \|\| c->type != SSH_CHANNEL_RPORT_LISTENER11)
3989	continue;
3990	if (strcmp(c->path, host) == 0 && c->listening_port == port) {
3991	debug2_f("close channel %d", i)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3991 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "close channel %d", i);
3992	channel_free(ssh, c);
3993	found = 1;
3994	}
3995	}
3996
3997	return found;
3998	}
3999
4000	static int
4001	channel_cancel_rport_listener_streamlocal(struct ssh ssh, const char path)
4002	{
4003	u_int i;
4004	int found = 0;
4005
4006	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
4007	Channel *c = ssh->chanctxt->channels[i];
4008	if (c == NULL((void *)0) \|\| c->type != SSH_CHANNEL_RUNIX_LISTENER19)
4009	continue;
4010	if (c->path == NULL((void *)0))
4011	continue;
4012	if (strcmp(c->path, path) == 0) {
4013	debug2_f("close channel %d", i)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4013 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "close channel %d", i);
4014	channel_free(ssh, c);
4015	found = 1;
4016	}
4017	}
4018
4019	return found;
4020	}
4021
4022	int
4023	channel_cancel_rport_listener(struct ssh ssh, struct Forward fwd)
4024	{
4025	if (fwd->listen_path != NULL((void *)0)) {
4026	return channel_cancel_rport_listener_streamlocal(ssh,
4027	fwd->listen_path);
4028	} else {
4029	return channel_cancel_rport_listener_tcpip(ssh,
4030	fwd->listen_host, fwd->listen_port);
4031	}
4032	}
4033
4034	static int
4035	channel_cancel_lport_listener_tcpip(struct ssh *ssh,
4036	const char *lhost, u_short lport, int cport,
4037	struct ForwardOptions *fwd_opts)
4038	{
4039	u_int i;
4040	int found = 0;
4041	const char addr = channel_fwd_bind_addr(ssh, lhost, NULL((void )0), 1, fwd_opts);
4042
4043	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
4044	Channel *c = ssh->chanctxt->channels[i];
4045	if (c == NULL((void *)0) \|\| c->type != SSH_CHANNEL_PORT_LISTENER2)
4046	continue;
4047	if (c->listening_port != lport)
4048	continue;
4049	if (cport == CHANNEL_CANCEL_PORT_STATIC-1) {
4050	/* skip dynamic forwardings */
4051	if (c->host_port == 0)
4052	continue;
4053	} else {
4054	if (c->host_port != cport)
4055	continue;
4056	}
4057	if ((c->listening_addr == NULL((void )0) && addr != NULL((void )0)) \|\|
4058	(c->listening_addr != NULL((void )0) && addr == NULL((void )0)))
4059	continue;
4060	if (addr == NULL((void *)0) \|\| strcmp(c->listening_addr, addr) == 0) {
4061	debug2_f("close channel %d", i)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4061 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "close channel %d", i);
4062	channel_free(ssh, c);
4063	found = 1;
4064	}
4065	}
4066
4067	return found;
4068	}
4069
4070	static int
4071	channel_cancel_lport_listener_streamlocal(struct ssh ssh, const char path)
4072	{
4073	u_int i;
4074	int found = 0;
4075
4076	if (path == NULL((void *)0)) {
4077	error_f("no path specified.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4077 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "no path specified.");
4078	return 0;
4079	}
4080
4081	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
4082	Channel *c = ssh->chanctxt->channels[i];
4083	if (c == NULL((void *)0) \|\| c->type != SSH_CHANNEL_UNIX_LISTENER18)
4084	continue;
4085	if (c->listening_addr == NULL((void *)0))
4086	continue;
4087	if (strcmp(c->listening_addr, path) == 0) {
4088	debug2_f("close channel %d", i)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4088 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "close channel %d", i);
4089	channel_free(ssh, c);
4090	found = 1;
4091	}
4092	}
4093
4094	return found;
4095	}
4096
4097	int
4098	channel_cancel_lport_listener(struct ssh *ssh,
4099	struct Forward fwd, int cport, struct ForwardOptions fwd_opts)
4100	{
4101	if (fwd->listen_path != NULL((void *)0)) {
4102	return channel_cancel_lport_listener_streamlocal(ssh,
4103	fwd->listen_path);
4104	} else {
4105	return channel_cancel_lport_listener_tcpip(ssh,
4106	fwd->listen_host, fwd->listen_port, cport, fwd_opts);
4107	}
4108	}
4109
4110	/* protocol local port fwd, used by ssh */
4111	int
4112	channel_setup_local_fwd_listener(struct ssh *ssh,
4113	struct Forward fwd, struct ForwardOptions fwd_opts)
4114	{
4115	if (fwd->listen_path != NULL((void *)0)) {
4116	return channel_setup_fwd_listener_streamlocal(ssh,
4117	SSH_CHANNEL_UNIX_LISTENER18, fwd, fwd_opts);
4118	} else {
4119	return channel_setup_fwd_listener_tcpip(ssh,
4120	SSH_CHANNEL_PORT_LISTENER2, fwd, NULL((void *)0), fwd_opts);
4121	}
4122	}
4123
4124	/* Matches a remote forwarding permission against a requested forwarding */
4125	static int
4126	remote_open_match(struct permission allowed_open, struct Forward fwd)
4127	{
4128	int ret;
4129	char *lhost;
4130
4131	/* XXX add ACLs for streamlocal */
4132	if (fwd->listen_path != NULL((void *)0))
4133	return 1;
4134
4135	if (fwd->listen_host == NULL((void )0) \|\| allowed_open->listen_host == NULL((void )0))
4136	return 0;
4137
4138	if (allowed_open->listen_port != FWD_PERMIT_ANY_PORT0 &&
4139	allowed_open->listen_port != fwd->listen_port)
4140	return 0;
4141
4142	/* Match hostnames case-insensitively */
4143	lhost = xstrdup(fwd->listen_host);
4144	lowercase(lhost);
4145	ret = match_pattern(lhost, allowed_open->listen_host);
4146	free(lhost);
4147
4148	return ret;
4149	}
4150
4151	/* Checks whether a requested remote forwarding is permitted */
4152	static int
4153	check_rfwd_permission(struct ssh ssh, struct Forward fwd)
4154	{
4155	struct ssh_channels *sc = ssh->chanctxt;
4156	struct permission_set *pset = &sc->remote_perms;
4157	u_int i, permit, permit_adm = 1;
4158	struct permission *perm;
4159
4160	/* XXX apply GatewayPorts override before checking? */
4161
4162	permit = pset->all_permitted;
4163	if (!permit) {
4164	for (i = 0; i < pset->num_permitted_user; i++) {
4165	perm = &pset->permitted_user[i];
4166	if (remote_open_match(perm, fwd)) {
4167	permit = 1;
4168	break;
4169	}
4170	}
4171	}
4172
4173	if (pset->num_permitted_admin > 0) {
4174	permit_adm = 0;
4175	for (i = 0; i < pset->num_permitted_admin; i++) {
4176	perm = &pset->permitted_admin[i];
4177	if (remote_open_match(perm, fwd)) {
4178	permit_adm = 1;
4179	break;
4180	}
4181	}
4182	}
4183
4184	return permit && permit_adm;
4185	}
4186
4187	/* protocol v2 remote port fwd, used by sshd */
4188	int
4189	channel_setup_remote_fwd_listener(struct ssh ssh, struct Forward fwd,
4190	int allocated_listen_port, struct ForwardOptions fwd_opts)
4191	{
4192	if (!check_rfwd_permission(ssh, fwd)) {
4193	ssh_packet_send_debug(ssh, "port forwarding refused");
4194	if (fwd->listen_path != NULL((void *)0))
4195	/* XXX always allowed, see remote_open_match() */
4196	logit("Received request from %.100s port %d to "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4200 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to path \"%.100s\", " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_path )
4197	"remote forward to path \"%.100s\", "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4200 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to path \"%.100s\", " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_path )
4198	"but the request was denied.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4200 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to path \"%.100s\", " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_path )
