File: | src/usr.bin/ssh/ssh/../channels.c |
Warning: | line 4277, column 21 Although the value stored to 'listen_port' is used in the enclosing expression, the value is never actually read from 'listen_port' |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* $OpenBSD: channels.c,v 1.436 2024/01/09 22:19:00 djm Exp $ */ |
2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved |
6 | * This file contains functions for generic socket connection forwarding. |
7 | * There is also code for initiating connection forwarding for X11 connections, |
8 | * arbitrary tcp/ip connections, and the authentication agent connection. |
9 | * |
10 | * As far as I am concerned, the code I have written for this software |
11 | * can be used freely for any purpose. Any derived versions of this |
12 | * software must be clearly marked as such, and if the derived work is |
13 | * incompatible with the protocol description in the RFC file, it must be |
14 | * called by a name other than "ssh" or "Secure Shell". |
15 | * |
16 | * SSH2 support added by Markus Friedl. |
17 | * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. |
18 | * Copyright (c) 1999 Dug Song. All rights reserved. |
19 | * Copyright (c) 1999 Theo de Raadt. All rights reserved. |
20 | * |
21 | * Redistribution and use in source and binary forms, with or without |
22 | * modification, are permitted provided that the following conditions |
23 | * are met: |
24 | * 1. Redistributions of source code must retain the above copyright |
25 | * notice, this list of conditions and the following disclaimer. |
26 | * 2. Redistributions in binary form must reproduce the above copyright |
27 | * notice, this list of conditions and the following disclaimer in the |
28 | * documentation and/or other materials provided with the distribution. |
29 | * |
30 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
31 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
32 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
33 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
34 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
35 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
36 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
37 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
38 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
39 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
40 | */ |
41 | |
42 | #include <sys/types.h> |
43 | #include <sys/stat.h> |
44 | #include <sys/ioctl.h> |
45 | #include <sys/un.h> |
46 | #include <sys/socket.h> |
47 | #include <sys/time.h> |
48 | #include <sys/queue.h> |
49 | |
50 | #include <netinet/in.h> |
51 | #include <arpa/inet.h> |
52 | |
53 | #include <errno(*__errno()).h> |
54 | #include <fcntl.h> |
55 | #include <limits.h> |
56 | #include <netdb.h> |
57 | #include <poll.h> |
58 | #include <stdarg.h> |
59 | #include <stdint.h> |
60 | #include <stdio.h> |
61 | #include <stdlib.h> |
62 | #include <string.h> |
63 | #include <termios.h> |
64 | #include <unistd.h> |
65 | |
66 | #include "xmalloc.h" |
67 | #include "ssh.h" |
68 | #include "ssh2.h" |
69 | #include "ssherr.h" |
70 | #include "sshbuf.h" |
71 | #include "packet.h" |
72 | #include "log.h" |
73 | #include "misc.h" |
74 | #include "channels.h" |
75 | #include "compat.h" |
76 | #include "canohost.h" |
77 | #include "sshkey.h" |
78 | #include "authfd.h" |
79 | #include "pathnames.h" |
80 | #include "match.h" |
81 | |
82 | /* XXX remove once we're satisfied there's no lurking bugs */ |
83 | /* #define DEBUG_CHANNEL_POLL 1 */ |
84 | |
85 | /* -- agent forwarding */ |
86 | #define NUM_SOCKS10 10 |
87 | |
88 | /* -- tcp forwarding */ |
89 | /* special-case port number meaning allow any port */ |
90 | #define FWD_PERMIT_ANY_PORT0 0 |
91 | |
92 | /* special-case wildcard meaning allow any host */ |
93 | #define FWD_PERMIT_ANY_HOST"*" "*" |
94 | |
95 | /* -- X11 forwarding */ |
96 | /* Maximum number of fake X11 displays to try. */ |
97 | #define MAX_DISPLAYS1000 1000 |
98 | |
99 | /* Per-channel callback for pre/post IO actions */ |
100 | typedef void chan_fn(struct ssh *, Channel *c); |
101 | |
102 | /* |
103 | * Data structure for storing which hosts are permitted for forward requests. |
104 | * The local sides of any remote forwards are stored in this array to prevent |
105 | * a corrupt remote server from accessing arbitrary TCP/IP ports on our local |
106 | * network (which might be behind a firewall). |
107 | */ |
108 | /* XXX: streamlocal wants a path instead of host:port */ |
109 | /* Overload host_to_connect; we could just make this match Forward */ |
110 | /* XXX - can we use listen_host instead of listen_path? */ |
111 | struct permission { |
112 | char *host_to_connect; /* Connect to 'host'. */ |
113 | int port_to_connect; /* Connect to 'port'. */ |
114 | char *listen_host; /* Remote side should listen address. */ |
115 | char *listen_path; /* Remote side should listen path. */ |
116 | int listen_port; /* Remote side should listen port. */ |
117 | Channel *downstream; /* Downstream mux*/ |
118 | }; |
119 | |
120 | /* |
121 | * Stores the forwarding permission state for a single direction (local or |
122 | * remote). |
123 | */ |
124 | struct permission_set { |
125 | /* |
126 | * List of all local permitted host/port pairs to allow for the |
127 | * user. |
128 | */ |
129 | u_int num_permitted_user; |
130 | struct permission *permitted_user; |
131 | |
132 | /* |
133 | * List of all permitted host/port pairs to allow for the admin. |
134 | */ |
135 | u_int num_permitted_admin; |
136 | struct permission *permitted_admin; |
137 | |
138 | /* |
139 | * If this is true, all opens/listens are permitted. This is the |
140 | * case on the server on which we have to trust the client anyway, |
141 | * and the user could do anything after logging in. |
142 | */ |
143 | int all_permitted; |
144 | }; |
145 | |
146 | /* Used to record timeouts per channel type */ |
147 | struct ssh_channel_timeout { |
148 | char *type_pattern; |
149 | int timeout_secs; |
150 | }; |
151 | |
152 | /* Master structure for channels state */ |
153 | struct ssh_channels { |
154 | /* |
155 | * Pointer to an array containing all allocated channels. The array |
156 | * is dynamically extended as needed. |
157 | */ |
158 | Channel **channels; |
159 | |
160 | /* |
161 | * Size of the channel array. All slots of the array must always be |
162 | * initialized (at least the type field); unused slots set to NULL |
163 | */ |
164 | u_int channels_alloc; |
165 | |
166 | /* |
167 | * 'channel_pre*' are called just before IO to add any bits |
168 | * relevant to channels in the c->io_want bitmasks. |
169 | * |
170 | * 'channel_post*': perform any appropriate operations for |
171 | * channels which have c->io_ready events pending. |
172 | */ |
173 | chan_fn **channel_pre; |
174 | chan_fn **channel_post; |
175 | |
176 | /* -- tcp forwarding */ |
177 | struct permission_set local_perms; |
178 | struct permission_set remote_perms; |
179 | |
180 | /* -- X11 forwarding */ |
181 | |
182 | /* Saved X11 local (client) display. */ |
183 | char *x11_saved_display; |
184 | |
185 | /* Saved X11 authentication protocol name. */ |
186 | char *x11_saved_proto; |
187 | |
188 | /* Saved X11 authentication data. This is the real data. */ |
189 | char *x11_saved_data; |
190 | u_int x11_saved_data_len; |
191 | |
192 | /* Deadline after which all X11 connections are refused */ |
193 | time_t x11_refuse_time; |
194 | |
195 | /* |
196 | * Fake X11 authentication data. This is what the server will be |
197 | * sending us; we should replace any occurrences of this by the |
198 | * real data. |
199 | */ |
200 | u_char *x11_fake_data; |
201 | u_int x11_fake_data_len; |
202 | |
203 | /* AF_UNSPEC or AF_INET or AF_INET6 */ |
204 | int IPv4or6; |
205 | |
206 | /* Channel timeouts by type */ |
207 | struct ssh_channel_timeout *timeouts; |
208 | size_t ntimeouts; |
209 | /* Global timeout for all OPEN channels */ |
210 | int global_deadline; |
211 | time_t lastused; |
212 | }; |
213 | |
214 | /* helper */ |
215 | static void port_open_helper(struct ssh *ssh, Channel *c, char *rtype); |
216 | static const char *channel_rfwd_bind_host(const char *listen_host); |
217 | |
218 | /* non-blocking connect helpers */ |
219 | static int connect_next(struct channel_connect *); |
220 | static void channel_connect_ctx_free(struct channel_connect *); |
221 | static Channel *rdynamic_connect_prepare(struct ssh *, char *, char *); |
222 | static int rdynamic_connect_finish(struct ssh *, Channel *); |
223 | |
224 | /* Setup helper */ |
225 | static void channel_handler_init(struct ssh_channels *sc); |
226 | |
227 | /* -- channel core */ |
228 | |
229 | void |
230 | channel_init_channels(struct ssh *ssh) |
231 | { |
232 | struct ssh_channels *sc; |
233 | |
234 | if ((sc = calloc(1, sizeof(*sc))) == NULL((void *)0)) |
235 | fatal_f("allocation failed")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 235 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "allocation failed"); |
236 | sc->channels_alloc = 10; |
237 | sc->channels = xcalloc(sc->channels_alloc, sizeof(*sc->channels)); |
238 | sc->IPv4or6 = AF_UNSPEC0; |
239 | channel_handler_init(sc); |
240 | |
241 | ssh->chanctxt = sc; |
242 | } |
243 | |
244 | Channel * |
245 | channel_by_id(struct ssh *ssh, int id) |
246 | { |
247 | Channel *c; |
248 | |
249 | if (id < 0 || (u_int)id >= ssh->chanctxt->channels_alloc) { |
250 | logit_f("%d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 250 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id", id); |
251 | return NULL((void *)0); |
252 | } |
253 | c = ssh->chanctxt->channels[id]; |
254 | if (c == NULL((void *)0)) { |
255 | logit_f("%d: bad id: channel free", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 255 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id: channel free" , id); |
256 | return NULL((void *)0); |
257 | } |
258 | return c; |
259 | } |
260 | |
261 | Channel * |
262 | channel_by_remote_id(struct ssh *ssh, u_int remote_id) |
263 | { |
264 | Channel *c; |
265 | u_int i; |
266 | |
267 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
268 | c = ssh->chanctxt->channels[i]; |
269 | if (c != NULL((void *)0) && c->have_remote_id && c->remote_id == remote_id) |
270 | return c; |
271 | } |
272 | return NULL((void *)0); |
273 | } |
274 | |
275 | /* |
276 | * Returns the channel if it is allowed to receive protocol messages. |
277 | * Private channels, like listening sockets, may not receive messages. |
278 | */ |
279 | Channel * |
280 | channel_lookup(struct ssh *ssh, int id) |
281 | { |
282 | Channel *c; |
283 | |
284 | if ((c = channel_by_id(ssh, id)) == NULL((void *)0)) |
285 | return NULL((void *)0); |
286 | |
287 | switch (c->type) { |
288 | case SSH_CHANNEL_X11_OPEN7: |
289 | case SSH_CHANNEL_LARVAL10: |
290 | case SSH_CHANNEL_CONNECTING12: |
291 | case SSH_CHANNEL_DYNAMIC13: |
292 | case SSH_CHANNEL_RDYNAMIC_OPEN21: |
293 | case SSH_CHANNEL_RDYNAMIC_FINISH22: |
294 | case SSH_CHANNEL_OPENING3: |
295 | case SSH_CHANNEL_OPEN4: |
296 | case SSH_CHANNEL_ABANDONED17: |
297 | case SSH_CHANNEL_MUX_PROXY20: |
298 | return c; |
299 | } |
300 | logit("Non-public channel %d, type %d.", id, c->type)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 300 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Non-public channel %d, type %d." , id, c->type); |
301 | return NULL((void *)0); |
302 | } |
303 | |
304 | /* |
305 | * Add a timeout for open channels whose c->ctype (or c->xctype if it is set) |
306 | * match type_pattern. |
307 | */ |
308 | void |
309 | channel_add_timeout(struct ssh *ssh, const char *type_pattern, |
310 | int timeout_secs) |
311 | { |
312 | struct ssh_channels *sc = ssh->chanctxt; |
313 | |
314 | if (strcmp(type_pattern, "global") == 0) { |
315 | debug2_f("global channel timeout %d seconds", timeout_secs)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 315 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "global channel timeout %d seconds" , timeout_secs); |
316 | sc->global_deadline = timeout_secs; |
317 | return; |
318 | } |
319 | debug2_f("channel type \"%s\" timeout %d seconds",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 320 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel type \"%s\" timeout %d seconds" , type_pattern, timeout_secs) |
320 | type_pattern, timeout_secs)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 320 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel type \"%s\" timeout %d seconds" , type_pattern, timeout_secs); |
321 | sc->timeouts = xrecallocarray(sc->timeouts, sc->ntimeouts, |
322 | sc->ntimeouts + 1, sizeof(*sc->timeouts)); |
323 | sc->timeouts[sc->ntimeouts].type_pattern = xstrdup(type_pattern); |
324 | sc->timeouts[sc->ntimeouts].timeout_secs = timeout_secs; |
325 | sc->ntimeouts++; |
326 | } |
327 | |
328 | /* Clears all previously-added channel timeouts */ |
329 | void |
330 | channel_clear_timeouts(struct ssh *ssh) |
331 | { |
332 | struct ssh_channels *sc = ssh->chanctxt; |
333 | size_t i; |
334 | |
335 | debug3_f("clearing")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 335 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "clearing"); |
336 | for (i = 0; i < sc->ntimeouts; i++) |
337 | free(sc->timeouts[i].type_pattern); |
338 | free(sc->timeouts); |
339 | sc->timeouts = NULL((void *)0); |
340 | sc->ntimeouts = 0; |
341 | } |
342 | |
343 | static int |
344 | lookup_timeout(struct ssh *ssh, const char *type) |
345 | { |
346 | struct ssh_channels *sc = ssh->chanctxt; |
347 | size_t i; |
348 | |
349 | for (i = 0; i < sc->ntimeouts; i++) { |
350 | if (match_pattern(type, sc->timeouts[i].type_pattern)) |
351 | return sc->timeouts[i].timeout_secs; |
352 | } |
353 | |
354 | return 0; |
355 | } |
356 | |
357 | /* |
358 | * Sets "extended type" of a channel; used by session layer to add additional |
359 | * information about channel types (e.g. shell, login, subsystem) that can then |
360 | * be used to select timeouts. |
361 | * Will reset c->inactive_deadline as a side-effect. |
362 | */ |
363 | void |
364 | channel_set_xtype(struct ssh *ssh, int id, const char *xctype) |
365 | { |
366 | Channel *c; |
367 | |
368 | if ((c = channel_by_id(ssh, id)) == NULL((void *)0)) |
369 | fatal_f("missing channel %d", id)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 369 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "missing channel %d", id ); |
370 | if (c->xctype != NULL((void *)0)) |
371 | free(c->xctype); |
372 | c->xctype = xstrdup(xctype); |
373 | /* Type has changed, so look up inactivity deadline again */ |
374 | c->inactive_deadline = lookup_timeout(ssh, c->xctype); |
375 | debug2_f("labeled channel %d as %s (inactive timeout %u)", id, xctype,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 376 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "labeled channel %d as %s (inactive timeout %u)" , id, xctype, c->inactive_deadline) |
376 | c->inactive_deadline)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 376 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "labeled channel %d as %s (inactive timeout %u)" , id, xctype, c->inactive_deadline); |
377 | } |
378 | |
379 | /* |
380 | * update "last used" time on a channel. |
381 | * NB. nothing else should update lastused except to clear it. |
382 | */ |
383 | static void |
384 | channel_set_used_time(struct ssh *ssh, Channel *c) |
385 | { |
386 | ssh->chanctxt->lastused = monotime(); |
387 | if (c != NULL((void *)0)) |
388 | c->lastused = ssh->chanctxt->lastused; |
389 | } |
390 | |
391 | /* |
392 | * Get the time at which a channel is due to time out for inactivity. |
393 | * Returns 0 if the channel is not due to time out ever. |
394 | */ |
395 | static time_t |
396 | channel_get_expiry(struct ssh *ssh, Channel *c) |
397 | { |
398 | struct ssh_channels *sc = ssh->chanctxt; |
399 | time_t expiry = 0, channel_expiry; |
400 | |
401 | if (sc->lastused != 0 && sc->global_deadline != 0) |
402 | expiry = sc->lastused + sc->global_deadline; |
403 | if (c->lastused != 0 && c->inactive_deadline != 0) { |
404 | channel_expiry = c->lastused + c->inactive_deadline; |
405 | if (expiry == 0 || channel_expiry < expiry) |
406 | expiry = channel_expiry; |
407 | } |
408 | return expiry; |
409 | } |
410 | |
411 | /* |
412 | * Register filedescriptors for a channel, used when allocating a channel or |
413 | * when the channel consumer/producer is ready, e.g. shell exec'd |
414 | */ |
415 | static void |
416 | channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd, |
417 | int extusage, int nonblock, int is_tty) |
418 | { |
419 | int val; |
420 | |
421 | if (rfd != -1) |
422 | (void)fcntl(rfd, F_SETFD2, FD_CLOEXEC1); |
423 | if (wfd != -1 && wfd != rfd) |
424 | (void)fcntl(wfd, F_SETFD2, FD_CLOEXEC1); |
425 | if (efd != -1 && efd != rfd && efd != wfd) |
426 | (void)fcntl(efd, F_SETFD2, FD_CLOEXEC1); |
427 | |
428 | c->rfd = rfd; |
429 | c->wfd = wfd; |
430 | c->sock = (rfd == wfd) ? rfd : -1; |
431 | c->efd = efd; |
432 | c->extended_usage = extusage; |
433 | |
434 | if ((c->isatty = is_tty) != 0) |
435 | debug2("channel %d: rfd %d isatty", c->self, c->rfd)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 435 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: rfd %d isatty" , c->self, c->rfd); |
436 | |
437 | /* enable nonblocking mode */ |
438 | c->restore_block = 0; |
439 | if (nonblock == CHANNEL_NONBLOCK_STDIO2) { |
440 | /* |
441 | * Special handling for stdio file descriptors: do not set |
442 | * non-blocking mode if they are TTYs. Otherwise prepare to |
443 | * restore their blocking state on exit to avoid interfering |
444 | * with other programs that follow. |
445 | */ |