4199	ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4200 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to path \"%.100s\", " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_path )
4200	fwd->listen_path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4200 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to path \"%.100s\", " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_path );
4201	else if(fwd->listen_host != NULL((void *)0))
4202	logit("Received request from %.100s port %d to "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4206 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to host %.100s port %d, " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_host , fwd->listen_port)
4203	"remote forward to host %.100s port %d, "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4206 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to host %.100s port %d, " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_host , fwd->listen_port)
4204	"but the request was denied.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4206 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to host %.100s port %d, " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_host , fwd->listen_port)
4205	ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4206 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to host %.100s port %d, " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_host , fwd->listen_port)
4206	fwd->listen_host, fwd->listen_port )sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4206 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to host %.100s port %d, " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_host , fwd->listen_port);
4207	else
4208	logit("Received request from %.100s port %d to remote "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4210 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to remote " "forward, but the request was denied.", ssh_remote_ipaddr(ssh ), ssh_remote_port(ssh))
4209	"forward, but the request was denied.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4210 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to remote " "forward, but the request was denied.", ssh_remote_ipaddr(ssh ), ssh_remote_port(ssh))
4210	ssh_remote_ipaddr(ssh), ssh_remote_port(ssh))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4210 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to remote " "forward, but the request was denied.", ssh_remote_ipaddr(ssh ), ssh_remote_port(ssh));
4211	return 0;
4212	}
4213	if (fwd->listen_path != NULL((void *)0)) {
4214	return channel_setup_fwd_listener_streamlocal(ssh,
4215	SSH_CHANNEL_RUNIX_LISTENER19, fwd, fwd_opts);
4216	} else {
4217	return channel_setup_fwd_listener_tcpip(ssh,
4218	SSH_CHANNEL_RPORT_LISTENER11, fwd, allocated_listen_port,
4219	fwd_opts);
4220	}
4221	}
4222
4223	/*
4224	* Translate the requested rfwd listen host to something usable for
4225	* this server.
4226	*/
4227	static const char *
4228	channel_rfwd_bind_host(const char *listen_host)
4229	{
4230	if (listen_host == NULL((void *)0)) {
4231	return "localhost";
4232	} else if (listen_host == '\0' \|\| strcmp(listen_host, "") == 0) {
4233	return "";
4234	} else
4235	return listen_host;
4236	}
4237
4238	/*
4239	* Initiate forwarding of connections to port "port" on remote host through
4240	* the secure channel to host:port from local side.
4241	* Returns handle (index) for updating the dynamic listen port with
4242	* channel_update_permission().
4243	*/
4244	int
4245	channel_request_remote_forwarding(struct ssh ssh, struct Forward fwd)
4246	{
4247	int r, success = 0, idx = -1;
4248	const char host_to_connect, listen_host, *listen_path;
4249	int port_to_connect, listen_port;
4250
4251	/* Send the forward request to the remote side. */
4252	if (fwd->listen_path != NULL((void *)0)) {
4253	if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 \|\|
4254	(r = sshpkt_put_cstring(ssh,
4255	"streamlocal-forward@openssh.com")) != 0 \|\|
4256	(r = sshpkt_put_u8(ssh, 1)) != 0 \|\| /* want reply */
4257	(r = sshpkt_put_cstring(ssh, fwd->listen_path)) != 0 \|\|
4258	(r = sshpkt_send(ssh)) != 0 \|\|
4259	(r = ssh_packet_write_wait(ssh)) != 0)
4260	fatal_fr(r, "request streamlocal")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4260 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "request streamlocal");
4261	} else {
4262	if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 \|\|
4263	(r = sshpkt_put_cstring(ssh, "tcpip-forward")) != 0 \|\|
4264	(r = sshpkt_put_u8(ssh, 1)) != 0 \|\| /* want reply */
4265	(r = sshpkt_put_cstring(ssh,
4266	channel_rfwd_bind_host(fwd->listen_host))) != 0 \|\|
4267	(r = sshpkt_put_u32(ssh, fwd->listen_port)) != 0 \|\|
4268	(r = sshpkt_send(ssh)) != 0 \|\|
4269	(r = ssh_packet_write_wait(ssh)) != 0)
4270	fatal_fr(r, "request tcpip-forward")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4270 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "request tcpip-forward");
4271	}
4272	/* Assume that server accepts the request */
4273	success = 1;
4274	if (success) {
4275	/* Record that connection to this host/port is permitted. */
4276	host_to_connect = listen_host = listen_path = NULL((void *)0);
4277	port_to_connect = listen_port = 0;
	Although the value stored to 'listen_port' is used in the enclosing expression, the value is never actually read from 'listen_port'
4278	if (fwd->connect_path != NULL((void *)0)) {
4279	host_to_connect = fwd->connect_path;
4280	port_to_connect = PORT_STREAMLOCAL-2;
4281	} else {
4282	host_to_connect = fwd->connect_host;
4283	port_to_connect = fwd->connect_port;
4284	}
4285	if (fwd->listen_path != NULL((void *)0)) {
4286	listen_path = fwd->listen_path;
4287	listen_port = PORT_STREAMLOCAL-2;
4288	} else {
4289	listen_host = fwd->listen_host;
4290	listen_port = fwd->listen_port;
4291	}
4292	idx = permission_set_add(ssh, FORWARD_USER0x101, FORWARD_LOCAL(1<<1),
4293	host_to_connect, port_to_connect,
4294	listen_host, listen_path, listen_port, NULL((void *)0));
4295	}
4296	return idx;
4297	}
4298
4299	static int
4300	open_match(struct permission allowed_open, const char requestedhost,
4301	int requestedport)
4302	{
4303	if (allowed_open->host_to_connect == NULL((void *)0))
4304	return 0;
4305	if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT0 &&
4306	allowed_open->port_to_connect != requestedport)
4307	return 0;
4308	if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST"*") != 0 &&
4309	strcmp(allowed_open->host_to_connect, requestedhost) != 0)
4310	return 0;
4311	return 1;
4312	}
4313
4314	/*
4315	* Note that in the listen host/port case
4316	* we don't support FWD_PERMIT_ANY_PORT and
4317	* need to translate between the configured-host (listen_host)
4318	* and what we've sent to the remote server (channel_rfwd_bind_host)
4319	*/
4320	static int
4321	open_listen_match_tcpip(struct permission *allowed_open,
4322	const char *requestedhost, u_short requestedport, int translate)
4323	{
4324	const char *allowed_host;
4325
4326	if (allowed_open->host_to_connect == NULL((void *)0))
4327	return 0;
4328	if (allowed_open->listen_port != requestedport)
4329	return 0;
4330	if (!translate && allowed_open->listen_host == NULL((void *)0) &&
4331	requestedhost == NULL((void *)0))
4332	return 1;
4333	allowed_host = translate ?