446 | if (rfd != -1 && !isatty(rfd) && |
447 | (val = fcntl(rfd, F_GETFL3)) != -1 && !(val & O_NONBLOCK0x0004)) { |
448 | c->restore_flags[0] = val; |
449 | c->restore_block |= CHANNEL_RESTORE_RFD0x01; |
450 | set_nonblock(rfd); |
451 | } |
452 | if (wfd != -1 && !isatty(wfd) && |
453 | (val = fcntl(wfd, F_GETFL3)) != -1 && !(val & O_NONBLOCK0x0004)) { |
454 | c->restore_flags[1] = val; |
455 | c->restore_block |= CHANNEL_RESTORE_WFD0x02; |
456 | set_nonblock(wfd); |
457 | } |
458 | if (efd != -1 && !isatty(efd) && |
459 | (val = fcntl(efd, F_GETFL3)) != -1 && !(val & O_NONBLOCK0x0004)) { |
460 | c->restore_flags[2] = val; |
461 | c->restore_block |= CHANNEL_RESTORE_EFD0x04; |
462 | set_nonblock(efd); |
463 | } |
464 | } else if (nonblock) { |
465 | if (rfd != -1) |
466 | set_nonblock(rfd); |
467 | if (wfd != -1) |
468 | set_nonblock(wfd); |
469 | if (efd != -1) |
470 | set_nonblock(efd); |
471 | } |
472 | /* channel might be entering a larval state, so reset global timeout */ |
473 | channel_set_used_time(ssh, NULL((void *)0)); |
474 | } |
475 | |
476 | /* |
477 | * Allocate a new channel object and set its type and socket. |
478 | */ |
479 | Channel * |
480 | channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd, |
481 | u_int window, u_int maxpack, int extusage, const char *remote_name, |
482 | int nonblock) |
483 | { |
484 | struct ssh_channels *sc = ssh->chanctxt; |
485 | u_int i, found; |
486 | Channel *c; |
487 | int r; |
488 | |
489 | /* Try to find a free slot where to put the new channel. */ |
490 | for (i = 0; i < sc->channels_alloc; i++) { |
491 | if (sc->channels[i] == NULL((void *)0)) { |
492 | /* Found a free slot. */ |
493 | found = i; |
494 | break; |
495 | } |
496 | } |
497 | if (i >= sc->channels_alloc) { |
498 | /* |
499 | * There are no free slots. Take last+1 slot and expand |
500 | * the array. |
501 | */ |
502 | found = sc->channels_alloc; |
503 | if (sc->channels_alloc > CHANNELS_MAX_CHANNELS(16*1024)) |
504 | fatal_f("internal error: channels_alloc %d too big",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 505 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "internal error: channels_alloc %d too big" , sc->channels_alloc) |
505 | sc->channels_alloc)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 505 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "internal error: channels_alloc %d too big" , sc->channels_alloc); |
506 | sc->channels = xrecallocarray(sc->channels, sc->channels_alloc, |
507 | sc->channels_alloc + 10, sizeof(*sc->channels)); |
508 | sc->channels_alloc += 10; |
509 | debug2("channel: expanding %d", sc->channels_alloc)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 509 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel: expanding %d" , sc->channels_alloc); |
510 | } |
511 | /* Initialize and return new channel. */ |
512 | c = sc->channels[found] = xcalloc(1, sizeof(Channel)); |
513 | if ((c->input = sshbuf_new()) == NULL((void *)0) || |
514 | (c->output = sshbuf_new()) == NULL((void *)0) || |
515 | (c->extended = sshbuf_new()) == NULL((void *)0)) |
516 | fatal_f("sshbuf_new failed")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 516 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "sshbuf_new failed"); |
517 | if ((r = sshbuf_set_max_size(c->input, CHAN_INPUT_MAX(16*1024*1024))) != 0) |
518 | fatal_fr(r, "sshbuf_set_max_size")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 518 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "sshbuf_set_max_size"); |
519 | c->ostate = CHAN_OUTPUT_OPEN0; |
520 | c->istate = CHAN_INPUT_OPEN0; |
521 | channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0); |
522 | c->self = found; |
523 | c->type = type; |
524 | c->ctype = ctype; |
525 | c->local_window = window; |
526 | c->local_window_max = window; |
527 | c->local_maxpacket = maxpack; |
528 | c->remote_name = xstrdup(remote_name); |
529 | c->ctl_chan = -1; |
530 | c->delayed = 1; /* prevent call to channel_post handler */ |
531 | c->inactive_deadline = lookup_timeout(ssh, c->ctype); |
532 | TAILQ_INIT(&c->status_confirms)do { (&c->status_confirms)->tqh_first = ((void *)0) ; (&c->status_confirms)->tqh_last = &(&c-> status_confirms)->tqh_first; } while (0); |
533 | debug("channel %d: new %s [%s] (inactive timeout: %u)",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 534 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: new %s [%s] (inactive timeout: %u)" , found, c->ctype, remote_name, c->inactive_deadline) |
534 | found, c->ctype, remote_name, c->inactive_deadline)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 534 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: new %s [%s] (inactive timeout: %u)" , found, c->ctype, remote_name, c->inactive_deadline); |
535 | return c; |
536 | } |
537 | |
538 | int |
539 | channel_close_fd(struct ssh *ssh, Channel *c, int *fdp) |
540 | { |
541 | int ret, fd = *fdp; |
542 | |
543 | if (fd == -1) |
544 | return 0; |
545 | |
546 | /* restore blocking */ |
547 | if (*fdp == c->rfd && |
548 | (c->restore_block & CHANNEL_RESTORE_RFD0x01) != 0) |
549 | (void)fcntl(*fdp, F_SETFL4, c->restore_flags[0]); |
550 | else if (*fdp == c->wfd && |
551 | (c->restore_block & CHANNEL_RESTORE_WFD0x02) != 0) |
552 | (void)fcntl(*fdp, F_SETFL4, c->restore_flags[1]); |
553 | else if (*fdp == c->efd && |
554 | (c->restore_block & CHANNEL_RESTORE_EFD0x04) != 0) |
555 | (void)fcntl(*fdp, F_SETFL4, c->restore_flags[2]); |
556 | |
557 | if (*fdp == c->rfd) { |
558 | c->io_want &= ~SSH_CHAN_IO_RFD0x01; |
559 | c->io_ready &= ~SSH_CHAN_IO_RFD0x01; |
560 | c->rfd = -1; |
561 | c->pfds[0] = -1; |
562 | } |
563 | if (*fdp == c->wfd) { |
564 | c->io_want &= ~SSH_CHAN_IO_WFD0x02; |
565 | c->io_ready &= ~SSH_CHAN_IO_WFD0x02; |
566 | c->wfd = -1; |
567 | c->pfds[1] = -1; |
568 | } |
569 | if (*fdp == c->efd) { |
570 | c->io_want &= ~SSH_CHAN_IO_EFD(0x04|0x08); |
571 | c->io_ready &= ~SSH_CHAN_IO_EFD(0x04|0x08); |
572 | c->efd = -1; |
573 | c->pfds[2] = -1; |
574 | } |
575 | if (*fdp == c->sock) { |
576 | c->io_want &= ~SSH_CHAN_IO_SOCK(0x10|0x20); |
577 | c->io_ready &= ~SSH_CHAN_IO_SOCK(0x10|0x20); |
578 | c->sock = -1; |
579 | c->pfds[3] = -1; |
580 | } |
581 | |
582 | ret = close(fd); |
583 | *fdp = -1; /* probably redundant */ |
584 | return ret; |
585 | } |
586 | |
587 | /* Close all channel fd/socket. */ |
588 | static void |
589 | channel_close_fds(struct ssh *ssh, Channel *c) |
590 | { |
591 | int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd; |
592 | |
593 | channel_close_fd(ssh, c, &c->sock); |
594 | if (rfd != sock) |
595 | channel_close_fd(ssh, c, &c->rfd); |
596 | if (wfd != sock && wfd != rfd) |
597 | channel_close_fd(ssh, c, &c->wfd); |
598 | if (efd != sock && efd != rfd && efd != wfd) |
599 | channel_close_fd(ssh, c, &c->efd); |
600 | } |
601 | |
602 | static void |
603 | fwd_perm_clear(struct permission *perm) |
604 | { |
605 | free(perm->host_to_connect); |
606 | free(perm->listen_host); |
607 | free(perm->listen_path); |
608 | memset(perm, 0, sizeof(*perm)); |
609 | } |
610 | |
611 | /* Returns an printable name for the specified forwarding permission list */ |
612 | static const char * |
613 | fwd_ident(int who, int where) |
614 | { |
615 | if (who == FORWARD_ADM0x100) { |
616 | if (where == FORWARD_LOCAL(1<<1)) |
617 | return "admin local"; |
618 | else if (where == FORWARD_REMOTE(1)) |
619 | return "admin remote"; |
620 | } else if (who == FORWARD_USER0x101) { |
621 | if (where == FORWARD_LOCAL(1<<1)) |
622 | return "user local"; |
623 | else if (where == FORWARD_REMOTE(1)) |
624 | return "user remote"; |
625 | } |
626 | fatal("Unknown forward permission list %d/%d", who, where)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 626 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "Unknown forward permission list %d/%d" , who, where); |
627 | } |
628 | |
629 | /* Returns the forwarding permission list for the specified direction */ |
630 | static struct permission_set * |
631 | permission_set_get(struct ssh *ssh, int where) |
632 | { |
633 | struct ssh_channels *sc = ssh->chanctxt; |
634 | |
635 | switch (where) { |
636 | case FORWARD_LOCAL(1<<1): |
637 | return &sc->local_perms; |
638 | break; |
639 | case FORWARD_REMOTE(1): |
640 | return &sc->remote_perms; |
641 | break; |
642 | default: |
643 | fatal_f("invalid forwarding direction %d", where)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 643 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "invalid forwarding direction %d" , where); |
644 | } |
645 | } |
646 | |
647 | /* Returns pointers to the specified forwarding list and its element count */ |
648 | static void |
649 | permission_set_get_array(struct ssh *ssh, int who, int where, |
650 | struct permission ***permpp, u_int **npermpp) |
651 | { |
652 | struct permission_set *pset = permission_set_get(ssh, where); |
653 | |
654 | switch (who) { |
655 | case FORWARD_USER0x101: |
656 | *permpp = &pset->permitted_user; |
657 | *npermpp = &pset->num_permitted_user; |
658 | break; |
659 | case FORWARD_ADM0x100: |
660 | *permpp = &pset->permitted_admin; |
661 | *npermpp = &pset->num_permitted_admin; |
662 | break; |
663 | default: |
664 | fatal_f("invalid forwarding client %d", who)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 664 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "invalid forwarding client %d" , who); |
665 | } |
666 | } |
667 | |
668 | /* Adds an entry to the specified forwarding list */ |
669 | static int |
670 | permission_set_add(struct ssh *ssh, int who, int where, |
671 | const char *host_to_connect, int port_to_connect, |
672 | const char *listen_host, const char *listen_path, int listen_port, |
673 | Channel *downstream) |
674 | { |
675 | struct permission **permp; |
676 | u_int n, *npermp; |
677 | |
678 | permission_set_get_array(ssh, who, where, &permp, &npermp); |
679 | |
680 | if (*npermp >= INT_MAX0x7fffffff) |
681 | fatal_f("%s overflow", fwd_ident(who, where))sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 681 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "%s overflow", fwd_ident (who, where)); |
682 | |
683 | *permp = xrecallocarray(*permp, *npermp, *npermp + 1, sizeof(**permp)); |
684 | n = (*npermp)++; |
685 | #define MAYBE_DUP(s) ((s == NULL((void *)0)) ? NULL((void *)0) : xstrdup(s)) |
686 | (*permp)[n].host_to_connect = MAYBE_DUP(host_to_connect); |
687 | (*permp)[n].port_to_connect = port_to_connect; |
688 | (*permp)[n].listen_host = MAYBE_DUP(listen_host); |
689 | (*permp)[n].listen_path = MAYBE_DUP(listen_path); |
690 | (*permp)[n].listen_port = listen_port; |
691 | (*permp)[n].downstream = downstream; |
692 | #undef MAYBE_DUP |
693 | return (int)n; |
694 | } |
695 | |
696 | static void |
697 | mux_remove_remote_forwardings(struct ssh *ssh, Channel *c) |
698 | { |
699 | struct ssh_channels *sc = ssh->chanctxt; |
700 | struct permission_set *pset = &sc->local_perms; |
701 | struct permission *perm; |
702 | int r; |
703 | u_int i; |
704 | |
705 | for (i = 0; i < pset->num_permitted_user; i++) { |
706 | perm = &pset->permitted_user[i]; |
707 | if (perm->downstream != c) |
708 | continue; |
709 | |
710 | /* cancel on the server, since mux client is gone */ |
711 | debug("channel %d: cleanup remote forward for %s:%u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 712 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: cleanup remote forward for %s:%u" , c->self, perm->listen_host, perm->listen_port) |
712 | c->self, perm->listen_host, perm->listen_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 712 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: cleanup remote forward for %s:%u" , c->self, perm->listen_host, perm->listen_port); |
713 | if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 || |
714 | (r = sshpkt_put_cstring(ssh, |
715 | "cancel-tcpip-forward")) != 0 || |
716 | (r = sshpkt_put_u8(ssh, 0)) != 0 || |
717 | (r = sshpkt_put_cstring(ssh, |
718 | channel_rfwd_bind_host(perm->listen_host))) != 0 || |
719 | (r = sshpkt_put_u32(ssh, perm->listen_port)) != 0 || |
720 | (r = sshpkt_send(ssh)) != 0) { |
721 | fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 721 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self ); |
722 | } |
723 | fwd_perm_clear(perm); /* unregister */ |
724 | } |
725 | } |
726 | |
727 | /* Free the channel and close its fd/socket. */ |
728 | void |
729 | channel_free(struct ssh *ssh, Channel *c) |
730 | { |
731 | struct ssh_channels *sc = ssh->chanctxt; |
732 | char *s; |
733 | u_int i, n; |
734 | Channel *other; |
735 | struct channel_confirm *cc; |
736 | |
737 | for (n = 0, i = 0; i < sc->channels_alloc; i++) { |
738 | if ((other = sc->channels[i]) == NULL((void *)0)) |
739 | continue; |
740 | n++; |
741 | /* detach from mux client and prepare for closing */ |
742 | if (c->type == SSH_CHANNEL_MUX_CLIENT16 && |
743 | other->type == SSH_CHANNEL_MUX_PROXY20 && |
744 | other->mux_ctx == c) { |
745 | other->mux_ctx = NULL((void *)0); |
746 | other->type = SSH_CHANNEL_OPEN4; |
747 | other->istate = CHAN_INPUT_CLOSED3; |
748 | other->ostate = CHAN_OUTPUT_CLOSED3; |
749 | } |
750 | } |
751 | debug("channel %d: free: %s, nchannels %u", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 752 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: free: %s, nchannels %u" , c->self, c->remote_name ? c->remote_name : "???", n ) |
752 | c->remote_name ? c->remote_name : "???", n)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 752 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: free: %s, nchannels %u" , c->self, c->remote_name ? c->remote_name : "???", n ); |
753 | |
754 | if (c->type == SSH_CHANNEL_MUX_CLIENT16) { |
755 | mux_remove_remote_forwardings(ssh, c); |
756 | free(c->mux_ctx); |
757 | c->mux_ctx = NULL((void *)0); |
758 | } else if (c->type == SSH_CHANNEL_MUX_LISTENER15) { |
759 | free(c->mux_ctx); |
760 | c->mux_ctx = NULL((void *)0); |
761 | } |
762 | |
763 | if (log_level_get() >= SYSLOG_LEVEL_DEBUG3) { |
764 | s = channel_open_message(ssh); |
765 | debug3("channel %d: status: %s", c->self, s)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 765 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: status: %s" , c->self, s); |
766 | free(s); |
767 | } |
768 | |
769 | channel_close_fds(ssh, c); |
770 | sshbuf_free(c->input); |
771 | sshbuf_free(c->output); |
772 | sshbuf_free(c->extended); |
773 | c->input = c->output = c->extended = NULL((void *)0); |
774 | free(c->remote_name); |
775 | c->remote_name = NULL((void *)0); |
776 | free(c->path); |
777 | c->path = NULL((void *)0); |
778 | free(c->listening_addr); |
779 | c->listening_addr = NULL((void *)0); |
780 | free(c->xctype); |
781 | c->xctype = NULL((void *)0); |
782 | while ((cc = TAILQ_FIRST(&c->status_confirms)((&c->status_confirms)->tqh_first)) != NULL((void *)0)) { |
783 | if (cc->abandon_cb != NULL((void *)0)) |
784 | cc->abandon_cb(ssh, c, cc->ctx); |
785 | TAILQ_REMOVE(&c->status_confirms, cc, entry)do { if (((cc)->entry.tqe_next) != ((void *)0)) (cc)->entry .tqe_next->entry.tqe_prev = (cc)->entry.tqe_prev; else ( &c->status_confirms)->tqh_last = (cc)->entry.tqe_prev ; *(cc)->entry.tqe_prev = (cc)->entry.tqe_next; ; ; } while (0); |
786 | freezero(cc, sizeof(*cc)); |
787 | } |
788 | if (c->filter_cleanup != NULL((void *)0) && c->filter_ctx != NULL((void *)0)) |
789 | c->filter_cleanup(ssh, c->self, c->filter_ctx); |
790 | sc->channels[c->self] = NULL((void *)0); |
791 | freezero(c, sizeof(*c)); |
792 | } |
793 | |
794 | void |
795 | channel_free_all(struct ssh *ssh) |
796 | { |
797 | u_int i; |
798 | struct ssh_channels *sc = ssh->chanctxt; |
799 | |
800 | for (i = 0; i < sc->channels_alloc; i++) |
801 | if (sc->channels[i] != NULL((void *)0)) |
802 | channel_free(ssh, sc->channels[i]); |
803 | |
804 | free(sc->channels); |
805 | sc->channels = NULL((void *)0); |
806 | sc->channels_alloc = 0; |
807 | |
808 | free(sc->x11_saved_display); |
809 | sc->x11_saved_display = NULL((void *)0); |
810 | |
811 | free(sc->x11_saved_proto); |
812 | sc->x11_saved_proto = NULL((void *)0); |
813 | |
814 | free(sc->x11_saved_data); |
815 | sc->x11_saved_data = NULL((void *)0); |
816 | sc->x11_saved_data_len = 0; |
817 | |
818 | free(sc->x11_fake_data); |
819 | sc->x11_fake_data = NULL((void *)0); |
820 | sc->x11_fake_data_len = 0; |
821 | } |
822 | |
823 | /* |
824 | * Closes the sockets/fds of all channels. This is used to close extra file |
825 | * descriptors after a fork. |
826 | */ |
827 | void |
828 | channel_close_all(struct ssh *ssh) |
829 | { |
830 | u_int i; |
831 | |
832 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) |
833 | if (ssh->chanctxt->channels[i] != NULL((void *)0)) |
834 | channel_close_fds(ssh, ssh->chanctxt->channels[i]); |
835 | } |
836 | |
837 | /* |
838 | * Stop listening to channels. |
839 | */ |
840 | void |
841 | channel_stop_listening(struct ssh *ssh) |
842 | { |
843 | u_int i; |
844 | Channel *c; |
845 | |
846 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
847 | c = ssh->chanctxt->channels[i]; |
848 | if (c != NULL((void *)0)) { |
849 | switch (c->type) { |
850 | case SSH_CHANNEL_AUTH_SOCKET6: |
851 | case SSH_CHANNEL_PORT_LISTENER2: |
852 | case SSH_CHANNEL_RPORT_LISTENER11: |
853 | case SSH_CHANNEL_X11_LISTENER1: |
854 | case SSH_CHANNEL_UNIX_LISTENER18: |
855 | case SSH_CHANNEL_RUNIX_LISTENER19: |
856 | channel_close_fd(ssh, c, &c->sock); |
857 | channel_free(ssh, c); |
858 | break; |
859 | } |
860 | } |
861 | } |
862 | } |
863 | |
864 | /* |
865 | * Returns true if no channel has too much buffered data, and false if one or |
866 | * more channel is overfull. |
867 | */ |
868 | int |
869 | channel_not_very_much_buffered_data(struct ssh *ssh) |
870 | { |