4334	channel_rfwd_bind_host(allowed_open->listen_host) :
4335	allowed_open->listen_host;
4336	if (allowed_host == NULL((void )0) \|\| requestedhost == NULL((void )0) \|\|
4337	strcmp(allowed_host, requestedhost) != 0)
4338	return 0;
4339	return 1;
4340	}
4341
4342	static int
4343	open_listen_match_streamlocal(struct permission *allowed_open,
4344	const char *requestedpath)
4345	{
4346	if (allowed_open->host_to_connect == NULL((void *)0))
4347	return 0;
4348	if (allowed_open->listen_port != PORT_STREAMLOCAL-2)
4349	return 0;
4350	if (allowed_open->listen_path == NULL((void *)0) \|\|
4351	strcmp(allowed_open->listen_path, requestedpath) != 0)
4352	return 0;
4353	return 1;
4354	}
4355
4356	/*
4357	* Request cancellation of remote forwarding of connection host:port from
4358	* local side.
4359	*/
4360	static int
4361	channel_request_rforward_cancel_tcpip(struct ssh *ssh,
4362	const char *host, u_short port)
4363	{
4364	struct ssh_channels *sc = ssh->chanctxt;
4365	struct permission_set *pset = &sc->local_perms;
4366	int r;
4367	u_int i;
4368	struct permission perm = NULL((void )0);
4369
4370	for (i = 0; i < pset->num_permitted_user; i++) {
4371	perm = &pset->permitted_user[i];
4372	if (open_listen_match_tcpip(perm, host, port, 0))
4373	break;
4374	perm = NULL((void *)0);
4375	}
4376	if (perm == NULL((void *)0)) {
4377	debug_f("requested forward not found")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4377 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "requested forward not found" );
4378	return -1;
4379	}
4380	if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 \|\|
4381	(r = sshpkt_put_cstring(ssh, "cancel-tcpip-forward")) != 0 \|\|
4382	(r = sshpkt_put_u8(ssh, 0)) != 0 \|\| /* want reply */
4383	(r = sshpkt_put_cstring(ssh, channel_rfwd_bind_host(host))) != 0 \|\|
4384	(r = sshpkt_put_u32(ssh, port)) != 0 \|\|
4385	(r = sshpkt_send(ssh)) != 0)
4386	fatal_fr(r, "send cancel")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4386 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "send cancel");
4387
4388	fwd_perm_clear(perm); /* unregister */
4389
4390	return 0;
4391	}
4392
4393	/*
4394	* Request cancellation of remote forwarding of Unix domain socket
4395	* path from local side.
4396	*/
4397	static int
4398	channel_request_rforward_cancel_streamlocal(struct ssh ssh, const char path)
4399	{
4400	struct ssh_channels *sc = ssh->chanctxt;
4401	struct permission_set *pset = &sc->local_perms;
4402	int r;
4403	u_int i;
4404	struct permission perm = NULL((void )0);
4405
4406	for (i = 0; i < pset->num_permitted_user; i++) {
4407	perm = &pset->permitted_user[i];
4408	if (open_listen_match_streamlocal(perm, path))
4409	break;
4410	perm = NULL((void *)0);
4411	}
4412	if (perm == NULL((void *)0)) {
4413	debug_f("requested forward not found")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4413 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "requested forward not found" );
4414	return -1;
4415	}
4416	if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 \|\|
4417	(r = sshpkt_put_cstring(ssh,
4418	"cancel-streamlocal-forward@openssh.com")) != 0 \|\|
4419	(r = sshpkt_put_u8(ssh, 0)) != 0 \|\| /* want reply */
4420	(r = sshpkt_put_cstring(ssh, path)) != 0 \|\|
4421	(r = sshpkt_send(ssh)) != 0)
4422	fatal_fr(r, "send cancel")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4422 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "send cancel");
4423
4424	fwd_perm_clear(perm); /* unregister */
4425
4426	return 0;
4427	}
4428
4429	/*
4430	* Request cancellation of remote forwarding of a connection from local side.
4431	*/
4432	int
4433	channel_request_rforward_cancel(struct ssh ssh, struct Forward fwd)
4434	{
4435	if (fwd->listen_path != NULL((void *)0)) {
4436	return channel_request_rforward_cancel_streamlocal(ssh,
4437	fwd->listen_path);
4438	} else {
4439	return channel_request_rforward_cancel_tcpip(ssh,
4440	fwd->listen_host,
4441	fwd->listen_port ? fwd->listen_port : fwd->allocated_port);
4442	}
4443	}
4444
4445	/*
4446	* Permits opening to any host/port if permitted_user[] is empty. This is
4447	* usually called by the server, because the user could connect to any port
4448	* anyway, and the server has no way to know but to trust the client anyway.
4449	*/
4450	void
4451	channel_permit_all(struct ssh *ssh, int where)
4452	{
4453	struct permission_set *pset = permission_set_get(ssh, where);
4454
4455	if (pset->num_permitted_user == 0)
4456	pset->all_permitted = 1;
4457	}
4458
4459	/*
4460	* Permit the specified host/port for forwarding.
4461	*/
4462	void
4463	channel_add_permission(struct ssh *ssh, int who, int where,
4464	char *host, int port)
4465	{
4466	int local = where == FORWARD_LOCAL(1<<1);
4467	struct permission_set *pset = permission_set_get(ssh, where);
4468
4469	debug("allow %s forwarding to host %s port %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4470 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "allow %s forwarding to host %s port %d" , fwd_ident(who, where), host, port)
4470	fwd_ident(who, where), host, port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4470 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "allow %s forwarding to host %s port %d" , fwd_ident(who, where), host, port);
4471	/*
4472	* Remote forwards set listen_host/port, local forwards set
4473	* host/port_to_connect.
4474	*/
4475	permission_set_add(ssh, who, where,
4476	local ? host : 0, local ? port : 0,
4477	local ? NULL((void )0) : host, NULL((void )0), local ? 0 : port, NULL((void *)0));
4478	pset->all_permitted = 0;
4479	}
4480
4481	/*
4482	* Administratively disable forwarding.
4483	*/
4484	void
4485	channel_disable_admin(struct ssh *ssh, int where)
4486	{
4487	channel_clear_permission(ssh, FORWARD_ADM0x100, where);
4488	permission_set_add(ssh, FORWARD_ADM0x100, where,
4489	NULL((void )0), 0, NULL((void )0), NULL((void )0), 0, NULL((void )0));
4490	}
4491
4492	/*
4493	* Clear a list of permitted opens.