871 | u_int i; |
872 | u_int maxsize = ssh_packet_get_maxsize(ssh); |
873 | Channel *c; |
874 | |
875 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
876 | c = ssh->chanctxt->channels[i]; |
877 | if (c == NULL((void *)0) || c->type != SSH_CHANNEL_OPEN4) |
878 | continue; |
879 | if (sshbuf_len(c->output) > maxsize) { |
880 | debug2("channel %d: big output buffer %zu > %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 881 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: big output buffer %zu > %u" , c->self, sshbuf_len(c->output), maxsize) |
881 | c->self, sshbuf_len(c->output), maxsize)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 881 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: big output buffer %zu > %u" , c->self, sshbuf_len(c->output), maxsize); |
882 | return 0; |
883 | } |
884 | } |
885 | return 1; |
886 | } |
887 | |
888 | /* Returns true if any channel is still open. */ |
889 | int |
890 | channel_still_open(struct ssh *ssh) |
891 | { |
892 | u_int i; |
893 | Channel *c; |
894 | |
895 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
896 | c = ssh->chanctxt->channels[i]; |
897 | if (c == NULL((void *)0)) |
898 | continue; |
899 | switch (c->type) { |
900 | case SSH_CHANNEL_X11_LISTENER1: |
901 | case SSH_CHANNEL_PORT_LISTENER2: |
902 | case SSH_CHANNEL_RPORT_LISTENER11: |
903 | case SSH_CHANNEL_MUX_LISTENER15: |
904 | case SSH_CHANNEL_CLOSED5: |
905 | case SSH_CHANNEL_AUTH_SOCKET6: |
906 | case SSH_CHANNEL_DYNAMIC13: |
907 | case SSH_CHANNEL_RDYNAMIC_OPEN21: |
908 | case SSH_CHANNEL_CONNECTING12: |
909 | case SSH_CHANNEL_ZOMBIE14: |
910 | case SSH_CHANNEL_ABANDONED17: |
911 | case SSH_CHANNEL_UNIX_LISTENER18: |
912 | case SSH_CHANNEL_RUNIX_LISTENER19: |
913 | continue; |
914 | case SSH_CHANNEL_LARVAL10: |
915 | continue; |
916 | case SSH_CHANNEL_OPENING3: |
917 | case SSH_CHANNEL_OPEN4: |
918 | case SSH_CHANNEL_RDYNAMIC_FINISH22: |
919 | case SSH_CHANNEL_X11_OPEN7: |
920 | case SSH_CHANNEL_MUX_CLIENT16: |
921 | case SSH_CHANNEL_MUX_PROXY20: |
922 | return 1; |
923 | default: |
924 | fatal_f("bad channel type %d", c->type)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 924 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "bad channel type %d", c ->type); |
925 | /* NOTREACHED */ |
926 | } |
927 | } |
928 | return 0; |
929 | } |
930 | |
931 | /* Returns true if a channel with a TTY is open. */ |
932 | int |
933 | channel_tty_open(struct ssh *ssh) |
934 | { |
935 | u_int i; |
936 | Channel *c; |
937 | |
938 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
939 | c = ssh->chanctxt->channels[i]; |
940 | if (c == NULL((void *)0) || c->type != SSH_CHANNEL_OPEN4) |
941 | continue; |
942 | if (c->client_tty) |
943 | return 1; |
944 | } |
945 | return 0; |
946 | } |
947 | |
948 | /* Returns the id of an open channel suitable for keepaliving */ |
949 | int |
950 | channel_find_open(struct ssh *ssh) |
951 | { |
952 | u_int i; |
953 | Channel *c; |
954 | |
955 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
956 | c = ssh->chanctxt->channels[i]; |
957 | if (c == NULL((void *)0) || !c->have_remote_id) |
958 | continue; |
959 | switch (c->type) { |
960 | case SSH_CHANNEL_CLOSED5: |
961 | case SSH_CHANNEL_DYNAMIC13: |
962 | case SSH_CHANNEL_RDYNAMIC_OPEN21: |
963 | case SSH_CHANNEL_RDYNAMIC_FINISH22: |
964 | case SSH_CHANNEL_X11_LISTENER1: |
965 | case SSH_CHANNEL_PORT_LISTENER2: |
966 | case SSH_CHANNEL_RPORT_LISTENER11: |
967 | case SSH_CHANNEL_MUX_LISTENER15: |
968 | case SSH_CHANNEL_MUX_CLIENT16: |
969 | case SSH_CHANNEL_MUX_PROXY20: |
970 | case SSH_CHANNEL_OPENING3: |
971 | case SSH_CHANNEL_CONNECTING12: |
972 | case SSH_CHANNEL_ZOMBIE14: |
973 | case SSH_CHANNEL_ABANDONED17: |
974 | case SSH_CHANNEL_UNIX_LISTENER18: |
975 | case SSH_CHANNEL_RUNIX_LISTENER19: |
976 | continue; |
977 | case SSH_CHANNEL_LARVAL10: |
978 | case SSH_CHANNEL_AUTH_SOCKET6: |
979 | case SSH_CHANNEL_OPEN4: |
980 | case SSH_CHANNEL_X11_OPEN7: |
981 | return i; |
982 | default: |
983 | fatal_f("bad channel type %d", c->type)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 983 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "bad channel type %d", c ->type); |
984 | /* NOTREACHED */ |
985 | } |
986 | } |
987 | return -1; |
988 | } |
989 | |
990 | /* Returns the state of the channel's extended usage flag */ |
991 | const char * |
992 | channel_format_extended_usage(const Channel *c) |
993 | { |
994 | if (c->efd == -1) |
995 | return "closed"; |
996 | |
997 | switch (c->extended_usage) { |
998 | case CHAN_EXTENDED_WRITE2: |
999 | return "write"; |
1000 | case CHAN_EXTENDED_READ1: |
1001 | return "read"; |
1002 | case CHAN_EXTENDED_IGNORE0: |
1003 | return "ignore"; |
1004 | default: |
1005 | return "UNKNOWN"; |
1006 | } |
1007 | } |
1008 | |
1009 | static char * |
1010 | channel_format_status(const Channel *c) |
1011 | { |
1012 | char *ret = NULL((void *)0); |
1013 | |
1014 | xasprintf(&ret, "t%d [%s] %s%u i%u/%zu o%u/%zu e[%s]/%zu " |
1015 | "fd %d/%d/%d sock %d cc %d io 0x%02x/0x%02x", |
1016 | c->type, c->xctype != NULL((void *)0) ? c->xctype : c->ctype, |
1017 | c->have_remote_id ? "r" : "nr", c->remote_id, |
1018 | c->istate, sshbuf_len(c->input), |
1019 | c->ostate, sshbuf_len(c->output), |
1020 | channel_format_extended_usage(c), sshbuf_len(c->extended), |
1021 | c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan, |
1022 | c->io_want, c->io_ready); |
1023 | return ret; |
1024 | } |
1025 | |
1026 | /* |
1027 | * Returns a message describing the currently open forwarded connections, |
1028 | * suitable for sending to the client. The message contains crlf pairs for |
1029 | * newlines. |
1030 | */ |
1031 | char * |
1032 | channel_open_message(struct ssh *ssh) |
1033 | { |
1034 | struct sshbuf *buf; |
1035 | Channel *c; |
1036 | u_int i; |
1037 | int r; |
1038 | char *cp, *ret; |
1039 | |
1040 | if ((buf = sshbuf_new()) == NULL((void *)0)) |
1041 | fatal_f("sshbuf_new")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1041 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "sshbuf_new"); |
1042 | if ((r = sshbuf_putf(buf, |
1043 | "The following connections are open:\r\n")) != 0) |
1044 | fatal_fr(r, "sshbuf_putf")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1044 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "sshbuf_putf"); |
1045 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
1046 | c = ssh->chanctxt->channels[i]; |
1047 | if (c == NULL((void *)0)) |
1048 | continue; |
1049 | switch (c->type) { |
1050 | case SSH_CHANNEL_X11_LISTENER1: |
1051 | case SSH_CHANNEL_PORT_LISTENER2: |
1052 | case SSH_CHANNEL_RPORT_LISTENER11: |
1053 | case SSH_CHANNEL_CLOSED5: |
1054 | case SSH_CHANNEL_AUTH_SOCKET6: |
1055 | case SSH_CHANNEL_ZOMBIE14: |
1056 | case SSH_CHANNEL_ABANDONED17: |
1057 | case SSH_CHANNEL_MUX_LISTENER15: |
1058 | case SSH_CHANNEL_UNIX_LISTENER18: |
1059 | case SSH_CHANNEL_RUNIX_LISTENER19: |
1060 | continue; |
1061 | case SSH_CHANNEL_LARVAL10: |
1062 | case SSH_CHANNEL_OPENING3: |
1063 | case SSH_CHANNEL_CONNECTING12: |
1064 | case SSH_CHANNEL_DYNAMIC13: |
1065 | case SSH_CHANNEL_RDYNAMIC_OPEN21: |
1066 | case SSH_CHANNEL_RDYNAMIC_FINISH22: |
1067 | case SSH_CHANNEL_OPEN4: |
1068 | case SSH_CHANNEL_X11_OPEN7: |
1069 | case SSH_CHANNEL_MUX_PROXY20: |
1070 | case SSH_CHANNEL_MUX_CLIENT16: |
1071 | cp = channel_format_status(c); |
1072 | if ((r = sshbuf_putf(buf, " #%d %.300s (%s)\r\n", |
1073 | c->self, c->remote_name, cp)) != 0) { |
1074 | free(cp); |
1075 | fatal_fr(r, "sshbuf_putf")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1075 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "sshbuf_putf"); |
1076 | } |
1077 | free(cp); |
1078 | continue; |
1079 | default: |
1080 | fatal_f("bad channel type %d", c->type)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1080 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "bad channel type %d", c ->type); |
1081 | /* NOTREACHED */ |
1082 | } |
1083 | } |
1084 | if ((ret = sshbuf_dup_string(buf)) == NULL((void *)0)) |
1085 | fatal_f("sshbuf_dup_string")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1085 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "sshbuf_dup_string"); |
1086 | sshbuf_free(buf); |
1087 | return ret; |
1088 | } |
1089 | |
1090 | static void |
1091 | open_preamble(struct ssh *ssh, const char *where, Channel *c, const char *type) |
1092 | { |
1093 | int r; |
1094 | |
1095 | if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN90)) != 0 || |
1096 | (r = sshpkt_put_cstring(ssh, type)) != 0 || |
1097 | (r = sshpkt_put_u32(ssh, c->self)) != 0 || |
1098 | (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || |
1099 | (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) { |
1100 | fatal_r(r, "%s: channel %i: open", where, c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1100 , 0, SYSLOG_LEVEL_FATAL, ssh_err(r), "%s: channel %i: open", where , c->self); |
1101 | } |
1102 | } |
1103 | |
1104 | void |
1105 | channel_send_open(struct ssh *ssh, int id) |
1106 | { |
1107 | Channel *c = channel_lookup(ssh, id); |
1108 | int r; |
1109 | |
1110 | if (c == NULL((void *)0)) { |
1111 | logit("channel_send_open: %d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1111 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel_send_open: %d: bad id" , id); |
1112 | return; |
1113 | } |
1114 | debug2("channel %d: send open", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1114 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: send open" , id); |
1115 | open_preamble(ssh, __func__, c, c->ctype); |
1116 | if ((r = sshpkt_send(ssh)) != 0) |
1117 | fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1117 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self ); |
1118 | } |
1119 | |
1120 | void |
1121 | channel_request_start(struct ssh *ssh, int id, char *service, int wantconfirm) |
1122 | { |
1123 | Channel *c = channel_lookup(ssh, id); |
1124 | int r; |
1125 | |
1126 | if (c == NULL((void *)0)) { |
1127 | logit_f("%d: unknown channel id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1127 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: unknown channel id" , id); |
1128 | return; |
1129 | } |
1130 | if (!c->have_remote_id) |
1131 | fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1131 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self); |
1132 | |
1133 | debug2("channel %d: request %s confirm %d", id, service, wantconfirm)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1133 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: request %s confirm %d" , id, service, wantconfirm); |
1134 | if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_REQUEST98)) != 0 || |
1135 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
1136 | (r = sshpkt_put_cstring(ssh, service)) != 0 || |
1137 | (r = sshpkt_put_u8(ssh, wantconfirm)) != 0) { |
1138 | fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1138 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self ); |
1139 | } |
1140 | } |
1141 | |
1142 | void |
1143 | channel_register_status_confirm(struct ssh *ssh, int id, |
1144 | channel_confirm_cb *cb, channel_confirm_abandon_cb *abandon_cb, void *ctx) |
1145 | { |
1146 | struct channel_confirm *cc; |
1147 | Channel *c; |
1148 | |
1149 | if ((c = channel_lookup(ssh, id)) == NULL((void *)0)) |
1150 | fatal_f("%d: bad id", id)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1150 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "%d: bad id", id); |
1151 | |
1152 | cc = xcalloc(1, sizeof(*cc)); |
1153 | cc->cb = cb; |
1154 | cc->abandon_cb = abandon_cb; |
1155 | cc->ctx = ctx; |
1156 | TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry)do { (cc)->entry.tqe_next = ((void *)0); (cc)->entry.tqe_prev = (&c->status_confirms)->tqh_last; *(&c->status_confirms )->tqh_last = (cc); (&c->status_confirms)->tqh_last = &(cc)->entry.tqe_next; } while (0); |
1157 | } |
1158 | |
1159 | void |
1160 | channel_register_open_confirm(struct ssh *ssh, int id, |
1161 | channel_open_fn *fn, void *ctx) |
1162 | { |
1163 | Channel *c = channel_lookup(ssh, id); |
1164 | |
1165 | if (c == NULL((void *)0)) { |
1166 | logit_f("%d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1166 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id", id); |
1167 | return; |
1168 | } |
1169 | c->open_confirm = fn; |
1170 | c->open_confirm_ctx = ctx; |
1171 | } |
1172 | |
1173 | void |
1174 | channel_register_cleanup(struct ssh *ssh, int id, |
1175 | channel_callback_fn *fn, int do_close) |
1176 | { |
1177 | Channel *c = channel_by_id(ssh, id); |
1178 | |
1179 | if (c == NULL((void *)0)) { |
1180 | logit_f("%d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1180 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id", id); |
1181 | return; |
1182 | } |
1183 | c->detach_user = fn; |
1184 | c->detach_close = do_close; |
1185 | } |
1186 | |
1187 | void |
1188 | channel_cancel_cleanup(struct ssh *ssh, int id) |
1189 | { |
1190 | Channel *c = channel_by_id(ssh, id); |
1191 | |
1192 | if (c == NULL((void *)0)) { |
1193 | logit_f("%d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1193 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id", id); |
1194 | return; |
1195 | } |
1196 | c->detach_user = NULL((void *)0); |
1197 | c->detach_close = 0; |
1198 | } |
1199 | |
1200 | void |
1201 | channel_register_filter(struct ssh *ssh, int id, channel_infilter_fn *ifn, |
1202 | channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx) |
1203 | { |
1204 | Channel *c = channel_lookup(ssh, id); |
1205 | |
1206 | if (c == NULL((void *)0)) { |
1207 | logit_f("%d: bad id", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1207 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: bad id", id); |
1208 | return; |
1209 | } |
1210 | c->input_filter = ifn; |
1211 | c->output_filter = ofn; |
1212 | c->filter_ctx = ctx; |
1213 | c->filter_cleanup = cfn; |
1214 | } |
1215 | |
1216 | void |
1217 | channel_set_fds(struct ssh *ssh, int id, int rfd, int wfd, int efd, |
1218 | int extusage, int nonblock, int is_tty, u_int window_max) |
1219 | { |
1220 | Channel *c = channel_lookup(ssh, id); |
1221 | int r; |
1222 | |
1223 | if (c == NULL((void *)0) || c->type != SSH_CHANNEL_LARVAL10) |
1224 | fatal("channel_activate for non-larval channel %d.", id)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1224 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel_activate for non-larval channel %d." , id); |
1225 | if (!c->have_remote_id) |
1226 | fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1226 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self); |
1227 | |
1228 | channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, is_tty); |
1229 | c->type = SSH_CHANNEL_OPEN4; |
1230 | channel_set_used_time(ssh, c); |
1231 | c->local_window = c->local_window_max = window_max; |
1232 | |
1233 | if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST93)) != 0 || |
1234 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
1235 | (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || |
1236 | (r = sshpkt_send(ssh)) != 0) |
1237 | fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1237 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self ); |
1238 | } |
1239 | |
1240 | static void |
1241 | channel_pre_listener(struct ssh *ssh, Channel *c) |
1242 | { |
1243 | c->io_want = SSH_CHAN_IO_SOCK_R0x10; |
1244 | } |
1245 | |
1246 | static void |
1247 | channel_pre_connecting(struct ssh *ssh, Channel *c) |
1248 | { |
1249 | debug3("channel %d: waiting for connection", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1249 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: waiting for connection" , c->self); |
1250 | c->io_want = SSH_CHAN_IO_SOCK_W0x20; |
1251 | } |
1252 | |
1253 | static void |
1254 | channel_pre_open(struct ssh *ssh, Channel *c) |
1255 | { |
1256 | c->io_want = 0; |
1257 | if (c->istate == CHAN_INPUT_OPEN0 && |
1258 | c->remote_window > 0 && |
1259 | sshbuf_len(c->input) < c->remote_window && |
1260 | sshbuf_check_reserve(c->input, CHAN_RBUF(16*1024)) == 0) |
1261 | c->io_want |= SSH_CHAN_IO_RFD0x01; |
1262 | if (c->ostate == CHAN_OUTPUT_OPEN0 || |
1263 | c->ostate == CHAN_OUTPUT_WAIT_DRAIN1) { |
1264 | if (sshbuf_len(c->output) > 0) { |
1265 | c->io_want |= SSH_CHAN_IO_WFD0x02; |
1266 | } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN1) { |
1267 | if (CHANNEL_EFD_OUTPUT_ACTIVE(c)(c->extended_usage == 2 && c->efd != -1 && (!(c->flags & (0x08|0x02)) || sshbuf_len(c->extended ) > 0))) |
1268 | debug2("channel %d: "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1270 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "obuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended)) |
1269 | "obuf_empty delayed efd %d/(%zu)", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1270 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "obuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended)) |
1270 | c->efd, sshbuf_len(c->extended))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1270 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "obuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended)); |
1271 | else |
1272 | chan_obuf_empty(ssh, c); |
1273 | } |
1274 | } |
1275 | /** XXX check close conditions, too */ |
1276 | if (c->efd != -1 && !(c->istate == CHAN_INPUT_CLOSED3 && |
1277 | c->ostate == CHAN_OUTPUT_CLOSED3)) { |
1278 | if (c->extended_usage == CHAN_EXTENDED_WRITE2 && |
1279 | sshbuf_len(c->extended) > 0) |
1280 | c->io_want |= SSH_CHAN_IO_EFD_W0x08; |
1281 | else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT0x04) && |
1282 | (c->extended_usage == CHAN_EXTENDED_READ1 || |
1283 | c->extended_usage == CHAN_EXTENDED_IGNORE0) && |