4494	*/
4495	void
4496	channel_clear_permission(struct ssh *ssh, int who, int where)
4497	{
4498	struct permission **permp;
4499	u_int *npermp;
4500
4501	permission_set_get_array(ssh, who, where, &permp, &npermp);
4502	permp = xrecallocarray(permp, npermp, 0, sizeof(*permp));
4503	*npermp = 0;
4504	}
4505
4506	/*
4507	* Update the listen port for a dynamic remote forward, after
4508	* the actual 'newport' has been allocated. If 'newport' < 0 is
4509	* passed then they entry will be invalidated.
4510	*/
4511	void
4512	channel_update_permission(struct ssh *ssh, int idx, int newport)
4513	{
4514	struct permission_set *pset = &ssh->chanctxt->local_perms;
4515
4516	if (idx < 0 \|\| (u_int)idx >= pset->num_permitted_user) {
4517	debug_f("index out of range: %d num_permitted_user %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4518 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "index out of range: %d num_permitted_user %d" , idx, pset->num_permitted_user)
4518	idx, pset->num_permitted_user)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4518 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "index out of range: %d num_permitted_user %d" , idx, pset->num_permitted_user);
4519	return;
4520	}
4521	debug("%s allowed port %d for forwarding to host %s port %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4525 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s allowed port %d for forwarding to host %s port %d" , newport > 0 ? "Updating" : "Removing", newport, pset-> permitted_user[idx].host_to_connect, pset->permitted_user[ idx].port_to_connect)
4522	newport > 0 ? "Updating" : "Removing",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4525 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s allowed port %d for forwarding to host %s port %d" , newport > 0 ? "Updating" : "Removing", newport, pset-> permitted_user[idx].host_to_connect, pset->permitted_user[ idx].port_to_connect)
4523	newport,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4525 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s allowed port %d for forwarding to host %s port %d" , newport > 0 ? "Updating" : "Removing", newport, pset-> permitted_user[idx].host_to_connect, pset->permitted_user[ idx].port_to_connect)
4524	pset->permitted_user[idx].host_to_connect,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4525 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s allowed port %d for forwarding to host %s port %d" , newport > 0 ? "Updating" : "Removing", newport, pset-> permitted_user[idx].host_to_connect, pset->permitted_user[ idx].port_to_connect)
4525	pset->permitted_user[idx].port_to_connect)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4525 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s allowed port %d for forwarding to host %s port %d" , newport > 0 ? "Updating" : "Removing", newport, pset-> permitted_user[idx].host_to_connect, pset->permitted_user[ idx].port_to_connect);
4526	if (newport <= 0)
4527	fwd_perm_clear(&pset->permitted_user[idx]);
4528	else {
4529	pset->permitted_user[idx].listen_port =
4530	(ssh->compat & SSH_BUG_DYNAMIC_RPORT0x08000000) ? 0 : newport;
4531	}
4532	}
4533
4534	/* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
4535	int
4536	permitopen_port(const char *p)
4537	{
4538	int port;
4539
4540	if (strcmp(p, "*") == 0)
4541	return FWD_PERMIT_ANY_PORT0;
4542	if ((port = a2port(p)) > 0)
4543	return port;
4544	return -1;
4545	}
4546
4547	/* Try to start non-blocking connect to next host in cctx list */
4548	static int
4549	connect_next(struct channel_connect *cctx)
4550	{
4551	int sock, saved_errno;
4552	struct sockaddr_un *sunaddr;
4553	char ntop[NI_MAXHOST256];
4554	char strport[MAXIMUM(NI_MAXSERV, sizeof(sunaddr->sun_path))(((32) > (sizeof(sunaddr->sun_path))) ? (32) : (sizeof( sunaddr->sun_path)))];
4555
4556	for (; cctx->ai; cctx->ai = cctx->ai->ai_next) {
4557	switch (cctx->ai->ai_family) {
4558	case AF_UNIX1:
4559	/* unix:pathname instead of host:port */
4560	sunaddr = (struct sockaddr_un *)cctx->ai->ai_addr;
4561	strlcpy(ntop, "unix", sizeof(ntop));
4562	strlcpy(strport, sunaddr->sun_path, sizeof(strport));
4563	break;
4564	case AF_INET2:
4565	case AF_INET624:
4566	if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen,
4567	ntop, sizeof(ntop), strport, sizeof(strport),
4568	NI_NUMERICHOST1\|NI_NUMERICSERV2) != 0) {
4569	error_f("getnameinfo failed")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4569 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "getnameinfo failed");
4570	continue;
4571	}
4572	break;
4573	default:
4574	continue;
4575	}
4576	debug_f("start for host %.100s ([%.100s]:%s)",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4577 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "start for host %.100s ([%.100s]:%s)" , cctx->host, ntop, strport)
4577	cctx->host, ntop, strport)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4577 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "start for host %.100s ([%.100s]:%s)" , cctx->host, ntop, strport);
4578	if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype,
4579	cctx->ai->ai_protocol)) == -1) {
4580	if (cctx->ai->ai_next == NULL((void *)0))
4581	error("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4581 , 0, SYSLOG_LEVEL_ERROR, ((void )0), "socket: %.100s", strerror ((__errno())));
4582	else
4583	verbose("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4583 , 0, SYSLOG_LEVEL_VERBOSE, ((void )0), "socket: %.100s", strerror ((__errno())));
4584	continue;
4585	}
4586	if (set_nonblock(sock) == -1)
4587	fatal_f("set_nonblock(%d)", sock)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4587 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "set_nonblock(%d)", sock );
4588	if (connect(sock, cctx->ai->ai_addr,
4589	cctx->ai->ai_addrlen) == -1 && errno(*__errno()) != EINPROGRESS36) {
4590	debug_f("host %.100s ([%.100s]:%s): %.100s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4591 , 1, SYSLOG_LEVEL_DEBUG1, ((void )0), "host %.100s ([%.100s]:%s): %.100s" , cctx->host, ntop, strport, strerror((__errno())))
4591	cctx->host, ntop, strport, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4591 , 1, SYSLOG_LEVEL_DEBUG1, ((void )0), "host %.100s ([%.100s]:%s): %.100s" , cctx->host, ntop, strport, strerror((__errno())));
4592	saved_errno = errno(*__errno());
4593	close(sock);
4594	errno(*__errno()) = saved_errno;
4595	continue; /* fail -- try next */
4596	}
4597	if (cctx->ai->ai_family != AF_UNIX1)
4598	set_nodelay(sock);
4599	debug_f("connect host %.100s ([%.100s]:%s) in progress, fd=%d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4600 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "connect host %.100s ([%.100s]:%s) in progress, fd=%d" , cctx->host, ntop, strport, sock)
4600	cctx->host, ntop, strport, sock)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4600 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "connect host %.100s ([%.100s]:%s) in progress, fd=%d" , cctx->host, ntop, strport, sock);
4601	cctx->ai = cctx->ai->ai_next;
4602	return sock;
4603	}
4604	return -1;
4605	}
4606
4607	static void
4608	channel_connect_ctx_free(struct channel_connect *cctx)
4609	{
4610	free(cctx->host);
4611	if (cctx->aitop) {
4612	if (cctx->aitop->ai_family == AF_UNIX1)
4613	free(cctx->aitop);
4614	else
4615	freeaddrinfo(cctx->aitop);
4616	}
4617	memset(cctx, 0, sizeof(*cctx));
4618	}
4619
4620	/*
4621	* Return connecting socket to remote host:port or local socket path,
4622	* passing back the failure reason if appropriate.