1284 | sshbuf_len(c->extended) < c->remote_window) |
1285 | c->io_want |= SSH_CHAN_IO_EFD_R0x04; |
1286 | } |
1287 | /* XXX: What about efd? races? */ |
1288 | } |
1289 | |
1290 | /* |
1291 | * This is a special state for X11 authentication spoofing. An opened X11 |
1292 | * connection (when authentication spoofing is being done) remains in this |
1293 | * state until the first packet has been completely read. The authentication |
1294 | * data in that packet is then substituted by the real data if it matches the |
1295 | * fake data, and the channel is put into normal mode. |
1296 | * XXX All this happens at the client side. |
1297 | * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok |
1298 | */ |
1299 | static int |
1300 | x11_open_helper(struct ssh *ssh, struct sshbuf *b) |
1301 | { |
1302 | struct ssh_channels *sc = ssh->chanctxt; |
1303 | u_char *ucp; |
1304 | u_int proto_len, data_len; |
1305 | |
1306 | /* Is this being called after the refusal deadline? */ |
1307 | if (sc->x11_refuse_time != 0 && |
1308 | monotime() >= sc->x11_refuse_time) { |
1309 | verbose("Rejected X11 connection after ForwardX11Timeout "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1310 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "Rejected X11 connection after ForwardX11Timeout " "expired") |
1310 | "expired")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1310 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "Rejected X11 connection after ForwardX11Timeout " "expired"); |
1311 | return -1; |
1312 | } |
1313 | |
1314 | /* Check if the fixed size part of the packet is in buffer. */ |
1315 | if (sshbuf_len(b) < 12) |
1316 | return 0; |
1317 | |
1318 | /* Parse the lengths of variable-length fields. */ |
1319 | ucp = sshbuf_mutable_ptr(b); |
1320 | if (ucp[0] == 0x42) { /* Byte order MSB first. */ |
1321 | proto_len = 256 * ucp[6] + ucp[7]; |
1322 | data_len = 256 * ucp[8] + ucp[9]; |
1323 | } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ |
1324 | proto_len = ucp[6] + 256 * ucp[7]; |
1325 | data_len = ucp[8] + 256 * ucp[9]; |
1326 | } else { |
1327 | debug2("Initial X11 packet contains bad byte order byte: 0x%x",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1328 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "Initial X11 packet contains bad byte order byte: 0x%x" , ucp[0]) |
1328 | ucp[0])sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1328 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "Initial X11 packet contains bad byte order byte: 0x%x" , ucp[0]); |
1329 | return -1; |
1330 | } |
1331 | |
1332 | /* Check if the whole packet is in buffer. */ |
1333 | if (sshbuf_len(b) < |
1334 | 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) |
1335 | return 0; |
1336 | |
1337 | /* Check if authentication protocol matches. */ |
1338 | if (proto_len != strlen(sc->x11_saved_proto) || |
1339 | memcmp(ucp + 12, sc->x11_saved_proto, proto_len) != 0) { |
1340 | debug2("X11 connection uses different authentication protocol.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1340 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "X11 connection uses different authentication protocol." ); |
1341 | return -1; |
1342 | } |
1343 | /* Check if authentication data matches our fake data. */ |
1344 | if (data_len != sc->x11_fake_data_len || |
1345 | timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3), |
1346 | sc->x11_fake_data, sc->x11_fake_data_len) != 0) { |
1347 | debug2("X11 auth data does not match fake data.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1347 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "X11 auth data does not match fake data." ); |
1348 | return -1; |
1349 | } |
1350 | /* Check fake data length */ |
1351 | if (sc->x11_fake_data_len != sc->x11_saved_data_len) { |
1352 | error("X11 fake_data_len %d != saved_data_len %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1353 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "X11 fake_data_len %d != saved_data_len %d" , sc->x11_fake_data_len, sc->x11_saved_data_len) |
1353 | sc->x11_fake_data_len, sc->x11_saved_data_len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1353 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "X11 fake_data_len %d != saved_data_len %d" , sc->x11_fake_data_len, sc->x11_saved_data_len); |
1354 | return -1; |
1355 | } |
1356 | /* |
1357 | * Received authentication protocol and data match |
1358 | * our fake data. Substitute the fake data with real |
1359 | * data. |
1360 | */ |
1361 | memcpy(ucp + 12 + ((proto_len + 3) & ~3), |
1362 | sc->x11_saved_data, sc->x11_saved_data_len); |
1363 | return 1; |
1364 | } |
1365 | |
1366 | void |
1367 | channel_force_close(struct ssh *ssh, Channel *c, int abandon) |
1368 | { |
1369 | debug3_f("channel %d: forcibly closing", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1369 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: forcibly closing" , c->self); |
1370 | if (c->istate == CHAN_INPUT_OPEN0) |
1371 | chan_read_failed(ssh, c); |
1372 | if (c->istate == CHAN_INPUT_WAIT_DRAIN1) { |
1373 | sshbuf_reset(c->input); |
1374 | chan_ibuf_empty(ssh, c); |
1375 | } |
1376 | if (c->ostate == CHAN_OUTPUT_OPEN0 || |
1377 | c->ostate == CHAN_OUTPUT_WAIT_DRAIN1) { |
1378 | sshbuf_reset(c->output); |
1379 | chan_write_failed(ssh, c); |
1380 | } |
1381 | if (c->detach_user) |
1382 | c->detach_user(ssh, c->self, 1, NULL((void *)0)); |
1383 | if (c->efd != -1) |
1384 | channel_close_fd(ssh, c, &c->efd); |
1385 | if (abandon) |
1386 | c->type = SSH_CHANNEL_ABANDONED17; |
1387 | /* exempt from inactivity timeouts */ |
1388 | c->inactive_deadline = 0; |
1389 | c->lastused = 0; |
1390 | } |
1391 | |
1392 | static void |
1393 | channel_pre_x11_open(struct ssh *ssh, Channel *c) |
1394 | { |
1395 | int ret = x11_open_helper(ssh, c->output); |
1396 | |
1397 | /* c->force_drain = 1; */ |
1398 | |
1399 | if (ret == 1) { |
1400 | c->type = SSH_CHANNEL_OPEN4; |
1401 | channel_set_used_time(ssh, c); |
1402 | channel_pre_open(ssh, c); |
1403 | } else if (ret == -1) { |
1404 | logit("X11 connection rejected because of wrong "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1405 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "X11 connection rejected because of wrong " "authentication.") |
1405 | "authentication.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1405 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "X11 connection rejected because of wrong " "authentication."); |
1406 | debug2("X11 rejected %d i%d/o%d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1407 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "X11 rejected %d i%d/o%d" , c->self, c->istate, c->ostate) |
1407 | c->self, c->istate, c->ostate)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1407 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "X11 rejected %d i%d/o%d" , c->self, c->istate, c->ostate); |
1408 | channel_force_close(ssh, c, 0); |
1409 | } |
1410 | } |
1411 | |
1412 | static void |
1413 | channel_pre_mux_client(struct ssh *ssh, Channel *c) |
1414 | { |
1415 | c->io_want = 0; |
1416 | if (c->istate == CHAN_INPUT_OPEN0 && !c->mux_pause && |
1417 | sshbuf_check_reserve(c->input, CHAN_RBUF(16*1024)) == 0) |
1418 | c->io_want |= SSH_CHAN_IO_RFD0x01; |
1419 | if (c->istate == CHAN_INPUT_WAIT_DRAIN1) { |
1420 | /* clear buffer immediately (discard any partial packet) */ |
1421 | sshbuf_reset(c->input); |
1422 | chan_ibuf_empty(ssh, c); |
1423 | /* Start output drain. XXX just kill chan? */ |
1424 | chan_rcvd_oclose(ssh, c); |
1425 | } |
1426 | if (c->ostate == CHAN_OUTPUT_OPEN0 || |
1427 | c->ostate == CHAN_OUTPUT_WAIT_DRAIN1) { |
1428 | if (sshbuf_len(c->output) > 0) |
1429 | c->io_want |= SSH_CHAN_IO_WFD0x02; |
1430 | else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN1) |
1431 | chan_obuf_empty(ssh, c); |
1432 | } |
1433 | } |
1434 | |
1435 | /* try to decode a socks4 header */ |
1436 | static int |
1437 | channel_decode_socks4(Channel *c, struct sshbuf *input, struct sshbuf *output) |
1438 | { |
1439 | const u_char *p; |
1440 | char *host; |
1441 | u_int len, have, i, found, need; |
1442 | char username[256]; |
1443 | struct { |
1444 | u_int8_t version; |
1445 | u_int8_t command; |
1446 | u_int16_t dest_port; |
1447 | struct in_addr dest_addr; |
1448 | } s4_req, s4_rsp; |
1449 | int r; |
1450 | |
1451 | debug2("channel %d: decode socks4", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1451 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: decode socks4" , c->self); |
1452 | |
1453 | have = sshbuf_len(input); |
1454 | len = sizeof(s4_req); |
1455 | if (have < len) |
1456 | return 0; |
1457 | p = sshbuf_ptr(input); |
1458 | |
1459 | need = 1; |
1460 | /* SOCKS4A uses an invalid IP address 0.0.0.x */ |
1461 | if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) { |
1462 | debug2("channel %d: socks4a request", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1462 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: socks4a request" , c->self); |
1463 | /* ... and needs an extra string (the hostname) */ |
1464 | need = 2; |
1465 | } |
1466 | /* Check for terminating NUL on the string(s) */ |
1467 | for (found = 0, i = len; i < have; i++) { |
1468 | if (p[i] == '\0') { |
1469 | found++; |
1470 | if (found == need) |
1471 | break; |
1472 | } |
1473 | if (i > 1024) { |
1474 | /* the peer is probably sending garbage */ |
1475 | debug("channel %d: decode socks4: too long",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1476 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: decode socks4: too long" , c->self) |
1476 | c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1476 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: decode socks4: too long" , c->self); |
1477 | return -1; |
1478 | } |
1479 | } |
1480 | if (found < need) |
1481 | return 0; |
1482 | if ((r = sshbuf_get(input, &s4_req.version, 1)) != 0 || |
1483 | (r = sshbuf_get(input, &s4_req.command, 1)) != 0 || |
1484 | (r = sshbuf_get(input, &s4_req.dest_port, 2)) != 0 || |
1485 | (r = sshbuf_get(input, &s4_req.dest_addr, 4)) != 0) { |
1486 | debug_r(r, "channels %d: decode socks4", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1486 , 0, SYSLOG_LEVEL_DEBUG1, ssh_err(r), "channels %d: decode socks4" , c->self); |
1487 | return -1; |
1488 | } |
1489 | have = sshbuf_len(input); |
1490 | p = sshbuf_ptr(input); |
1491 | if (memchr(p, '\0', have) == NULL((void *)0)) { |
1492 | error("channel %d: decode socks4: unterminated user", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1492 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: decode socks4: unterminated user" , c->self); |
1493 | return -1; |
1494 | } |
1495 | len = strlen(p); |
1496 | debug2("channel %d: decode socks4: user %s/%d", c->self, p, len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1496 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: decode socks4: user %s/%d" , c->self, p, len); |
1497 | len++; /* trailing '\0' */ |
1498 | strlcpy(username, p, sizeof(username)); |
1499 | if ((r = sshbuf_consume(input, len)) != 0) |
1500 | fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1500 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self); |
1501 | free(c->path); |
1502 | c->path = NULL((void *)0); |
1503 | if (need == 1) { /* SOCKS4: one string */ |
1504 | host = inet_ntoa(s4_req.dest_addr); |
1505 | c->path = xstrdup(host); |
1506 | } else { /* SOCKS4A: two strings */ |
1507 | have = sshbuf_len(input); |
1508 | p = sshbuf_ptr(input); |
1509 | if (memchr(p, '\0', have) == NULL((void *)0)) { |
1510 | error("channel %d: decode socks4a: host not nul "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1511 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: decode socks4a: host not nul " "terminated", c->self) |
1511 | "terminated", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1511 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: decode socks4a: host not nul " "terminated", c->self); |
1512 | return -1; |
1513 | } |
1514 | len = strlen(p); |
1515 | debug2("channel %d: decode socks4a: host %s/%d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1516 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: decode socks4a: host %s/%d" , c->self, p, len) |
1516 | c->self, p, len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1516 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: decode socks4a: host %s/%d" , c->self, p, len); |
1517 | len++; /* trailing '\0' */ |
1518 | if (len > NI_MAXHOST256) { |
1519 | error("channel %d: hostname \"%.100s\" too long",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1520 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: hostname \"%.100s\" too long" , c->self, p) |
1520 | c->self, p)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1520 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: hostname \"%.100s\" too long" , c->self, p); |
1521 | return -1; |
1522 | } |
1523 | c->path = xstrdup(p); |
1524 | if ((r = sshbuf_consume(input, len)) != 0) |
1525 | fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1525 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self); |
1526 | } |
1527 | c->host_port = ntohs(s4_req.dest_port)(__uint16_t)(__builtin_constant_p(s4_req.dest_port) ? (__uint16_t )(((__uint16_t)(s4_req.dest_port) & 0xffU) << 8 | ( (__uint16_t)(s4_req.dest_port) & 0xff00U) >> 8) : __swap16md (s4_req.dest_port)); |
1528 | |
1529 | debug2("channel %d: dynamic request: socks4 host %s port %u command %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1530 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: dynamic request: socks4 host %s port %u command %u" , c->self, c->path, c->host_port, s4_req.command) |
1530 | c->self, c->path, c->host_port, s4_req.command)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1530 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: dynamic request: socks4 host %s port %u command %u" , c->self, c->path, c->host_port, s4_req.command); |
1531 | |
1532 | if (s4_req.command != 1) { |
1533 | debug("channel %d: cannot handle: %s cn %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1534 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: cannot handle: %s cn %d" , c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command ) |
1534 | c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1534 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: cannot handle: %s cn %d" , c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command ); |
1535 | return -1; |
1536 | } |
1537 | s4_rsp.version = 0; /* vn: 0 for reply */ |
1538 | s4_rsp.command = 90; /* cd: req granted */ |
1539 | s4_rsp.dest_port = 0; /* ignored */ |
1540 | s4_rsp.dest_addr.s_addr = INADDR_ANY((u_int32_t)(0x00000000)); /* ignored */ |
1541 | if ((r = sshbuf_put(output, &s4_rsp, sizeof(s4_rsp))) != 0) |
1542 | fatal_fr(r, "channel %d: append reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1542 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: append reply" , c->self); |
1543 | return 1; |
1544 | } |
1545 | |
1546 | /* try to decode a socks5 header */ |
1547 | #define SSH_SOCKS5_AUTHDONE0x1000 0x1000 |
1548 | #define SSH_SOCKS5_NOAUTH0x00 0x00 |
1549 | #define SSH_SOCKS5_IPV40x01 0x01 |
1550 | #define SSH_SOCKS5_DOMAIN0x03 0x03 |
1551 | #define SSH_SOCKS5_IPV60x04 0x04 |
1552 | #define SSH_SOCKS5_CONNECT0x01 0x01 |
1553 | #define SSH_SOCKS5_SUCCESS0x00 0x00 |
1554 | |
1555 | static int |
1556 | channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output) |
1557 | { |
1558 | /* XXX use get/put_u8 instead of trusting struct padding */ |
1559 | struct { |
1560 | u_int8_t version; |
1561 | u_int8_t command; |
1562 | u_int8_t reserved; |
1563 | u_int8_t atyp; |
1564 | } s5_req, s5_rsp; |
1565 | u_int16_t dest_port; |
1566 | char dest_addr[255+1], ntop[INET6_ADDRSTRLEN46]; |
1567 | const u_char *p; |
1568 | u_int have, need, i, found, nmethods, addrlen, af; |
1569 | int r; |
1570 | |
1571 | debug2("channel %d: decode socks5", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1571 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: decode socks5" , c->self); |
1572 | p = sshbuf_ptr(input); |
1573 | if (p[0] != 0x05) |
1574 | return -1; |
1575 | have = sshbuf_len(input); |
1576 | if (!(c->flags & SSH_SOCKS5_AUTHDONE0x1000)) { |
1577 | /* format: ver | nmethods | methods */ |
1578 | if (have < 2) |
1579 | return 0; |
1580 | nmethods = p[1]; |
1581 | if (have < nmethods + 2) |
1582 | return 0; |
1583 | /* look for method: "NO AUTHENTICATION REQUIRED" */ |
1584 | for (found = 0, i = 2; i < nmethods + 2; i++) { |
1585 | if (p[i] == SSH_SOCKS5_NOAUTH0x00) { |
1586 | found = 1; |
1587 | break; |
1588 | } |
1589 | } |
1590 | if (!found) { |
1591 | debug("channel %d: method SSH_SOCKS5_NOAUTH not found",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1592 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: method SSH_SOCKS5_NOAUTH not found" , c->self) |
1592 | c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1592 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: method SSH_SOCKS5_NOAUTH not found" , c->self); |
1593 | return -1; |
1594 | } |
1595 | if ((r = sshbuf_consume(input, nmethods + 2)) != 0) |
1596 | fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1596 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self); |
1597 | /* version, method */ |
1598 | if ((r = sshbuf_put_u8(output, 0x05)) != 0 || |
1599 | (r = sshbuf_put_u8(output, SSH_SOCKS5_NOAUTH0x00)) != 0) |
1600 | fatal_fr(r, "channel %d: append reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1600 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: append reply" , c->self); |