4623	*/
4624	static int
4625	connect_to_helper(struct ssh ssh, const char name, int port, int socktype,
4626	char ctype, char rname, struct channel_connect *cctx,
4627	int reason, const char *errmsg)
4628	{
4629	struct addrinfo hints;
4630	int gaierr;
4631	int sock = -1;
4632	char strport[NI_MAXSERV32];
4633
4634	if (port == PORT_STREAMLOCAL-2) {
4635	struct sockaddr_un *sunaddr;
4636	struct addrinfo *ai;
4637
4638	if (strlen(name) > sizeof(sunaddr->sun_path)) {
4639	error("%.100s: %.100s", name, strerror(ENAMETOOLONG))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4639 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "%.100s: %.100s", name, strerror(63));
4640	return -1;
4641	}
4642
4643	/*
4644	* Fake up a struct addrinfo for AF_UNIX connections.
4645	* channel_connect_ctx_free() must check ai_family
4646	* and use free() not freeaddirinfo() for AF_UNIX.
4647	*/
4648	ai = xmalloc(sizeof(ai) + sizeof(sunaddr));
4649	memset(ai, 0, sizeof(ai) + sizeof(sunaddr));
4650	ai->ai_addr = (struct sockaddr *)(ai + 1);
4651	ai->ai_addrlen = sizeof(*sunaddr);
4652	ai->ai_family = AF_UNIX1;
4653	ai->ai_socktype = socktype;
4654	ai->ai_protocol = PF_UNSPEC0;
4655	sunaddr = (struct sockaddr_un *)ai->ai_addr;
4656	sunaddr->sun_family = AF_UNIX1;
4657	strlcpy(sunaddr->sun_path, name, sizeof(sunaddr->sun_path));
4658	cctx->aitop = ai;
4659	} else {
4660	memset(&hints, 0, sizeof(hints));
4661	hints.ai_family = ssh->chanctxt->IPv4or6;
4662	hints.ai_socktype = socktype;
4663	snprintf(strport, sizeof strport, "%d", port);
4664	if ((gaierr = getaddrinfo(name, strport, &hints, &cctx->aitop))
4665	!= 0) {
4666	if (errmsg != NULL((void *)0))
4667	*errmsg = ssh_gai_strerror(gaierr);
4668	if (reason != NULL((void *)0))
4669	*reason = SSH2_OPEN_CONNECT_FAILED2;
4670	error("connect_to %.100s: unknown host (%s)", name,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4671 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect_to %.100s: unknown host (%s)" , name, ssh_gai_strerror(gaierr))
4671	ssh_gai_strerror(gaierr))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4671 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect_to %.100s: unknown host (%s)" , name, ssh_gai_strerror(gaierr));
4672	return -1;
4673	}
4674	}
4675
4676	cctx->host = xstrdup(name);
4677	cctx->port = port;
4678	cctx->ai = cctx->aitop;
4679
4680	if ((sock = connect_next(cctx)) == -1) {
4681	error("connect to %.100s port %d failed: %s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4682 , 0, SYSLOG_LEVEL_ERROR, ((void )0), "connect to %.100s port %d failed: %s" , name, port, strerror((__errno())))
4682	name, port, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4682 , 0, SYSLOG_LEVEL_ERROR, ((void )0), "connect to %.100s port %d failed: %s" , name, port, strerror((__errno())));
4683	return -1;
4684	}
4685
4686	return sock;
4687	}
4688
4689	/* Return CONNECTING channel to remote host:port or local socket path */
4690	static Channel *
4691	connect_to(struct ssh ssh, const char host, int port,
4692	char ctype, char rname)
4693	{
4694	struct channel_connect cctx;
4695	Channel *c;
4696	int sock;
4697
4698	memset(&cctx, 0, sizeof(cctx));
4699	sock = connect_to_helper(ssh, host, port, SOCK_STREAM1, ctype, rname,
4700	&cctx, NULL((void )0), NULL((void )0));
4701	if (sock == -1) {
4702	channel_connect_ctx_free(&cctx);
4703	return NULL((void *)0);
4704	}
4705	c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING12, sock, sock, -1,
4706	CHAN_TCP_WINDOW_DEFAULT(64(321024)), CHAN_TCP_PACKET_DEFAULT(32*1024), 0, rname, 1);
4707	c->host_port = port;
4708	c->path = xstrdup(host);
4709	c->connect_ctx = cctx;
4710
4711	return c;
4712	}
4713
4714	/*
4715	* returns either the newly connected channel or the downstream channel
4716	* that needs to deal with this connection.
4717	*/
4718	Channel *
4719	channel_connect_by_listen_address(struct ssh ssh, const char listen_host,
4720	u_short listen_port, char ctype, char rname)
4721	{
4722	struct ssh_channels *sc = ssh->chanctxt;
4723	struct permission_set *pset = &sc->local_perms;
4724	u_int i;
4725	struct permission *perm;
4726
4727	for (i = 0; i < pset->num_permitted_user; i++) {
4728	perm = &pset->permitted_user[i];
4729	if (open_listen_match_tcpip(perm,
4730	listen_host, listen_port, 1)) {
4731	if (perm->downstream)
4732	return perm->downstream;
4733	if (perm->port_to_connect == 0)
4734	return rdynamic_connect_prepare(ssh,
4735	ctype, rname);
4736	return connect_to(ssh,
4737	perm->host_to_connect, perm->port_to_connect,
4738	ctype, rname);
4739	}
4740	}
4741	error("WARNING: Server requests forwarding for unknown listen_port %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4742 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "WARNING: Server requests forwarding for unknown listen_port %d" , listen_port)
4742	listen_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4742 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "WARNING: Server requests forwarding for unknown listen_port %d" , listen_port);
4743	return NULL((void *)0);
4744	}
4745
4746	Channel *
4747	channel_connect_by_listen_path(struct ssh ssh, const char path,
4748	char ctype, char rname)
4749	{
4750	struct ssh_channels *sc = ssh->chanctxt;
4751	struct permission_set *pset = &sc->local_perms;
4752	u_int i;
4753	struct permission *perm;
4754
4755	for (i = 0; i < pset->num_permitted_user; i++) {
4756	perm = &pset->permitted_user[i];
4757	if (open_listen_match_streamlocal(perm, path)) {
4758	return connect_to(ssh,
4759	perm->host_to_connect, perm->port_to_connect,
4760	ctype, rname);
4761	}
4762	}
4763	error("WARNING: Server requests forwarding for unknown path %.100s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4764 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "WARNING: Server requests forwarding for unknown path %.100s" , path)