1601 | c->flags |= SSH_SOCKS5_AUTHDONE0x1000; |
1602 | debug2("channel %d: socks5 auth done", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1602 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: socks5 auth done" , c->self); |
1603 | return 0; /* need more */ |
1604 | } |
1605 | debug2("channel %d: socks5 post auth", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1605 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: socks5 post auth" , c->self); |
1606 | if (have < sizeof(s5_req)+1) |
1607 | return 0; /* need more */ |
1608 | memcpy(&s5_req, p, sizeof(s5_req)); |
1609 | if (s5_req.version != 0x05 || |
1610 | s5_req.command != SSH_SOCKS5_CONNECT0x01 || |
1611 | s5_req.reserved != 0x00) { |
1612 | debug2("channel %d: only socks5 connect supported", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1612 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: only socks5 connect supported" , c->self); |
1613 | return -1; |
1614 | } |
1615 | switch (s5_req.atyp){ |
1616 | case SSH_SOCKS5_IPV40x01: |
1617 | addrlen = 4; |
1618 | af = AF_INET2; |
1619 | break; |
1620 | case SSH_SOCKS5_DOMAIN0x03: |
1621 | addrlen = p[sizeof(s5_req)]; |
1622 | af = -1; |
1623 | break; |
1624 | case SSH_SOCKS5_IPV60x04: |
1625 | addrlen = 16; |
1626 | af = AF_INET624; |
1627 | break; |
1628 | default: |
1629 | debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1629 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: bad socks5 atyp %d" , c->self, s5_req.atyp); |
1630 | return -1; |
1631 | } |
1632 | need = sizeof(s5_req) + addrlen + 2; |
1633 | if (s5_req.atyp == SSH_SOCKS5_DOMAIN0x03) |
1634 | need++; |
1635 | if (have < need) |
1636 | return 0; |
1637 | if ((r = sshbuf_consume(input, sizeof(s5_req))) != 0) |
1638 | fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1638 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self); |
1639 | if (s5_req.atyp == SSH_SOCKS5_DOMAIN0x03) { |
1640 | /* host string length */ |
1641 | if ((r = sshbuf_consume(input, 1)) != 0) |
1642 | fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1642 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self); |
1643 | } |
1644 | if ((r = sshbuf_get(input, &dest_addr, addrlen)) != 0 || |
1645 | (r = sshbuf_get(input, &dest_port, 2)) != 0) { |
1646 | debug_r(r, "channel %d: parse addr/port", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1646 , 0, SYSLOG_LEVEL_DEBUG1, ssh_err(r), "channel %d: parse addr/port" , c->self); |
1647 | return -1; |
1648 | } |
1649 | dest_addr[addrlen] = '\0'; |
1650 | free(c->path); |
1651 | c->path = NULL((void *)0); |
1652 | if (s5_req.atyp == SSH_SOCKS5_DOMAIN0x03) { |
1653 | if (addrlen >= NI_MAXHOST256) { |
1654 | error("channel %d: dynamic request: socks5 hostname "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1655 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: dynamic request: socks5 hostname " "\"%.100s\" too long", c->self, dest_addr) |
1655 | "\"%.100s\" too long", c->self, dest_addr)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1655 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "channel %d: dynamic request: socks5 hostname " "\"%.100s\" too long", c->self, dest_addr); |
1656 | return -1; |
1657 | } |
1658 | c->path = xstrdup(dest_addr); |
1659 | } else { |
1660 | if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL((void *)0)) |
1661 | return -1; |
1662 | c->path = xstrdup(ntop); |
1663 | } |
1664 | c->host_port = ntohs(dest_port)(__uint16_t)(__builtin_constant_p(dest_port) ? (__uint16_t)(( (__uint16_t)(dest_port) & 0xffU) << 8 | ((__uint16_t )(dest_port) & 0xff00U) >> 8) : __swap16md(dest_port )); |
1665 | |
1666 | debug2("channel %d: dynamic request: socks5 host %s port %u command %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1667 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: dynamic request: socks5 host %s port %u command %u" , c->self, c->path, c->host_port, s5_req.command) |
1667 | c->self, c->path, c->host_port, s5_req.command)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1667 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: dynamic request: socks5 host %s port %u command %u" , c->self, c->path, c->host_port, s5_req.command); |
1668 | |
1669 | s5_rsp.version = 0x05; |
1670 | s5_rsp.command = SSH_SOCKS5_SUCCESS0x00; |
1671 | s5_rsp.reserved = 0; /* ignored */ |
1672 | s5_rsp.atyp = SSH_SOCKS5_IPV40x01; |
1673 | dest_port = 0; /* ignored */ |
1674 | |
1675 | if ((r = sshbuf_put(output, &s5_rsp, sizeof(s5_rsp))) != 0 || |
1676 | (r = sshbuf_put_u32(output, ntohl(INADDR_ANY)(__uint32_t)(__builtin_constant_p(((u_int32_t)(0x00000000))) ? (__uint32_t)(((__uint32_t)(((u_int32_t)(0x00000000))) & 0xff ) << 24 | ((__uint32_t)(((u_int32_t)(0x00000000))) & 0xff00) << 8 | ((__uint32_t)(((u_int32_t)(0x00000000)) ) & 0xff0000) >> 8 | ((__uint32_t)(((u_int32_t)(0x00000000 ))) & 0xff000000) >> 24) : __swap32md(((u_int32_t)( 0x00000000)))))) != 0 || |
1677 | (r = sshbuf_put(output, &dest_port, sizeof(dest_port))) != 0) |
1678 | fatal_fr(r, "channel %d: append reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1678 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: append reply" , c->self); |
1679 | return 1; |
1680 | } |
1681 | |
1682 | Channel * |
1683 | channel_connect_stdio_fwd(struct ssh *ssh, |
1684 | const char *host_to_connect, int port_to_connect, |
1685 | int in, int out, int nonblock) |
1686 | { |
1687 | Channel *c; |
1688 | |
1689 | debug_f("%s:%d", host_to_connect, port_to_connect)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1689 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s:%d", host_to_connect , port_to_connect); |
1690 | |
1691 | c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING3, in, out, |
1692 | -1, CHAN_TCP_WINDOW_DEFAULT(64*(32*1024)), CHAN_TCP_PACKET_DEFAULT(32*1024), |
1693 | 0, "stdio-forward", nonblock); |
1694 | |
1695 | c->path = xstrdup(host_to_connect); |
1696 | c->host_port = port_to_connect; |
1697 | c->listening_port = 0; |
1698 | c->force_drain = 1; |
1699 | |
1700 | channel_register_fds(ssh, c, in, out, -1, 0, 1, 0); |
1701 | port_open_helper(ssh, c, port_to_connect == PORT_STREAMLOCAL-2 ? |
1702 | "direct-streamlocal@openssh.com" : "direct-tcpip"); |
1703 | |
1704 | return c; |
1705 | } |
1706 | |
1707 | /* dynamic port forwarding */ |
1708 | static void |
1709 | channel_pre_dynamic(struct ssh *ssh, Channel *c) |
1710 | { |
1711 | const u_char *p; |
1712 | u_int have; |
1713 | int ret; |
1714 | |
1715 | c->io_want = 0; |
1716 | have = sshbuf_len(c->input); |
1717 | debug2("channel %d: pre_dynamic: have %d", c->self, have)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1717 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: pre_dynamic: have %d" , c->self, have); |
1718 | /* sshbuf_dump(c->input, stderr); */ |
1719 | /* check if the fixed size part of the packet is in buffer. */ |
1720 | if (have < 3) { |
1721 | /* need more */ |
1722 | c->io_want |= SSH_CHAN_IO_RFD0x01; |
1723 | return; |
1724 | } |
1725 | /* try to guess the protocol */ |
1726 | p = sshbuf_ptr(c->input); |
1727 | /* XXX sshbuf_peek_u8? */ |
1728 | switch (p[0]) { |
1729 | case 0x04: |
1730 | ret = channel_decode_socks4(c, c->input, c->output); |
1731 | break; |
1732 | case 0x05: |
1733 | ret = channel_decode_socks5(c, c->input, c->output); |
1734 | break; |
1735 | default: |
1736 | ret = -1; |
1737 | break; |
1738 | } |
1739 | if (ret < 0) { |
1740 | chan_mark_dead(ssh, c); |
1741 | } else if (ret == 0) { |
1742 | debug2("channel %d: pre_dynamic: need more", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1742 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: pre_dynamic: need more" , c->self); |
1743 | /* need more */ |
1744 | c->io_want |= SSH_CHAN_IO_RFD0x01; |
1745 | if (sshbuf_len(c->output)) |
1746 | c->io_want |= SSH_CHAN_IO_WFD0x02; |
1747 | } else { |
1748 | /* switch to the next state */ |
1749 | c->type = SSH_CHANNEL_OPENING3; |
1750 | port_open_helper(ssh, c, "direct-tcpip"); |
1751 | } |
1752 | } |
1753 | |
1754 | /* simulate read-error */ |
1755 | static void |
1756 | rdynamic_close(struct ssh *ssh, Channel *c) |
1757 | { |
1758 | c->type = SSH_CHANNEL_OPEN4; |
1759 | channel_force_close(ssh, c, 0); |
1760 | } |
1761 | |
1762 | /* reverse dynamic port forwarding */ |
1763 | static void |
1764 | channel_before_prepare_io_rdynamic(struct ssh *ssh, Channel *c) |
1765 | { |
1766 | const u_char *p; |
1767 | u_int have, len; |
1768 | int r, ret; |
1769 | |
1770 | have = sshbuf_len(c->output); |
1771 | debug2("channel %d: pre_rdynamic: have %d", c->self, have)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1771 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: pre_rdynamic: have %d" , c->self, have); |
1772 | /* sshbuf_dump(c->output, stderr); */ |
1773 | /* EOF received */ |
1774 | if (c->flags & CHAN_EOF_RCVD0x08) { |
1775 | if ((r = sshbuf_consume(c->output, have)) != 0) |
1776 | fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1776 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self); |
1777 | rdynamic_close(ssh, c); |
1778 | return; |
1779 | } |
1780 | /* check if the fixed size part of the packet is in buffer. */ |
1781 | if (have < 3) |
1782 | return; |
1783 | /* try to guess the protocol */ |
1784 | p = sshbuf_ptr(c->output); |
1785 | switch (p[0]) { |
1786 | case 0x04: |
1787 | /* switch input/output for reverse forwarding */ |
1788 | ret = channel_decode_socks4(c, c->output, c->input); |
1789 | break; |
1790 | case 0x05: |
1791 | ret = channel_decode_socks5(c, c->output, c->input); |
1792 | break; |
1793 | default: |
1794 | ret = -1; |
1795 | break; |
1796 | } |
1797 | if (ret < 0) { |
1798 | rdynamic_close(ssh, c); |
1799 | } else if (ret == 0) { |
1800 | debug2("channel %d: pre_rdynamic: need more", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1800 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: pre_rdynamic: need more" , c->self); |
1801 | /* send socks request to peer */ |
1802 | len = sshbuf_len(c->input); |
1803 | if (len > 0 && len < c->remote_window) { |
1804 | if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA94)) != 0 || |
1805 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
1806 | (r = sshpkt_put_stringb(ssh, c->input)) != 0 || |
1807 | (r = sshpkt_send(ssh)) != 0) { |
1808 | fatal_fr(r, "channel %i: rdynamic", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1808 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: rdynamic", c ->self); |
1809 | } |
1810 | if ((r = sshbuf_consume(c->input, len)) != 0) |
1811 | fatal_fr(r, "channel %d: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1811 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %d: consume", c ->self); |
1812 | c->remote_window -= len; |
1813 | } |
1814 | } else if (rdynamic_connect_finish(ssh, c) < 0) { |
1815 | /* the connect failed */ |
1816 | rdynamic_close(ssh, c); |
1817 | } |
1818 | } |
1819 | |
1820 | /* This is our fake X11 server socket. */ |
1821 | static void |
1822 | channel_post_x11_listener(struct ssh *ssh, Channel *c) |
1823 | { |
1824 | Channel *nc; |
1825 | struct sockaddr_storage addr; |
1826 | int r, newsock, oerrno, remote_port; |
1827 | socklen_t addrlen; |
1828 | char buf[16384], *remote_ipaddr; |
1829 | |
1830 | if ((c->io_ready & SSH_CHAN_IO_SOCK_R0x10) == 0) |
1831 | return; |
1832 | |
1833 | debug("X11 connection requested.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1833 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "X11 connection requested." ); |
1834 | addrlen = sizeof(addr); |
1835 | newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); |
1836 | if (c->single_connection) { |
1837 | oerrno = errno(*__errno()); |
1838 | debug2("single_connection: closing X11 listener.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1838 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "single_connection: closing X11 listener." ); |
1839 | channel_close_fd(ssh, c, &c->sock); |
1840 | chan_mark_dead(ssh, c); |
1841 | errno(*__errno()) = oerrno; |
1842 | } |
1843 | if (newsock == -1) { |
1844 | if (errno(*__errno()) != EINTR4 && errno(*__errno()) != EWOULDBLOCK35 && |
1845 | errno(*__errno()) != ECONNABORTED53) |
1846 | error("accept: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1846 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "accept: %.100s", strerror ((*__errno()))); |
1847 | if (errno(*__errno()) == EMFILE24 || errno(*__errno()) == ENFILE23) |
1848 | c->notbefore = monotime() + 1; |
1849 | return; |
1850 | } |
1851 | set_nodelay(newsock); |
1852 | remote_ipaddr = get_peer_ipaddr(newsock); |
1853 | remote_port = get_peer_port(newsock); |
1854 | snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", |
1855 | remote_ipaddr, remote_port); |
1856 | |
1857 | nc = channel_new(ssh, "x11-connection", |
1858 | SSH_CHANNEL_OPENING3, newsock, newsock, -1, |
1859 | c->local_window_max, c->local_maxpacket, 0, buf, 1); |
1860 | open_preamble(ssh, __func__, nc, "x11"); |
1861 | if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 || |
1862 | (r = sshpkt_put_u32(ssh, remote_port)) != 0) { |
1863 | fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1863 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self); |
1864 | } |
1865 | if ((r = sshpkt_send(ssh)) != 0) |
1866 | fatal_fr(r, "channel %i: send", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1866 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: send", c-> self); |
1867 | free(remote_ipaddr); |
1868 | } |
1869 | |
1870 | static void |
1871 | port_open_helper(struct ssh *ssh, Channel *c, char *rtype) |
1872 | { |
1873 | char *local_ipaddr = get_local_ipaddr(c->sock); |
1874 | int local_port = c->sock == -1 ? 65536 : get_local_port(c->sock); |
1875 | char *remote_ipaddr = get_peer_ipaddr(c->sock); |
1876 | int remote_port = get_peer_port(c->sock); |
1877 | int r; |
1878 | |
1879 | if (remote_port == -1) { |
1880 | /* Fake addr/port to appease peers that validate it (Tectia) */ |
1881 | free(remote_ipaddr); |
1882 | remote_ipaddr = xstrdup("127.0.0.1"); |
1883 | remote_port = 65535; |
1884 | } |
1885 | |
1886 | free(c->remote_name); |
1887 | xasprintf(&c->remote_name, |
1888 | "%s: listening port %d for %.100s port %d, " |
1889 | "connect from %.200s port %d to %.100s port %d", |
1890 | rtype, c->listening_port, c->path, c->host_port, |
1891 | remote_ipaddr, remote_port, local_ipaddr, local_port); |
1892 | |
1893 | open_preamble(ssh, __func__, c, rtype); |
1894 | if (strcmp(rtype, "direct-tcpip") == 0) { |
1895 | /* target host, port */ |
1896 | if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 || |
1897 | (r = sshpkt_put_u32(ssh, c->host_port)) != 0) |
1898 | fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1898 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self); |
1899 | } else if (strcmp(rtype, "direct-streamlocal@openssh.com") == 0) { |
1900 | /* target path */ |
1901 | if ((r = sshpkt_put_cstring(ssh, c->path)) != 0) |
1902 | fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1902 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self); |
1903 | } else if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) { |
1904 | /* listen path */ |
1905 | if ((r = sshpkt_put_cstring(ssh, c->path)) != 0) |
1906 | fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1906 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self); |
1907 | } else { |
1908 | /* listen address, port */ |
1909 | if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 || |
1910 | (r = sshpkt_put_u32(ssh, local_port)) != 0) |
1911 | fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1911 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self); |
1912 | } |
1913 | if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) { |
1914 | /* reserved for future owner/mode info */ |
1915 | if ((r = sshpkt_put_cstring(ssh, "")) != 0) |
1916 | fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1916 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self); |
1917 | } else { |
1918 | /* originator host and port */ |
1919 | if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 || |
1920 | (r = sshpkt_put_u32(ssh, (u_int)remote_port)) != 0) |
1921 | fatal_fr(r, "channel %i: reply", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1921 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: reply", c-> self); |
1922 | } |
1923 | if ((r = sshpkt_send(ssh)) != 0) |
1924 | fatal_fr(r, "channel %i: send", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1924 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: send", c-> self); |
1925 | free(remote_ipaddr); |
1926 | free(local_ipaddr); |
1927 | } |
1928 | |
1929 | void |
1930 | channel_set_x11_refuse_time(struct ssh *ssh, time_t refuse_time) |
1931 | { |
1932 | ssh->chanctxt->x11_refuse_time = refuse_time; |
1933 | } |
1934 | |
1935 | /* |
1936 | * This socket is listening for connections to a forwarded TCP/IP port. |
1937 | */ |
1938 | static void |
1939 | channel_post_port_listener(struct ssh *ssh, Channel *c) |
1940 | { |
1941 | Channel *nc; |
1942 | struct sockaddr_storage addr; |
1943 | int newsock, nextstate; |
1944 | socklen_t addrlen; |
1945 | char *rtype; |
1946 | |
1947 | if ((c->io_ready & SSH_CHAN_IO_SOCK_R0x10) == 0) |
1948 | return; |
1949 | |
1950 | debug("Connection to port %d forwarding to %.100s port %d requested.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1951 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Connection to port %d forwarding to %.100s port %d requested." , c->listening_port, c->path, c->host_port) |
1951 | c->listening_port, c->path, c->host_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1951 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Connection to port %d forwarding to %.100s port %d requested." , c->listening_port, c->path, c->host_port); |