4764	path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4764 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "WARNING: Server requests forwarding for unknown path %.100s" , path);
4765	return NULL((void *)0);
4766	}
4767
4768	/* Check if connecting to that port is permitted and connect. */
4769	Channel *
4770	channel_connect_to_port(struct ssh ssh, const char host, u_short port,
4771	char ctype, char rname, int reason, const char *errmsg)
4772	{
4773	struct ssh_channels *sc = ssh->chanctxt;
4774	struct permission_set *pset = &sc->local_perms;
4775	struct channel_connect cctx;
4776	Channel *c;
4777	u_int i, permit, permit_adm = 1;
4778	int sock;
4779	struct permission *perm;
4780
4781	permit = pset->all_permitted;
4782	if (!permit) {
4783	for (i = 0; i < pset->num_permitted_user; i++) {
4784	perm = &pset->permitted_user[i];
4785	if (open_match(perm, host, port)) {
4786	permit = 1;
4787	break;
4788	}
4789	}
4790	}
4791
4792	if (pset->num_permitted_admin > 0) {
4793	permit_adm = 0;
4794	for (i = 0; i < pset->num_permitted_admin; i++) {
4795	perm = &pset->permitted_admin[i];
4796	if (open_match(perm, host, port)) {
4797	permit_adm = 1;
4798	break;
4799	}
4800	}
4801	}
4802
4803	if (!permit \|\| !permit_adm) {
4804	logit("Received request from %.100s port %d to connect to "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4806 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to connect to " "host %.100s port %d, but the request was denied.", ssh_remote_ipaddr (ssh), ssh_remote_port(ssh), host, port)
4805	"host %.100s port %d, but the request was denied.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4806 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to connect to " "host %.100s port %d, but the request was denied.", ssh_remote_ipaddr (ssh), ssh_remote_port(ssh), host, port)
4806	ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), host, port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4806 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to connect to " "host %.100s port %d, but the request was denied.", ssh_remote_ipaddr (ssh), ssh_remote_port(ssh), host, port);
4807	if (reason != NULL((void *)0))
4808	*reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED1;
4809	return NULL((void *)0);
4810	}
4811
4812	memset(&cctx, 0, sizeof(cctx));
4813	sock = connect_to_helper(ssh, host, port, SOCK_STREAM1, ctype, rname,
4814	&cctx, reason, errmsg);
4815	if (sock == -1) {
4816	channel_connect_ctx_free(&cctx);
4817	return NULL((void *)0);
4818	}
4819
4820	c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING12, sock, sock, -1,
4821	CHAN_TCP_WINDOW_DEFAULT(64(321024)), CHAN_TCP_PACKET_DEFAULT(32*1024), 0, rname, 1);
4822	c->host_port = port;
4823	c->path = xstrdup(host);
4824	c->connect_ctx = cctx;
4825
4826	return c;
4827	}
4828
4829	/* Check if connecting to that path is permitted and connect. */
4830	Channel *
4831	channel_connect_to_path(struct ssh ssh, const char path,
4832	char ctype, char rname)
4833	{
4834	struct ssh_channels *sc = ssh->chanctxt;
4835	struct permission_set *pset = &sc->local_perms;
4836	u_int i, permit, permit_adm = 1;
4837	struct permission *perm;
4838
4839	permit = pset->all_permitted;
4840	if (!permit) {
4841	for (i = 0; i < pset->num_permitted_user; i++) {
4842	perm = &pset->permitted_user[i];
4843	if (open_match(perm, path, PORT_STREAMLOCAL-2)) {
4844	permit = 1;
4845	break;
4846	}
4847	}
4848	}
4849
4850	if (pset->num_permitted_admin > 0) {
4851	permit_adm = 0;
4852	for (i = 0; i < pset->num_permitted_admin; i++) {
4853	perm = &pset->permitted_admin[i];
4854	if (open_match(perm, path, PORT_STREAMLOCAL-2)) {
4855	permit_adm = 1;
4856	break;
4857	}
4858	}
4859	}
4860
4861	if (!permit \|\| !permit_adm) {
4862	logit("Received request to connect to path %.100s, "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4863 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request to connect to path %.100s, " "but the request was denied.", path)
4863	"but the request was denied.", path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4863 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request to connect to path %.100s, " "but the request was denied.", path);
4864	return NULL((void *)0);
4865	}
4866	return connect_to(ssh, path, PORT_STREAMLOCAL-2, ctype, rname);
4867	}
4868
4869	void
4870	channel_send_window_changes(struct ssh *ssh)
4871	{
4872	struct ssh_channels *sc = ssh->chanctxt;
4873	struct winsize ws;
4874	int r;
4875	u_int i;
4876
4877	for (i = 0; i < sc->channels_alloc; i++) {
4878	if (sc->channels[i] == NULL((void *)0) \|\| !sc->channels[i]->client_tty \|\|
4879	sc->channels[i]->type != SSH_CHANNEL_OPEN4)
4880	continue;
4881	if (ioctl(sc->channels[i]->rfd, TIOCGWINSZ((unsigned long)0x40000000 \| ((sizeof(struct winsize) & 0x1fff ) << 16) \| ((('t')) << 8) \| ((104))), &ws) == -1)
4882	continue;
4883	channel_request_start(ssh, i, "window-change", 0);
4884	if ((r = sshpkt_put_u32(ssh, (u_int)ws.ws_col)) != 0 \|\|
4885	(r = sshpkt_put_u32(ssh, (u_int)ws.ws_row)) != 0 \|\|
4886	(r = sshpkt_put_u32(ssh, (u_int)ws.ws_xpixel)) != 0 \|\|
4887	(r = sshpkt_put_u32(ssh, (u_int)ws.ws_ypixel)) != 0 \|\|
4888	(r = sshpkt_send(ssh)) != 0)
4889	fatal_fr(r, "channel %u; send window-change", i)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4889 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %u; send window-change" , i);
4890	}
4891	}
4892
4893	/* Return RDYNAMIC_OPEN channel: channel allows SOCKS, but is not connected */
4894	static Channel *
4895	rdynamic_connect_prepare(struct ssh ssh, char ctype, char *rname)
4896	{
4897	Channel *c;
4898	int r;
4899
4900	c = channel_new(ssh, ctype, SSH_CHANNEL_RDYNAMIC_OPEN21, -1, -1, -1,
4901	CHAN_TCP_WINDOW_DEFAULT(64(321024)), CHAN_TCP_PACKET_DEFAULT(32*1024), 0, rname, 1);
4902	c->host_port = 0;
4903	c->path = NULL((void *)0);
4904
4905	/*
4906	* We need to open the channel before we have a FD,
4907	* so that we can get SOCKS header from peer.