1952 | |
1953 | if (c->type == SSH_CHANNEL_RPORT_LISTENER11) { |
1954 | nextstate = SSH_CHANNEL_OPENING3; |
1955 | rtype = "forwarded-tcpip"; |
1956 | } else if (c->type == SSH_CHANNEL_RUNIX_LISTENER19) { |
1957 | nextstate = SSH_CHANNEL_OPENING3; |
1958 | rtype = "forwarded-streamlocal@openssh.com"; |
1959 | } else if (c->host_port == PORT_STREAMLOCAL-2) { |
1960 | nextstate = SSH_CHANNEL_OPENING3; |
1961 | rtype = "direct-streamlocal@openssh.com"; |
1962 | } else if (c->host_port == 0) { |
1963 | nextstate = SSH_CHANNEL_DYNAMIC13; |
1964 | rtype = "dynamic-tcpip"; |
1965 | } else { |
1966 | nextstate = SSH_CHANNEL_OPENING3; |
1967 | rtype = "direct-tcpip"; |
1968 | } |
1969 | |
1970 | addrlen = sizeof(addr); |
1971 | newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); |
1972 | if (newsock == -1) { |
1973 | if (errno(*__errno()) != EINTR4 && errno(*__errno()) != EWOULDBLOCK35 && |
1974 | errno(*__errno()) != ECONNABORTED53) |
1975 | error("accept: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 1975 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "accept: %.100s", strerror ((*__errno()))); |
1976 | if (errno(*__errno()) == EMFILE24 || errno(*__errno()) == ENFILE23) |
1977 | c->notbefore = monotime() + 1; |
1978 | return; |
1979 | } |
1980 | if (c->host_port != PORT_STREAMLOCAL-2) |
1981 | set_nodelay(newsock); |
1982 | nc = channel_new(ssh, rtype, nextstate, newsock, newsock, -1, |
1983 | c->local_window_max, c->local_maxpacket, 0, rtype, 1); |
1984 | nc->listening_port = c->listening_port; |
1985 | nc->host_port = c->host_port; |
1986 | if (c->path != NULL((void *)0)) |
1987 | nc->path = xstrdup(c->path); |
1988 | |
1989 | if (nextstate != SSH_CHANNEL_DYNAMIC13) |
1990 | port_open_helper(ssh, nc, rtype); |
1991 | } |
1992 | |
1993 | /* |
1994 | * This is the authentication agent socket listening for connections from |
1995 | * clients. |
1996 | */ |
1997 | static void |
1998 | channel_post_auth_listener(struct ssh *ssh, Channel *c) |
1999 | { |
2000 | Channel *nc; |
2001 | int r, newsock; |
2002 | struct sockaddr_storage addr; |
2003 | socklen_t addrlen; |
2004 | |
2005 | if ((c->io_ready & SSH_CHAN_IO_SOCK_R0x10) == 0) |
2006 | return; |
2007 | |
2008 | addrlen = sizeof(addr); |
2009 | newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); |
2010 | if (newsock == -1) { |
2011 | error("accept from auth socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2011 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "accept from auth socket: %.100s" , strerror((*__errno()))); |
2012 | if (errno(*__errno()) == EMFILE24 || errno(*__errno()) == ENFILE23) |
2013 | c->notbefore = monotime() + 1; |
2014 | return; |
2015 | } |
2016 | nc = channel_new(ssh, "agent-connection", |
2017 | SSH_CHANNEL_OPENING3, newsock, newsock, -1, |
2018 | c->local_window_max, c->local_maxpacket, |
2019 | 0, "accepted auth socket", 1); |
2020 | open_preamble(ssh, __func__, nc, "auth-agent@openssh.com"); |
2021 | if ((r = sshpkt_send(ssh)) != 0) |
2022 | fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2022 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self ); |
2023 | } |
2024 | |
2025 | static void |
2026 | channel_post_connecting(struct ssh *ssh, Channel *c) |
2027 | { |
2028 | int err = 0, sock, isopen, r; |
2029 | socklen_t sz = sizeof(err); |
2030 | |
2031 | if ((c->io_ready & SSH_CHAN_IO_SOCK_W0x20) == 0) |
2032 | return; |
2033 | if (!c->have_remote_id) |
2034 | fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2034 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self); |
2035 | /* for rdynamic the OPEN_CONFIRMATION has been sent already */ |
2036 | isopen = (c->type == SSH_CHANNEL_RDYNAMIC_FINISH22); |
2037 | |
2038 | if (getsockopt(c->sock, SOL_SOCKET0xffff, SO_ERROR0x1007, &err, &sz) == -1) { |
2039 | err = errno(*__errno()); |
2040 | error("getsockopt SO_ERROR failed")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2040 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "getsockopt SO_ERROR failed" ); |
2041 | } |
2042 | |
2043 | if (err == 0) { |
2044 | /* Non-blocking connection completed */ |
2045 | debug("channel %d: connected to %s port %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2046 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: connected to %s port %d" , c->self, c->connect_ctx.host, c->connect_ctx.port) |
2046 | c->self, c->connect_ctx.host, c->connect_ctx.port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2046 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: connected to %s port %d" , c->self, c->connect_ctx.host, c->connect_ctx.port); |
2047 | channel_connect_ctx_free(&c->connect_ctx); |
2048 | c->type = SSH_CHANNEL_OPEN4; |
2049 | channel_set_used_time(ssh, c); |
2050 | if (isopen) { |
2051 | /* no message necessary */ |
2052 | } else { |
2053 | if ((r = sshpkt_start(ssh, |
2054 | SSH2_MSG_CHANNEL_OPEN_CONFIRMATION91)) != 0 || |
2055 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
2056 | (r = sshpkt_put_u32(ssh, c->self)) != 0 || |
2057 | (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || |
2058 | (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0 || |
2059 | (r = sshpkt_send(ssh)) != 0) |
2060 | fatal_fr(r, "channel %i open confirm", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2060 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i open confirm" , c->self); |
2061 | } |
2062 | return; |
2063 | } |
2064 | if (err == EINTR4 || err == EAGAIN35 || err == EINPROGRESS36) |
2065 | return; |
2066 | |
2067 | /* Non-blocking connection failed */ |
2068 | debug("channel %d: connection failed: %s", c->self, strerror(err))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2068 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: connection failed: %s" , c->self, strerror(err)); |
2069 | |
2070 | /* Try next address, if any */ |
2071 | if ((sock = connect_next(&c->connect_ctx)) == -1) { |
2072 | /* Exhausted all addresses for this destination */ |
2073 | error("connect_to %.100s port %d: failed.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2074 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect_to %.100s port %d: failed." , c->connect_ctx.host, c->connect_ctx.port) |
2074 | c->connect_ctx.host, c->connect_ctx.port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2074 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect_to %.100s port %d: failed." , c->connect_ctx.host, c->connect_ctx.port); |
2075 | channel_connect_ctx_free(&c->connect_ctx); |
2076 | if (isopen) { |
2077 | rdynamic_close(ssh, c); |
2078 | } else { |
2079 | if ((r = sshpkt_start(ssh, |
2080 | SSH2_MSG_CHANNEL_OPEN_FAILURE92)) != 0 || |
2081 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
2082 | (r = sshpkt_put_u32(ssh, |
2083 | SSH2_OPEN_CONNECT_FAILED2)) != 0 || |
2084 | (r = sshpkt_put_cstring(ssh, strerror(err))) != 0 || |
2085 | (r = sshpkt_put_cstring(ssh, "")) != 0 || |
2086 | (r = sshpkt_send(ssh)) != 0) |
2087 | fatal_fr(r, "channel %i: failure", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2087 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: failure", c ->self); |
2088 | chan_mark_dead(ssh, c); |
2089 | } |
2090 | } |
2091 | |
2092 | /* New non-blocking connection in progress */ |
2093 | close(c->sock); |
2094 | c->sock = c->rfd = c->wfd = sock; |
2095 | } |
2096 | |
2097 | static int |
2098 | channel_handle_rfd(struct ssh *ssh, Channel *c) |
2099 | { |
2100 | char buf[CHAN_RBUF(16*1024)]; |
2101 | ssize_t len; |
2102 | int r; |
2103 | size_t nr = 0, have, avail, maxlen = CHANNEL_MAX_READ(32*1024); |
2104 | |
2105 | if ((c->io_ready & SSH_CHAN_IO_RFD0x01) == 0) |
2106 | return 1; /* Shouldn't happen */ |
2107 | if ((avail = sshbuf_avail(c->input)) == 0) |
2108 | return 1; /* Shouldn't happen */ |
2109 | |
2110 | /* |
2111 | * For "simple" channels (i.e. not datagram or filtered), we can |
2112 | * read directly to the channel buffer. |
2113 | */ |
2114 | if (c->input_filter == NULL((void *)0) && !c->datagram) { |
2115 | /* Only OPEN channels have valid rwin */ |
2116 | if (c->type == SSH_CHANNEL_OPEN4) { |
2117 | if ((have = sshbuf_len(c->input)) >= c->remote_window) |
2118 | return 1; /* shouldn't happen */ |
2119 | if (maxlen > c->remote_window - have) |
2120 | maxlen = c->remote_window - have; |
2121 | } |
2122 | if (maxlen > avail) |
2123 | maxlen = avail; |
2124 | if ((r = sshbuf_read(c->rfd, c->input, maxlen, &nr)) != 0) { |
2125 | if (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35) |
2126 | return 1; |
2127 | debug2("channel %d: read failed rfd %d maxlen %zu: %s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2128 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: read failed rfd %d maxlen %zu: %s" , c->self, c->rfd, maxlen, ssh_err(r)) |
2128 | c->self, c->rfd, maxlen, ssh_err(r))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2128 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: read failed rfd %d maxlen %zu: %s" , c->self, c->rfd, maxlen, ssh_err(r)); |
2129 | goto rfail; |
2130 | } |
2131 | if (nr != 0) |
2132 | channel_set_used_time(ssh, c); |
2133 | return 1; |
2134 | } |
2135 | |
2136 | len = read(c->rfd, buf, sizeof(buf)); |
2137 | if (len == -1 && (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35)) |
2138 | return 1; |
2139 | if (len <= 0) { |
2140 | debug2("channel %d: read<=0 rfd %d len %zd: %s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2142 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: read<=0 rfd %d len %zd: %s" , c->self, c->rfd, len, len == 0 ? "closed" : strerror( (*__errno()))) |
2141 | c->self, c->rfd, len,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2142 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: read<=0 rfd %d len %zd: %s" , c->self, c->rfd, len, len == 0 ? "closed" : strerror( (*__errno()))) |
2142 | len == 0 ? "closed" : strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2142 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: read<=0 rfd %d len %zd: %s" , c->self, c->rfd, len, len == 0 ? "closed" : strerror( (*__errno()))); |
2143 | rfail: |
2144 | if (c->type != SSH_CHANNEL_OPEN4) { |
2145 | debug2("channel %d: not open", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2145 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: not open" , c->self); |
2146 | chan_mark_dead(ssh, c); |
2147 | return -1; |
2148 | } else { |
2149 | chan_read_failed(ssh, c); |
2150 | } |
2151 | return -1; |
2152 | } |
2153 | channel_set_used_time(ssh, c); |
2154 | if (c->input_filter != NULL((void *)0)) { |
2155 | if (c->input_filter(ssh, c, buf, len) == -1) { |
2156 | debug2("channel %d: filter stops", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2156 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: filter stops" , c->self); |
2157 | chan_read_failed(ssh, c); |
2158 | } |
2159 | } else if (c->datagram) { |
2160 | if ((r = sshbuf_put_string(c->input, buf, len)) != 0) |
2161 | fatal_fr(r, "channel %i: put datagram", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2161 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: put datagram" , c->self); |
2162 | } |
2163 | return 1; |
2164 | } |
2165 | |
2166 | static int |
2167 | channel_handle_wfd(struct ssh *ssh, Channel *c) |
2168 | { |
2169 | struct termios tio; |
2170 | u_char *data = NULL((void *)0), *buf; /* XXX const; need filter API change */ |
2171 | size_t dlen, olen = 0; |
2172 | int r, len; |
2173 | |
2174 | if ((c->io_ready & SSH_CHAN_IO_WFD0x02) == 0) |
2175 | return 1; |
2176 | if (sshbuf_len(c->output) == 0) |
2177 | return 1; |
2178 | |
2179 | /* Send buffered output data to the socket. */ |
2180 | olen = sshbuf_len(c->output); |
2181 | if (c->output_filter != NULL((void *)0)) { |
2182 | if ((buf = c->output_filter(ssh, c, &data, &dlen)) == NULL((void *)0)) { |
2183 | debug2("channel %d: filter stops", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2183 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: filter stops" , c->self); |
2184 | if (c->type != SSH_CHANNEL_OPEN4) |
2185 | chan_mark_dead(ssh, c); |
2186 | else |
2187 | chan_write_failed(ssh, c); |
2188 | return -1; |
2189 | } |
2190 | } else if (c->datagram) { |
2191 | if ((r = sshbuf_get_string(c->output, &data, &dlen)) != 0) |
2192 | fatal_fr(r, "channel %i: get datagram", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2192 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: get datagram" , c->self); |
2193 | buf = data; |
2194 | } else { |
2195 | buf = data = sshbuf_mutable_ptr(c->output); |
2196 | dlen = sshbuf_len(c->output); |
2197 | } |
2198 | |
2199 | if (c->datagram) { |
2200 | /* ignore truncated writes, datagrams might get lost */ |
2201 | len = write(c->wfd, buf, dlen); |
2202 | free(data); |
2203 | if (len == -1 && (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35)) |
2204 | return 1; |
2205 | if (len <= 0) |
2206 | goto write_fail; |
2207 | goto out; |
2208 | } |
2209 | |
2210 | len = write(c->wfd, buf, dlen); |
2211 | if (len == -1 && (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35)) |
2212 | return 1; |
2213 | if (len <= 0) { |
2214 | write_fail: |
2215 | if (c->type != SSH_CHANNEL_OPEN4) { |
2216 | debug2("channel %d: not open", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2216 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: not open" , c->self); |
2217 | chan_mark_dead(ssh, c); |
2218 | return -1; |
2219 | } else { |
2220 | chan_write_failed(ssh, c); |
2221 | } |
2222 | return -1; |
2223 | } |
2224 | channel_set_used_time(ssh, c); |
2225 | if (c->isatty && dlen >= 1 && buf[0] != '\r') { |
2226 | if (tcgetattr(c->wfd, &tio) == 0 && |
2227 | !(tio.c_lflag & ECHO0x00000008) && (tio.c_lflag & ICANON0x00000100)) { |
2228 | /* |
2229 | * Simulate echo to reduce the impact of |
2230 | * traffic analysis. We need to match the |
2231 | * size of a SSH2_MSG_CHANNEL_DATA message |
2232 | * (4 byte channel id + buf) |
2233 | */ |
2234 | if ((r = sshpkt_msg_ignore(ssh, 4+len)) != 0 || |
2235 | (r = sshpkt_send(ssh)) != 0) |
2236 | fatal_fr(r, "channel %i: ignore", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2236 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: ignore", c-> self); |
2237 | } |
2238 | } |
2239 | if ((r = sshbuf_consume(c->output, len)) != 0) |
2240 | fatal_fr(r, "channel %i: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2240 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: consume", c ->self); |
2241 | out: |
2242 | c->local_consumed += olen - sshbuf_len(c->output); |
2243 | |
2244 | return 1; |
2245 | } |
2246 | |
2247 | static int |
2248 | channel_handle_efd_write(struct ssh *ssh, Channel *c) |
2249 | { |
2250 | int r; |
2251 | ssize_t len; |
2252 | |
2253 | if ((c->io_ready & SSH_CHAN_IO_EFD_W0x08) == 0) |
2254 | return 1; |
2255 | if (sshbuf_len(c->extended) == 0) |
2256 | return 1; |
2257 | |
2258 | len = write(c->efd, sshbuf_ptr(c->extended), |
2259 | sshbuf_len(c->extended)); |
2260 | debug2("channel %d: written %zd to efd %d", c->self, len, c->efd)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2260 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: written %zd to efd %d" , c->self, len, c->efd); |
2261 | if (len == -1 && (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35)) |
2262 | return 1; |
2263 | if (len <= 0) { |
2264 | debug2("channel %d: closing write-efd %d", c->self, c->efd)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2264 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: closing write-efd %d" , c->self, c->efd); |
2265 | channel_close_fd(ssh, c, &c->efd); |
2266 | } else { |
2267 | if ((r = sshbuf_consume(c->extended, len)) != 0) |
2268 | fatal_fr(r, "channel %i: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2268 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: consume", c ->self); |
2269 | c->local_consumed += len; |
2270 | channel_set_used_time(ssh, c); |
2271 | } |
2272 | return 1; |
2273 | } |
2274 | |
2275 | static int |
2276 | channel_handle_efd_read(struct ssh *ssh, Channel *c) |
2277 | { |
2278 | char buf[CHAN_RBUF(16*1024)]; |
2279 | int r; |
2280 | ssize_t len; |
2281 | |
2282 | if ((c->io_ready & SSH_CHAN_IO_EFD_R0x04) == 0) |
2283 | return 1; |
2284 | |
2285 | len = read(c->efd, buf, sizeof(buf)); |
2286 | debug2("channel %d: read %zd from efd %d", c->self, len, c->efd)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2286 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: read %zd from efd %d" , c->self, len, c->efd); |
2287 | if (len == -1 && (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35)) |
2288 | return 1; |
2289 | if (len <= 0) { |
2290 | debug2("channel %d: closing read-efd %d", c->self, c->efd)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2290 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: closing read-efd %d" , c->self, c->efd); |
2291 | channel_close_fd(ssh, c, &c->efd); |
2292 | return 1; |
2293 | } |
2294 | channel_set_used_time(ssh, c); |
2295 | if (c->extended_usage == CHAN_EXTENDED_IGNORE0) |
2296 | debug3("channel %d: discard efd", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2296 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: discard efd" , c->self); |
2297 | else if ((r = sshbuf_put(c->extended, buf, len)) != 0) |
2298 | fatal_fr(r, "channel %i: append", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2298 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: append", c-> self); |
2299 | return 1; |
2300 | } |
2301 | |
2302 | static int |
2303 | channel_handle_efd(struct ssh *ssh, Channel *c) |
2304 | { |
2305 | if (c->efd == -1) |
2306 | return 1; |
2307 | |
2308 | /** XXX handle drain efd, too */ |
2309 | |
2310 | if (c->extended_usage == CHAN_EXTENDED_WRITE2) |
2311 | return channel_handle_efd_write(ssh, c); |
2312 | else if (c->extended_usage == CHAN_EXTENDED_READ1 || |
2313 | c->extended_usage == CHAN_EXTENDED_IGNORE0) |
2314 | return channel_handle_efd_read(ssh, c); |
2315 | |
2316 | return 1; |
2317 | } |
2318 | |
2319 | static int |
2320 | channel_check_window(struct ssh *ssh, Channel *c) |
2321 | { |
2322 | int r; |
2323 | |
2324 | if (c->type == SSH_CHANNEL_OPEN4 && |
2325 | !(c->flags & (CHAN_CLOSE_SENT0x01|CHAN_CLOSE_RCVD0x02)) && |
2326 | ((c->local_window_max - c->local_window > |
2327 | c->local_maxpacket*3) || |
2328 | c->local_window < c->local_window_max/2) && |
2329 | c->local_consumed > 0) { |
2330 | if (!c->have_remote_id) |
2331 | fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2331 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self); |
2332 | if ((r = sshpkt_start(ssh, |
2333 | SSH2_MSG_CHANNEL_WINDOW_ADJUST93)) != 0 || |
2334 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
2335 | (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || |
2336 | (r = sshpkt_send(ssh)) != 0) { |
2337 | fatal_fr(r, "channel %i", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2337 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i", c->self ); |
2338 | } |
2339 | debug2("channel %d: window %d sent adjust %d", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2340 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: window %d sent adjust %d" , c->self, c->local_window, c->local_consumed) |
2340 | c->local_window, c->local_consumed)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2340 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: window %d sent adjust %d" , c->self, c->local_window, c->local_consumed); |
2341 | c->local_window += c->local_consumed; |
2342 | c->local_consumed = 0; |
2343 | } |
2344 | return 1; |
2345 | } |
2346 | |
2347 | static void |
2348 | channel_post_open(struct ssh *ssh, Channel *c) |
2349 | { |
2350 | channel_handle_rfd(ssh, c); |
2351 | channel_handle_wfd(ssh, c); |
2352 | channel_handle_efd(ssh, c); |
2353 | channel_check_window(ssh, c); |
2354 | } |
2355 | |
2356 | static u_int |
2357 | read_mux(struct ssh *ssh, Channel *c, u_int need) |
2358 | { |
2359 | char buf[CHAN_RBUF(16*1024)]; |
2360 | ssize_t len; |
2361 | u_int rlen; |
2362 | int r; |
2363 | |
2364 | if (sshbuf_len(c->input) < need) { |
2365 | rlen = need - sshbuf_len(c->input); |
2366 | len = read(c->rfd, buf, MINIMUM(rlen, CHAN_RBUF)(((rlen) < ((16*1024))) ? (rlen) : ((16*1024)))); |
2367 | if (len == -1 && (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35)) |
2368 | return sshbuf_len(c->input); |
2369 | if (len <= 0) { |
2370 | debug2("channel %d: ctl read<=0 rfd %d len %zd",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2371 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: ctl read<=0 rfd %d len %zd" , c->self, c->rfd, len) |
2371 | c->self, c->rfd, len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2371 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: ctl read<=0 rfd %d len %zd" , c->self, c->rfd, len); |
2372 | chan_read_failed(ssh, c); |
2373 | return 0; |
2374 | } else if ((r = sshbuf_put(c->input, buf, len)) != 0) |
2375 | fatal_fr(r, "channel %i: append", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2375 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: append", c-> self); |
2376 | } |
2377 | return sshbuf_len(c->input); |
2378 | } |
2379 | |
2380 | static void |
2381 | channel_post_mux_client_read(struct ssh *ssh, Channel *c) |
2382 | { |
2383 | u_int need; |
2384 | |
2385 | if ((c->io_ready & SSH_CHAN_IO_RFD0x01) == 0) |
2386 | return; |
2387 | if (c->istate != CHAN_INPUT_OPEN0 && c->istate != CHAN_INPUT_WAIT_DRAIN1) |
2388 | return; |
2389 | if (c->mux_pause) |
2390 | return; |
2391 | |
2392 | /* |
2393 | * Don't not read past the precise end of packets to |
2394 | * avoid disrupting fd passing. |
2395 | */ |
2396 | if (read_mux(ssh, c, 4) < 4) /* read header */ |
2397 | return; |
2398 | /* XXX sshbuf_peek_u32 */ |
2399 | need = PEEK_U32(sshbuf_ptr(c->input))(((u_int32_t)(((const u_char *)(sshbuf_ptr(c->input)))[0]) << 24) | ((u_int32_t)(((const u_char *)(sshbuf_ptr(c-> input)))[1]) << 16) | ((u_int32_t)(((const u_char *)(sshbuf_ptr (c->input)))[2]) << 8) | (u_int32_t)(((const u_char * )(sshbuf_ptr(c->input)))[3])); |
2400 | #define CHANNEL_MUX_MAX_PACKET(256 * 1024) (256 * 1024) |
2401 | if (need > CHANNEL_MUX_MAX_PACKET(256 * 1024)) { |
2402 | debug2("channel %d: packet too big %u > %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2403 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: packet too big %u > %u" , c->self, (256 * 1024), need) |
2403 | c->self, CHANNEL_MUX_MAX_PACKET, need)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2403 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: packet too big %u > %u" , c->self, (256 * 1024), need); |
2404 | chan_rcvd_oclose(ssh, c); |
2405 | return; |
2406 | } |
2407 | if (read_mux(ssh, c, need + 4) < need + 4) /* read body */ |
2408 | return; |
2409 | if (c->mux_rcb(ssh, c) != 0) { |
2410 | debug("channel %d: mux_rcb failed", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2410 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: mux_rcb failed" , c->self); |
2411 | chan_mark_dead(ssh, c); |
2412 | return; |
2413 | } |
2414 | } |
2415 | |
2416 | static void |
2417 | channel_post_mux_client_write(struct ssh *ssh, Channel *c) |
2418 | { |
2419 | ssize_t len; |
2420 | int r; |
2421 | |
2422 | if ((c->io_ready & SSH_CHAN_IO_WFD0x02) == 0) |
2423 | return; |
2424 | if (sshbuf_len(c->output) == 0) |
2425 | return; |
2426 | |
2427 | len = write(c->wfd, sshbuf_ptr(c->output), sshbuf_len(c->output)); |
2428 | if (len == -1 && (errno(*__errno()) == EINTR4 || errno(*__errno()) == EAGAIN35)) |
2429 | return; |
2430 | if (len <= 0) { |
2431 | chan_mark_dead(ssh, c); |
2432 | return; |
2433 | } |
2434 | if ((r = sshbuf_consume(c->output, len)) != 0) |
2435 | fatal_fr(r, "channel %i: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2435 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: consume", c ->self); |
2436 | } |
2437 | |
2438 | static void |
2439 | channel_post_mux_client(struct ssh *ssh, Channel *c) |
2440 | { |
2441 | channel_post_mux_client_read(ssh, c); |
2442 | channel_post_mux_client_write(ssh, c); |
2443 | } |
2444 | |
2445 | static void |
2446 | channel_post_mux_listener(struct ssh *ssh, Channel *c) |
2447 | { |
2448 | Channel *nc; |
2449 | struct sockaddr_storage addr; |
2450 | socklen_t addrlen; |
2451 | int newsock; |
2452 | uid_t euid; |
2453 | gid_t egid; |
2454 | |
2455 | if ((c->io_ready & SSH_CHAN_IO_SOCK_R0x10) == 0) |
2456 | return; |
2457 | |
2458 | debug("multiplexing control connection")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2458 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "multiplexing control connection" ); |
2459 | |
2460 | /* |
2461 | * Accept connection on control socket |
2462 | */ |
2463 | memset(&addr, 0, sizeof(addr)); |
2464 | addrlen = sizeof(addr); |
2465 | if ((newsock = accept(c->sock, (struct sockaddr*)&addr, |
2466 | &addrlen)) == -1) { |
2467 | error_f("accept: %s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2467 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "accept: %s", strerror( (*__errno()))); |
2468 | if (errno(*__errno()) == EMFILE24 || errno(*__errno()) == ENFILE23) |
2469 | c->notbefore = monotime() + 1; |
2470 | return; |
2471 | } |
2472 | |
2473 | if (getpeereid(newsock, &euid, &egid) == -1) { |
2474 | error_f("getpeereid failed: %s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2474 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "getpeereid failed: %s" , strerror((*__errno()))); |
2475 | close(newsock); |
2476 | return; |
2477 | } |
2478 | if ((euid != 0) && (getuid() != euid)) { |
2479 | error("multiplex uid mismatch: peer euid %u != uid %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2480 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "multiplex uid mismatch: peer euid %u != uid %u" , (u_int)euid, (u_int)getuid()) |
2480 | (u_int)euid, (u_int)getuid())sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2480 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "multiplex uid mismatch: peer euid %u != uid %u" , (u_int)euid, (u_int)getuid()); |
2481 | close(newsock); |
2482 | return; |
2483 | } |
2484 | nc = channel_new(ssh, "mux-control", SSH_CHANNEL_MUX_CLIENT16, |
2485 | newsock, newsock, -1, c->local_window_max, |
2486 | c->local_maxpacket, 0, "mux-control", 1); |
2487 | nc->mux_rcb = c->mux_rcb; |
2488 | debug3_f("new mux channel %d fd %d", nc->self, nc->sock)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2488 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "new mux channel %d fd %d" , nc->self, nc->sock); |
2489 | /* establish state */ |
2490 | nc->mux_rcb(ssh, nc); |
2491 | /* mux state transitions must not elicit protocol messages */ |
2492 | nc->flags |= CHAN_LOCAL0x10; |
2493 | } |
2494 | |
2495 | static void |
2496 | channel_handler_init(struct ssh_channels *sc) |
2497 | { |
2498 | chan_fn **pre, **post; |
2499 | |
2500 | if ((pre = calloc(SSH_CHANNEL_MAX_TYPE23, sizeof(*pre))) == NULL((void *)0) || |
2501 | (post = calloc(SSH_CHANNEL_MAX_TYPE23, sizeof(*post))) == NULL((void *)0)) |
2502 | fatal_f("allocation failed")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2502 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "allocation failed"); |
2503 | |
2504 | pre[SSH_CHANNEL_OPEN4] = &channel_pre_open; |
2505 | pre[SSH_CHANNEL_X11_OPEN7] = &channel_pre_x11_open; |
2506 | pre[SSH_CHANNEL_PORT_LISTENER2] = &channel_pre_listener; |
2507 | pre[SSH_CHANNEL_RPORT_LISTENER11] = &channel_pre_listener; |
2508 | pre[SSH_CHANNEL_UNIX_LISTENER18] = &channel_pre_listener; |
2509 | pre[SSH_CHANNEL_RUNIX_LISTENER19] = &channel_pre_listener; |
2510 | pre[SSH_CHANNEL_X11_LISTENER1] = &channel_pre_listener; |
2511 | pre[SSH_CHANNEL_AUTH_SOCKET6] = &channel_pre_listener; |
2512 | pre[SSH_CHANNEL_CONNECTING12] = &channel_pre_connecting; |
2513 | pre[SSH_CHANNEL_DYNAMIC13] = &channel_pre_dynamic; |
2514 | pre[SSH_CHANNEL_RDYNAMIC_FINISH22] = &channel_pre_connecting; |
2515 | pre[SSH_CHANNEL_MUX_LISTENER15] = &channel_pre_listener; |
2516 | pre[SSH_CHANNEL_MUX_CLIENT16] = &channel_pre_mux_client; |
2517 | |
2518 | post[SSH_CHANNEL_OPEN4] = &channel_post_open; |
2519 | post[SSH_CHANNEL_PORT_LISTENER2] = &channel_post_port_listener; |
2520 | post[SSH_CHANNEL_RPORT_LISTENER11] = &channel_post_port_listener; |
2521 | post[SSH_CHANNEL_UNIX_LISTENER18] = &channel_post_port_listener; |
2522 | post[SSH_CHANNEL_RUNIX_LISTENER19] = &channel_post_port_listener; |
2523 | post[SSH_CHANNEL_X11_LISTENER1] = &channel_post_x11_listener; |
2524 | post[SSH_CHANNEL_AUTH_SOCKET6] = &channel_post_auth_listener; |
2525 | post[SSH_CHANNEL_CONNECTING12] = &channel_post_connecting; |
2526 | post[SSH_CHANNEL_DYNAMIC13] = &channel_post_open; |
2527 | post[SSH_CHANNEL_RDYNAMIC_FINISH22] = &channel_post_connecting; |
2528 | post[SSH_CHANNEL_MUX_LISTENER15] = &channel_post_mux_listener; |
2529 | post[SSH_CHANNEL_MUX_CLIENT16] = &channel_post_mux_client; |
2530 | |
2531 | sc->channel_pre = pre; |
2532 | sc->channel_post = post; |
2533 | } |
2534 | |
2535 | /* gc dead channels */ |
2536 | static void |
2537 | channel_garbage_collect(struct ssh *ssh, Channel *c) |
2538 | { |
2539 | if (c == NULL((void *)0)) |
2540 | return; |
2541 | if (c->detach_user != NULL((void *)0)) { |
2542 | if (!chan_is_dead(ssh, c, c->detach_close)) |
2543 | return; |
2544 | |
2545 | debug2("channel %d: gc: notify user", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2545 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: gc: notify user" , c->self); |
2546 | c->detach_user(ssh, c->self, 0, NULL((void *)0)); |
2547 | /* if we still have a callback */ |
2548 | if (c->detach_user != NULL((void *)0)) |
2549 | return; |
2550 | debug2("channel %d: gc: user detached", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2550 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: gc: user detached" , c->self); |
2551 | } |
2552 | if (!chan_is_dead(ssh, c, 1)) |
2553 | return; |
2554 | debug2("channel %d: garbage collecting", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2554 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: garbage collecting" , c->self); |
2555 | channel_free(ssh, c); |
2556 | } |
2557 | |
2558 | enum channel_table { CHAN_PRE, CHAN_POST }; |
2559 | |
2560 | static void |
2561 | channel_handler(struct ssh *ssh, int table, struct timespec *timeout) |
2562 | { |
2563 | struct ssh_channels *sc = ssh->chanctxt; |
2564 | chan_fn **ftab = table == CHAN_PRE ? sc->channel_pre : sc->channel_post; |
2565 | u_int i, oalloc; |
2566 | Channel *c; |
2567 | time_t now; |
2568 | |
2569 | now = monotime(); |
2570 | for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) { |
2571 | c = sc->channels[i]; |
2572 | if (c == NULL((void *)0)) |
2573 | continue; |
2574 | /* Try to keep IO going while rekeying */ |
2575 | if (ssh_packet_is_rekeying(ssh) && c->type != SSH_CHANNEL_OPEN4) |
2576 | continue; |
2577 | if (c->delayed) { |
2578 | if (table == CHAN_PRE) |
2579 | c->delayed = 0; |
2580 | else |
2581 | continue; |
2582 | } |
2583 | if (ftab[c->type] != NULL((void *)0)) { |
2584 | if (table == CHAN_PRE && c->type == SSH_CHANNEL_OPEN4 && |
2585 | channel_get_expiry(ssh, c) != 0 && |
2586 | now >= channel_get_expiry(ssh, c)) { |
2587 | /* channel closed for inactivity */ |
2588 | verbose("channel %d: closing after %u seconds "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2590 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "channel %d: closing after %u seconds " "of inactivity", c->self, c->inactive_deadline) |
2589 | "of inactivity", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2590 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "channel %d: closing after %u seconds " "of inactivity", c->self, c->inactive_deadline) |
2590 | c->inactive_deadline)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2590 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "channel %d: closing after %u seconds " "of inactivity", c->self, c->inactive_deadline); |
2591 | channel_force_close(ssh, c, 1); |
2592 | } else if (c->notbefore <= now) { |
2593 | /* Run handlers that are not paused. */ |
2594 | (*ftab[c->type])(ssh, c); |
2595 | /* inactivity timeouts must interrupt poll() */ |
2596 | if (timeout != NULL((void *)0) && |
2597 | c->type == SSH_CHANNEL_OPEN4 && |
2598 | channel_get_expiry(ssh, c) != 0) { |
2599 | ptimeout_deadline_monotime(timeout, |
2600 | channel_get_expiry(ssh, c)); |
2601 | } |
2602 | } else if (timeout != NULL((void *)0)) { |
2603 | /* |
2604 | * Arrange for poll() wakeup when channel pause |
2605 | * timer expires. |
2606 | */ |
2607 | ptimeout_deadline_monotime(timeout, |
2608 | c->notbefore); |
2609 | } |
2610 | } |
2611 | channel_garbage_collect(ssh, c); |
2612 | } |
2613 | } |
2614 | |
2615 | /* |
2616 | * Create sockets before preparing IO. |
2617 | * This is necessary for things that need to happen after reading |
2618 | * the network-input but need to be completed before IO event setup, e.g. |
2619 | * because they may create new channels. |
2620 | */ |
2621 | static void |
2622 | channel_before_prepare_io(struct ssh *ssh) |
2623 | { |
2624 | struct ssh_channels *sc = ssh->chanctxt; |
2625 | Channel *c; |
2626 | u_int i, oalloc; |
2627 | |
2628 | for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) { |
2629 | c = sc->channels[i]; |
2630 | if (c == NULL((void *)0)) |
2631 | continue; |
2632 | if (c->type == SSH_CHANNEL_RDYNAMIC_OPEN21) |
2633 | channel_before_prepare_io_rdynamic(ssh, c); |
2634 | } |
2635 | } |
2636 | |
2637 | static void |
2638 | dump_channel_poll(const char *func, const char *what, Channel *c, |
2639 | u_int pollfd_offset, struct pollfd *pfd) |
2640 | { |
2641 | #ifdef DEBUG_CHANNEL_POLL |
2642 | debug3("%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2648 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] " "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d " "pfd.ev 0x%02x pfd.rev 0x%02x" , func, c->self, what, c->rfd, c->wfd, c->efd, c-> sock, c->pfds[0], c->pfds[1], c->pfds[2], c->pfds [3], c->io_want, c->io_ready, pollfd_offset, pfd->fd , pfd->events, pfd->revents) |
2643 | "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2648 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] " "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d " "pfd.ev 0x%02x pfd.rev 0x%02x" , func, c->self, what, c->rfd, c->wfd, c->efd, c-> sock, c->pfds[0], c->pfds[1], c->pfds[2], c->pfds [3], c->io_want, c->io_ready, pollfd_offset, pfd->fd , pfd->events, pfd->revents) |
2644 | "pfd.ev 0x%02x pfd.rev 0x%02x", func, c->self, what,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2648 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] " "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d " "pfd.ev 0x%02x pfd.rev 0x%02x" , func, c->self, what, c->rfd, c->wfd, c->efd, c-> sock, c->pfds[0], c->pfds[1], c->pfds[2], c->pfds [3], c->io_want, c->io_ready, pollfd_offset, pfd->fd , pfd->events, pfd->revents) |
2645 | c->rfd, c->wfd, c->efd, c->sock,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2648 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] " "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d " "pfd.ev 0x%02x pfd.rev 0x%02x" , func, c->self, what, c->rfd, c->wfd, c->efd, c-> sock, c->pfds[0], c->pfds[1], c->pfds[2], c->pfds [3], c->io_want, c->io_ready, pollfd_offset, pfd->fd , pfd->events, pfd->revents) |