4908	*/
4909	if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION91)) != 0 \|\|
4910	(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 \|\|
4911	(r = sshpkt_put_u32(ssh, c->self)) != 0 \|\|
4912	(r = sshpkt_put_u32(ssh, c->local_window)) != 0 \|\|
4913	(r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0)
4914	fatal_fr(r, "channel %i; confirm", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4914 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i; confirm", c ->self);
4915	return c;
4916	}
4917
4918	/* Return CONNECTING socket to remote host:port or local socket path */
4919	static int
4920	rdynamic_connect_finish(struct ssh ssh, Channel c)
4921	{
4922	struct ssh_channels *sc = ssh->chanctxt;
4923	struct permission_set *pset = &sc->local_perms;
4924	struct permission *perm;
4925	struct channel_connect cctx;
4926	u_int i, permit_adm = 1;
4927	int sock;
4928
4929	if (pset->num_permitted_admin > 0) {
4930	permit_adm = 0;
4931	for (i = 0; i < pset->num_permitted_admin; i++) {
4932	perm = &pset->permitted_admin[i];
4933	if (open_match(perm, c->path, c->host_port)) {
4934	permit_adm = 1;
4935	break;
4936	}
4937	}
4938	}
4939	if (!permit_adm) {
4940	debug_f("requested forward not permitted")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4940 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "requested forward not permitted" );
4941	return -1;
4942	}
4943
4944	memset(&cctx, 0, sizeof(cctx));
4945	sock = connect_to_helper(ssh, c->path, c->host_port, SOCK_STREAM1, NULL((void *)0),
4946	NULL((void )0), &cctx, NULL((void )0), NULL((void *)0));
4947	if (sock == -1)
4948	channel_connect_ctx_free(&cctx);
4949	else {
4950	/* similar to SSH_CHANNEL_CONNECTING but we've already sent the open */
4951	c->type = SSH_CHANNEL_RDYNAMIC_FINISH22;
4952	c->connect_ctx = cctx;
4953	channel_register_fds(ssh, c, sock, sock, -1, 0, 1, 0);
4954	}
4955	return sock;
4956	}
4957
4958	/* -- X11 forwarding */
4959
4960	/*
4961	* Creates an internet domain socket for listening for X11 connections.
4962	* Returns 0 and a suitable display number for the DISPLAY variable
4963	* stored in display_numberp , or -1 if an error occurs.
4964	*/
4965	int
4966	x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
4967	int x11_use_localhost, int single_connection,
4968	u_int display_numberp, int *chanids)
4969	{
4970	Channel nc = NULL((void )0);
4971	int display_number, sock;
4972	u_short port;
4973	struct addrinfo hints, ai, aitop;
4974	char strport[NI_MAXSERV32];
4975	int gaierr, n, num_socks = 0, socks[NUM_SOCKS10];
4976
4977	if (chanids == NULL((void *)0))
4978	return -1;
4979
4980	for (display_number = x11_display_offset;
4981	display_number < MAX_DISPLAYS1000;
4982	display_number++) {
4983	port = 6000 + display_number;
4984	memset(&hints, 0, sizeof(hints));
4985	hints.ai_family = ssh->chanctxt->IPv4or6;
4986	hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE1;
4987	hints.ai_socktype = SOCK_STREAM1;
4988	snprintf(strport, sizeof strport, "%d", port);
4989	if ((gaierr = getaddrinfo(NULL((void *)0), strport,
4990	&hints, &aitop)) != 0) {
4991	error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4991 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "getaddrinfo: %.100s", ssh_gai_strerror (gaierr));
4992	return -1;
4993	}
4994	for (ai = aitop; ai; ai = ai->ai_next) {
4995	if (ai->ai_family != AF_INET2 &&
4996	ai->ai_family != AF_INET624)
4997	continue;
4998	sock = socket(ai->ai_family, ai->ai_socktype,
4999	ai->ai_protocol);
5000	if (sock == -1) {
5001	error("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5001 , 0, SYSLOG_LEVEL_ERROR, ((void )0), "socket: %.100s", strerror ((__errno())));
5002	freeaddrinfo(aitop);
5003	return -1;
5004	}
5005	set_reuseaddr(sock);
5006	if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
5007	debug2_f("bind port %d: %.100s", port,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5008 , 1, SYSLOG_LEVEL_DEBUG2, ((void )0), "bind port %d: %.100s" , port, strerror((__errno())))
5008	strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5008 , 1, SYSLOG_LEVEL_DEBUG2, ((void )0), "bind port %d: %.100s" , port, strerror((__errno())));
5009	close(sock);
5010	for (n = 0; n < num_socks; n++)
5011	close(socks[n]);
5012	num_socks = 0;
5013	break;
5014	}
5015	socks[num_socks++] = sock;
5016	if (num_socks == NUM_SOCKS10)
5017	break;
5018	}
5019	freeaddrinfo(aitop);
5020	if (num_socks > 0)
5021	break;
5022	}
5023	if (display_number >= MAX_DISPLAYS1000) {
5024	error("Failed to allocate internet-domain X11 display socket.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5024 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Failed to allocate internet-domain X11 display socket." );
5025	return -1;
5026	}
5027	/* Start listening for connections on the socket. */
5028	for (n = 0; n < num_socks; n++) {
5029	sock = socks[n];
5030	if (listen(sock, SSH_LISTEN_BACKLOG128) == -1) {
5031	error("listen: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5031 , 0, SYSLOG_LEVEL_ERROR, ((void )0), "listen: %.100s", strerror ((__errno())));
5032	close(sock);
5033	return -1;
5034	}
5035	}
5036
5037	/* Allocate a channel for each socket. */
5038	chanids = xcalloc(num_socks + 1, sizeof(*chanids));
5039	for (n = 0; n < num_socks; n++) {
5040	sock = socks[n];
5041	nc = channel_new(ssh, "x11-listener",
5042	SSH_CHANNEL_X11_LISTENER1, sock, sock, -1,
5043	CHAN_X11_WINDOW_DEFAULT(4(161024)), CHAN_X11_PACKET_DEFAULT(16*1024),
5044	0, "X11 inet listener", 1);
5045	nc->single_connection = single_connection;
5046	(*chanids)[n] = nc->self;
5047	}
5048	(*chanids)[n] = -1;
5049
5050	/* Return the display number for the DISPLAY environment variable. */
5051	*display_numberp = display_number;
5052	return 0;
5053	}
5054
5055	static int
5056	connect_local_xsocket(u_int dnr)
5057	{
5058	int sock;
5059	struct sockaddr_un addr;
5060
5061	sock = socket(AF_UNIX1, SOCK_STREAM1, 0);
5062	if (sock == -1)
5063	error("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5063 , 0, SYSLOG_LEVEL_ERROR, ((void )0), "socket: %.100s", strerror ((__errno())));
5064	memset(&addr, 0, sizeof(addr));
5065	addr.sun_family = AF_UNIX1;
5066	snprintf(addr.sun_path, sizeof addr.sun_path, _PATH_UNIX_X"/tmp/.X11-unix/X%u", dnr);
5067	if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
5068	return sock;
5069	close(sock);
5070	error("connect %.100s: %.100s", addr.sun_path, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5070 , 0, SYSLOG_LEVEL_ERROR, ((void )0), "connect %.100s: %.100s" , addr.sun_path, strerror((__errno())));
5071	return -1;
5072	}
5073
5074	int
5075	x11_connect_display(struct ssh *ssh)
5076	{
5077	u_int display_number;
5078	const char *display;
5079	char buf[1024], *cp;
5080	struct addrinfo hints, ai, aitop;
5081	char strport[NI_MAXSERV32];
5082	int gaierr, sock = 0;
5083
5084	/* Try to open a socket for the local X server. */
5085	display = getenv("DISPLAY");
5086	if (!display) {
5087	error("DISPLAY not set.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5087 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "DISPLAY not set.");
5088	return -1;
5089	}
5090	/*
5091	* Now we decode the value of the DISPLAY variable and make a
5092	* connection to the real X server.
5093	*/
5094
5095	/*
5096	* Check if it is a unix domain socket. Unix domain displays are in
5097	* one of the following formats: unix:d[.s], :d[.s], ::d[.s]
5098	*/
5099	if (strncmp(display, "unix:", 5) == 0 \|\|
5100	display[0] == ':') {
5101	/* Connect to the unix domain socket. */
5102	if (sscanf(strrchr(display, ':') + 1, "%u",
5103	&display_number) != 1) {
5104	error("Could not parse display number from DISPLAY: "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5105 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Could not parse display number from DISPLAY: " "%.100s", display)
5105	"%.100s", display)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5105 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Could not parse display number from DISPLAY: " "%.100s", display);
5106	return -1;
5107	}
5108	/* Create a socket. */
5109	sock = connect_local_xsocket(display_number);
5110	if (sock < 0)
5111	return -1;
5112
5113	/* OK, we now have a connection to the display. */
5114	return sock;
5115	}
5116	/*
5117	* Connect to an inet socket. The DISPLAY value is supposedly
5118	* hostname:d[.s], where hostname may also be numeric IP address.
5119	*/
5120	strlcpy(buf, display, sizeof(buf));
5121	cp = strchr(buf, ':');
5122	if (!cp) {
5123	error("Could not find ':' in DISPLAY: %.100s", display)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5123 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Could not find ':' in DISPLAY: %.100s" , display);
5124	return -1;
5125	}
5126	*cp = 0;
5127	/*
5128	* buf now contains the host name. But first we parse the
5129	* display number.
5130	*/
5131	if (sscanf(cp + 1, "%u", &display_number) != 1) {
5132	error("Could not parse display number from DISPLAY: %.100s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5133 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Could not parse display number from DISPLAY: %.100s" , display)
5133	display)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5133 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Could not parse display number from DISPLAY: %.100s" , display);
5134	return -1;
5135	}
5136
5137	/* Look up the host address */
5138	memset(&hints, 0, sizeof(hints));
5139	hints.ai_family = ssh->chanctxt->IPv4or6;
5140	hints.ai_socktype = SOCK_STREAM1;
5141	snprintf(strport, sizeof strport, "%u", 6000 + display_number);
5142	if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
5143	error("%.100s: unknown host. (%s)", buf,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5144 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "%.100s: unknown host. (%s)" , buf, ssh_gai_strerror(gaierr))
5144	ssh_gai_strerror(gaierr))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5144 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "%.100s: unknown host. (%s)" , buf, ssh_gai_strerror(gaierr));
5145	return -1;
5146	}
5147	for (ai = aitop; ai; ai = ai->ai_next) {
5148	/* Create a socket. */
5149	sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
5150	if (sock == -1) {
5151	debug2("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5151 , 0, SYSLOG_LEVEL_DEBUG2, ((void )0), "socket: %.100s", strerror ((__errno())));
5152	continue;
5153	}
5154	/* Connect it to the display. */
5155	if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
5156	debug2("connect %.100s port %u: %.100s", buf,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5157 , 0, SYSLOG_LEVEL_DEBUG2, ((void )0), "connect %.100s port %u: %.100s" , buf, 6000 + display_number, strerror((__errno())))
5157	6000 + display_number, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5157 , 0, SYSLOG_LEVEL_DEBUG2, ((void )0), "connect %.100s port %u: %.100s" , buf, 6000 + display_number, strerror((__errno())));
5158	close(sock);
5159	continue;
5160	}
5161	/* Success */
5162	break;
5163	}
5164	freeaddrinfo(aitop);
5165	if (!ai) {
5166	error("connect %.100s port %u: %.100s", buf,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5167 , 0, SYSLOG_LEVEL_ERROR, ((void )0), "connect %.100s port %u: %.100s" , buf, 6000 + display_number, strerror((__errno())))
5167	6000 + display_number, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5167 , 0, SYSLOG_LEVEL_ERROR, ((void )0), "connect %.100s port %u: %.100s" , buf, 6000 + display_number, strerror((__errno())));
5168	return -1;
5169	}
5170	set_nodelay(sock);
5171	return sock;
5172	}
5173
5174	/*
5175	* Requests forwarding of X11 connections, generates fake authentication
5176	* data, and enables authentication spoofing.
5177	* This should be called in the client only.
5178	*/
5179	void
5180	x11_request_forwarding_with_spoofing(struct ssh *ssh, int client_session_id,
5181	const char disp, const char proto, const char *data, int want_reply)
5182	{
5183	struct ssh_channels *sc = ssh->chanctxt;
5184	u_int data_len = (u_int) strlen(data) / 2;
5185	u_int i, value;
5186	const char *cp;
5187	char *new_data;
5188	int r, screen_number;
5189
5190	if (sc->x11_saved_display == NULL((void *)0))
5191	sc->x11_saved_display = xstrdup(disp);
5192	else if (strcmp(disp, sc->x11_saved_display) != 0) {
5193	error("x11_request_forwarding_with_spoofing: different "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5194 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "x11_request_forwarding_with_spoofing: different " "$DISPLAY already forwarded")
5194	"$DISPLAY already forwarded")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5194 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "x11_request_forwarding_with_spoofing: different " "$DISPLAY already forwarded");
5195	return;
5196	}
5197
5198	cp = strchr(disp, ':');
5199	if (cp)
5200	cp = strchr(cp, '.');
5201	if (cp)
5202	screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL((void *)0));
5203	else
5204	screen_number = 0;
5205
5206	if (sc->x11_saved_proto == NULL((void *)0)) {
5207	/* Save protocol name. */
5208	sc->x11_saved_proto = xstrdup(proto);
5209
5210	/* Extract real authentication data. */
5211	sc->x11_saved_data = xmalloc(data_len);
5212	for (i = 0; i < data_len; i++) {
5213	if (sscanf(data + 2 * i, "%2x", &value) != 1) {
5214	fatal("x11_request_forwarding: bad "sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5215 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "x11_request_forwarding: bad " "authentication data: %.100s", data)
5215	"authentication data: %.100s", data)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5215 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "x11_request_forwarding: bad " "authentication data: %.100s", data);
5216	}
5217	sc->x11_saved_data[i] = value;
5218	}
5219	sc->x11_saved_data_len = data_len;
5220
5221	/* Generate fake data of the same length. */
5222	sc->x11_fake_data = xmalloc(data_len);
5223	arc4random_buf(sc->x11_fake_data, data_len);
5224	sc->x11_fake_data_len = data_len;
5225	}
5226
5227	/* Convert the fake data into hex. */
5228	new_data = tohex(sc->x11_fake_data, data_len);
5229
5230	/* Send the request packet. */
5231	channel_request_start(ssh, client_session_id, "x11-req", want_reply);
5232	if ((r = sshpkt_put_u8(ssh, 0)) != 0 \|\| /* bool: single connection */
5233	(r = sshpkt_put_cstring(ssh, proto)) != 0 \|\|
5234	(r = sshpkt_put_cstring(ssh, new_data)) != 0 \|\|
5235	(r = sshpkt_put_u32(ssh, screen_number)) != 0 \|\|
5236	(r = sshpkt_send(ssh)) != 0 \|\|
5237	(r = ssh_packet_write_wait(ssh)) != 0)
5238	fatal_fr(r, "send x11-req")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5238 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "send x11-req");
5239	free(new_data);
5240	}