2646 | c->pfds[0], c->pfds[1], c->pfds[2], c->pfds[3],sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2648 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] " "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d " "pfd.ev 0x%02x pfd.rev 0x%02x" , func, c->self, what, c->rfd, c->wfd, c->efd, c-> sock, c->pfds[0], c->pfds[1], c->pfds[2], c->pfds [3], c->io_want, c->io_ready, pollfd_offset, pfd->fd , pfd->events, pfd->revents) |
2647 | c->io_want, c->io_ready,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2648 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] " "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d " "pfd.ev 0x%02x pfd.rev 0x%02x" , func, c->self, what, c->rfd, c->wfd, c->efd, c-> sock, c->pfds[0], c->pfds[1], c->pfds[2], c->pfds [3], c->io_want, c->io_ready, pollfd_offset, pfd->fd , pfd->events, pfd->revents) |
2648 | pollfd_offset, pfd->fd, pfd->events, pfd->revents)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2648 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] " "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d " "pfd.ev 0x%02x pfd.rev 0x%02x" , func, c->self, what, c->rfd, c->wfd, c->efd, c-> sock, c->pfds[0], c->pfds[1], c->pfds[2], c->pfds [3], c->io_want, c->io_ready, pollfd_offset, pfd->fd , pfd->events, pfd->revents); |
2649 | #endif |
2650 | } |
2651 | |
2652 | /* Prepare pollfd entries for a single channel */ |
2653 | static void |
2654 | channel_prepare_pollfd(Channel *c, u_int *next_pollfd, |
2655 | struct pollfd *pfd, u_int npfd) |
2656 | { |
2657 | u_int ev, p = *next_pollfd; |
2658 | |
2659 | if (c == NULL((void *)0)) |
2660 | return; |
2661 | if (p + 4 > npfd) { |
2662 | /* Shouldn't happen */ |
2663 | fatal_f("channel %d: bad pfd offset %u (max %u)",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2664 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: bad pfd offset %u (max %u)" , c->self, p, npfd) |
2664 | c->self, p, npfd)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2664 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: bad pfd offset %u (max %u)" , c->self, p, npfd); |
2665 | } |
2666 | c->pfds[0] = c->pfds[1] = c->pfds[2] = c->pfds[3] = -1; |
2667 | /* |
2668 | * prepare c->rfd |
2669 | * |
2670 | * This is a special case, since c->rfd might be the same as |
2671 | * c->wfd, c->efd and/or c->sock. Handle those here if they want |
2672 | * IO too. |
2673 | */ |
2674 | if (c->rfd != -1) { |
2675 | ev = 0; |
2676 | if ((c->io_want & SSH_CHAN_IO_RFD0x01) != 0) |
2677 | ev |= POLLIN0x0001; |
2678 | /* rfd == wfd */ |
2679 | if (c->wfd == c->rfd) { |
2680 | if ((c->io_want & SSH_CHAN_IO_WFD0x02) != 0) |
2681 | ev |= POLLOUT0x0004; |
2682 | } |
2683 | /* rfd == efd */ |
2684 | if (c->efd == c->rfd) { |
2685 | if ((c->io_want & SSH_CHAN_IO_EFD_R0x04) != 0) |
2686 | ev |= POLLIN0x0001; |
2687 | if ((c->io_want & SSH_CHAN_IO_EFD_W0x08) != 0) |
2688 | ev |= POLLOUT0x0004; |
2689 | } |
2690 | /* rfd == sock */ |
2691 | if (c->sock == c->rfd) { |
2692 | if ((c->io_want & SSH_CHAN_IO_SOCK_R0x10) != 0) |
2693 | ev |= POLLIN0x0001; |
2694 | if ((c->io_want & SSH_CHAN_IO_SOCK_W0x20) != 0) |
2695 | ev |= POLLOUT0x0004; |
2696 | } |
2697 | /* Pack a pfd entry if any event armed for this fd */ |
2698 | if (ev != 0) { |
2699 | c->pfds[0] = p; |
2700 | pfd[p].fd = c->rfd; |
2701 | pfd[p].events = ev; |
2702 | dump_channel_poll(__func__, "rfd", c, p, &pfd[p]); |
2703 | p++; |
2704 | } |
2705 | } |
2706 | /* prepare c->wfd if wanting IO and not already handled above */ |
2707 | if (c->wfd != -1 && c->rfd != c->wfd) { |
2708 | ev = 0; |
2709 | if ((c->io_want & SSH_CHAN_IO_WFD0x02)) |
2710 | ev |= POLLOUT0x0004; |
2711 | /* Pack a pfd entry if any event armed for this fd */ |
2712 | if (ev != 0) { |
2713 | c->pfds[1] = p; |
2714 | pfd[p].fd = c->wfd; |
2715 | pfd[p].events = ev; |
2716 | dump_channel_poll(__func__, "wfd", c, p, &pfd[p]); |
2717 | p++; |
2718 | } |
2719 | } |
2720 | /* prepare c->efd if wanting IO and not already handled above */ |
2721 | if (c->efd != -1 && c->rfd != c->efd) { |
2722 | ev = 0; |
2723 | if ((c->io_want & SSH_CHAN_IO_EFD_R0x04) != 0) |
2724 | ev |= POLLIN0x0001; |
2725 | if ((c->io_want & SSH_CHAN_IO_EFD_W0x08) != 0) |
2726 | ev |= POLLOUT0x0004; |
2727 | /* Pack a pfd entry if any event armed for this fd */ |
2728 | if (ev != 0) { |
2729 | c->pfds[2] = p; |
2730 | pfd[p].fd = c->efd; |
2731 | pfd[p].events = ev; |
2732 | dump_channel_poll(__func__, "efd", c, p, &pfd[p]); |
2733 | p++; |
2734 | } |
2735 | } |
2736 | /* prepare c->sock if wanting IO and not already handled above */ |
2737 | if (c->sock != -1 && c->rfd != c->sock) { |
2738 | ev = 0; |
2739 | if ((c->io_want & SSH_CHAN_IO_SOCK_R0x10) != 0) |
2740 | ev |= POLLIN0x0001; |
2741 | if ((c->io_want & SSH_CHAN_IO_SOCK_W0x20) != 0) |
2742 | ev |= POLLOUT0x0004; |
2743 | /* Pack a pfd entry if any event armed for this fd */ |
2744 | if (ev != 0) { |
2745 | c->pfds[3] = p; |
2746 | pfd[p].fd = c->sock; |
2747 | pfd[p].events = 0; |
2748 | dump_channel_poll(__func__, "sock", c, p, &pfd[p]); |
2749 | p++; |
2750 | } |
2751 | } |
2752 | *next_pollfd = p; |
2753 | } |
2754 | |
2755 | /* * Allocate/prepare poll structure */ |
2756 | void |
2757 | channel_prepare_poll(struct ssh *ssh, struct pollfd **pfdp, u_int *npfd_allocp, |
2758 | u_int *npfd_activep, u_int npfd_reserved, struct timespec *timeout) |
2759 | { |
2760 | struct ssh_channels *sc = ssh->chanctxt; |
2761 | u_int i, oalloc, p, npfd = npfd_reserved; |
2762 | |
2763 | channel_before_prepare_io(ssh); /* might create a new channel */ |
2764 | /* clear out I/O flags from last poll */ |
2765 | for (i = 0; i < sc->channels_alloc; i++) { |
2766 | if (sc->channels[i] == NULL((void *)0)) |
2767 | continue; |
2768 | sc->channels[i]->io_want = sc->channels[i]->io_ready = 0; |
2769 | } |
2770 | /* Allocate 4x pollfd for each channel (rfd, wfd, efd, sock) */ |
2771 | if (sc->channels_alloc >= (INT_MAX0x7fffffff / 4) - npfd_reserved) |
2772 | fatal_f("too many channels")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2772 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "too many channels"); /* shouldn't happen */ |
2773 | npfd += sc->channels_alloc * 4; |
2774 | if (npfd > *npfd_allocp) { |
2775 | *pfdp = xrecallocarray(*pfdp, *npfd_allocp, |
2776 | npfd, sizeof(**pfdp)); |
2777 | *npfd_allocp = npfd; |
2778 | } |
2779 | *npfd_activep = npfd_reserved; |
2780 | oalloc = sc->channels_alloc; |
2781 | |
2782 | channel_handler(ssh, CHAN_PRE, timeout); |
2783 | |
2784 | if (oalloc != sc->channels_alloc) { |
2785 | /* shouldn't happen */ |
2786 | fatal_f("channels_alloc changed during CHAN_PRE "sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2787 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channels_alloc changed during CHAN_PRE " "(was %u, now %u)", oalloc, sc->channels_alloc) |
2787 | "(was %u, now %u)", oalloc, sc->channels_alloc)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2787 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channels_alloc changed during CHAN_PRE " "(was %u, now %u)", oalloc, sc->channels_alloc); |
2788 | } |
2789 | |
2790 | /* Prepare pollfd */ |
2791 | p = npfd_reserved; |
2792 | for (i = 0; i < sc->channels_alloc; i++) |
2793 | channel_prepare_pollfd(sc->channels[i], &p, *pfdp, npfd); |
2794 | *npfd_activep = p; |
2795 | } |
2796 | |
2797 | static void |
2798 | fd_ready(Channel *c, int p, struct pollfd *pfds, u_int npfd, int fd, |
2799 | const char *what, u_int revents_mask, u_int ready) |
2800 | { |
2801 | struct pollfd *pfd = &pfds[p]; |
2802 | |
2803 | if (fd == -1) |
2804 | return; |
2805 | if (p == -1 || (u_int)p >= npfd) |
2806 | fatal_f("channel %d: bad pfd %d (max %u)", c->self, p, npfd)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2806 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: bad pfd %d (max %u)" , c->self, p, npfd); |
2807 | dump_channel_poll(__func__, what, c, p, pfd); |
2808 | if (pfd->fd != fd) { |
2809 | fatal("channel %d: inconsistent %s fd=%d pollfd[%u].fd %d "sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2811 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: inconsistent %s fd=%d pollfd[%u].fd %d " "r%d w%d e%d s%d", c->self, what, fd, p, pfd->fd, c-> rfd, c->wfd, c->efd, c->sock) |
2810 | "r%d w%d e%d s%d", c->self, what, fd, p, pfd->fd,sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2811 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: inconsistent %s fd=%d pollfd[%u].fd %d " "r%d w%d e%d s%d", c->self, what, fd, p, pfd->fd, c-> rfd, c->wfd, c->efd, c->sock) |
2811 | c->rfd, c->wfd, c->efd, c->sock)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2811 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: inconsistent %s fd=%d pollfd[%u].fd %d " "r%d w%d e%d s%d", c->self, what, fd, p, pfd->fd, c-> rfd, c->wfd, c->efd, c->sock); |
2812 | } |
2813 | if ((pfd->revents & POLLNVAL0x0020) != 0) { |
2814 | fatal("channel %d: invalid %s pollfd[%u].fd %d r%d w%d e%d s%d",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2815 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: invalid %s pollfd[%u].fd %d r%d w%d e%d s%d" , c->self, what, p, pfd->fd, c->rfd, c->wfd, c-> efd, c->sock) |
2815 | c->self, what, p, pfd->fd, c->rfd, c->wfd, c->efd, c->sock)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2815 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: invalid %s pollfd[%u].fd %d r%d w%d e%d s%d" , c->self, what, p, pfd->fd, c->rfd, c->wfd, c-> efd, c->sock); |
2816 | } |
2817 | if ((pfd->revents & (revents_mask|POLLHUP0x0010|POLLERR0x0008)) != 0) |
2818 | c->io_ready |= ready & c->io_want; |
2819 | } |
2820 | |
2821 | /* |
2822 | * After poll, perform any appropriate operations for channels which have |
2823 | * events pending. |
2824 | */ |
2825 | void |
2826 | channel_after_poll(struct ssh *ssh, struct pollfd *pfd, u_int npfd) |
2827 | { |
2828 | struct ssh_channels *sc = ssh->chanctxt; |
2829 | u_int i; |
2830 | int p; |
2831 | Channel *c; |
2832 | |
2833 | #ifdef DEBUG_CHANNEL_POLL |
2834 | for (p = 0; p < (int)npfd; p++) { |
2835 | if (pfd[p].revents == 0) |
2836 | continue; |
2837 | debug_f("pfd[%u].fd %d rev 0x%04x",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2838 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "pfd[%u].fd %d rev 0x%04x" , p, pfd[p].fd, pfd[p].revents) |
2838 | p, pfd[p].fd, pfd[p].revents)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2838 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "pfd[%u].fd %d rev 0x%04x" , p, pfd[p].fd, pfd[p].revents); |
2839 | } |
2840 | #endif |
2841 | |
2842 | /* Convert pollfd into c->io_ready */ |
2843 | for (i = 0; i < sc->channels_alloc; i++) { |
2844 | c = sc->channels[i]; |
2845 | if (c == NULL((void *)0)) |
2846 | continue; |
2847 | /* if rfd is shared with efd/sock then wfd should be too */ |
2848 | if (c->rfd != -1 && c->wfd != -1 && c->rfd != c->wfd && |
2849 | (c->rfd == c->efd || c->rfd == c->sock)) { |
2850 | /* Shouldn't happen */ |
2851 | fatal_f("channel %d: unexpected fds r%d w%d e%d s%d",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2852 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: unexpected fds r%d w%d e%d s%d" , c->self, c->rfd, c->wfd, c->efd, c->sock) |
2852 | c->self, c->rfd, c->wfd, c->efd, c->sock)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2852 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: unexpected fds r%d w%d e%d s%d" , c->self, c->rfd, c->wfd, c->efd, c->sock); |
2853 | } |
2854 | c->io_ready = 0; |
2855 | /* rfd, potentially shared with wfd, efd and sock */ |
2856 | if (c->rfd != -1 && (p = c->pfds[0]) != -1) { |
2857 | fd_ready(c, p, pfd, npfd, c->rfd, |
2858 | "rfd", POLLIN0x0001, SSH_CHAN_IO_RFD0x01); |
2859 | if (c->rfd == c->wfd) { |
2860 | fd_ready(c, p, pfd, npfd, c->wfd, |
2861 | "wfd/r", POLLOUT0x0004, SSH_CHAN_IO_WFD0x02); |
2862 | } |
2863 | if (c->rfd == c->efd) { |
2864 | fd_ready(c, p, pfd, npfd, c->efd, |
2865 | "efdr/r", POLLIN0x0001, SSH_CHAN_IO_EFD_R0x04); |
2866 | fd_ready(c, p, pfd, npfd, c->efd, |
2867 | "efdw/r", POLLOUT0x0004, SSH_CHAN_IO_EFD_W0x08); |
2868 | } |
2869 | if (c->rfd == c->sock) { |
2870 | fd_ready(c, p, pfd, npfd, c->sock, |
2871 | "sockr/r", POLLIN0x0001, SSH_CHAN_IO_SOCK_R0x10); |
2872 | fd_ready(c, p, pfd, npfd, c->sock, |
2873 | "sockw/r", POLLOUT0x0004, SSH_CHAN_IO_SOCK_W0x20); |
2874 | } |
2875 | dump_channel_poll(__func__, "rfd", c, p, pfd); |
2876 | } |
2877 | /* wfd */ |
2878 | if (c->wfd != -1 && c->wfd != c->rfd && |
2879 | (p = c->pfds[1]) != -1) { |
2880 | fd_ready(c, p, pfd, npfd, c->wfd, |
2881 | "wfd", POLLOUT0x0004, SSH_CHAN_IO_WFD0x02); |
2882 | dump_channel_poll(__func__, "wfd", c, p, pfd); |
2883 | } |
2884 | /* efd */ |
2885 | if (c->efd != -1 && c->efd != c->rfd && |
2886 | (p = c->pfds[2]) != -1) { |
2887 | fd_ready(c, p, pfd, npfd, c->efd, |
2888 | "efdr", POLLIN0x0001, SSH_CHAN_IO_EFD_R0x04); |
2889 | fd_ready(c, p, pfd, npfd, c->efd, |
2890 | "efdw", POLLOUT0x0004, SSH_CHAN_IO_EFD_W0x08); |
2891 | dump_channel_poll(__func__, "efd", c, p, pfd); |
2892 | } |
2893 | /* sock */ |
2894 | if (c->sock != -1 && c->sock != c->rfd && |
2895 | (p = c->pfds[3]) != -1) { |
2896 | fd_ready(c, p, pfd, npfd, c->sock, |
2897 | "sockr", POLLIN0x0001, SSH_CHAN_IO_SOCK_R0x10); |
2898 | fd_ready(c, p, pfd, npfd, c->sock, |
2899 | "sockw", POLLOUT0x0004, SSH_CHAN_IO_SOCK_W0x20); |
2900 | dump_channel_poll(__func__, "sock", c, p, pfd); |
2901 | } |
2902 | } |
2903 | channel_handler(ssh, CHAN_POST, NULL((void *)0)); |
2904 | } |
2905 | |
2906 | /* |
2907 | * Enqueue data for channels with open or draining c->input. |
2908 | * Returns non-zero if a packet was enqueued. |
2909 | */ |
2910 | static int |
2911 | channel_output_poll_input_open(struct ssh *ssh, Channel *c) |
2912 | { |
2913 | size_t len, plen; |
2914 | const u_char *pkt; |
2915 | int r; |
2916 | |
2917 | if ((len = sshbuf_len(c->input)) == 0) { |
2918 | if (c->istate == CHAN_INPUT_WAIT_DRAIN1) { |
2919 | /* |
2920 | * input-buffer is empty and read-socket shutdown: |
2921 | * tell peer, that we will not send more data: |
2922 | * send IEOF. |
2923 | * hack for extended data: delay EOF if EFD still |
2924 | * in use. |
2925 | */ |
2926 | if (CHANNEL_EFD_INPUT_ACTIVE(c)(c->extended_usage == 1 && (c->efd != -1 || sshbuf_len (c->extended) > 0))) |
2927 | debug2("channel %d: "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2929 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "ibuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended)) |
2928 | "ibuf_empty delayed efd %d/(%zu)",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2929 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "ibuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended)) |
2929 | c->self, c->efd, sshbuf_len(c->extended))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2929 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: " "ibuf_empty delayed efd %d/(%zu)" , c->self, c->efd, sshbuf_len(c->extended)); |
2930 | else |
2931 | chan_ibuf_empty(ssh, c); |
2932 | } |
2933 | return 0; |
2934 | } |
2935 | |
2936 | if (!c->have_remote_id) |
2937 | fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2937 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self); |
2938 | |
2939 | if (c->datagram) { |
2940 | /* Check datagram will fit; drop if not */ |
2941 | if ((r = sshbuf_get_string_direct(c->input, &pkt, &plen)) != 0) |
2942 | fatal_fr(r, "channel %i: get datagram", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2942 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: get datagram" , c->self); |
2943 | /* |
2944 | * XXX this does tail-drop on the datagram queue which is |
2945 | * usually suboptimal compared to head-drop. Better to have |
2946 | * backpressure at read time? (i.e. read + discard) |
2947 | */ |
2948 | if (plen > c->remote_window || plen > c->remote_maxpacket) { |
2949 | debug("channel %d: datagram too big", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2949 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: datagram too big" , c->self); |
2950 | return 0; |
2951 | } |
2952 | /* Enqueue it */ |
2953 | if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA94)) != 0 || |
2954 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
2955 | (r = sshpkt_put_string(ssh, pkt, plen)) != 0 || |
2956 | (r = sshpkt_send(ssh)) != 0) |
2957 | fatal_fr(r, "channel %i: send datagram", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2957 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: send datagram" , c->self); |
2958 | c->remote_window -= plen; |
2959 | return 1; |
2960 | } |
2961 | |
2962 | /* Enqueue packet for buffered data. */ |
2963 | if (len > c->remote_window) |
2964 | len = c->remote_window; |
2965 | if (len > c->remote_maxpacket) |
2966 | len = c->remote_maxpacket; |
2967 | if (len == 0) |
2968 | return 0; |
2969 | if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA94)) != 0 || |
2970 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
2971 | (r = sshpkt_put_string(ssh, sshbuf_ptr(c->input), len)) != 0 || |
2972 | (r = sshpkt_send(ssh)) != 0) |
2973 | fatal_fr(r, "channel %i: send data", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2973 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: send data", c->self); |
2974 | if ((r = sshbuf_consume(c->input, len)) != 0) |
2975 | fatal_fr(r, "channel %i: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2975 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: consume", c ->self); |
2976 | c->remote_window -= len; |
2977 | return 1; |
2978 | } |
2979 | |
2980 | /* |
2981 | * Enqueue data for channels with open c->extended in read mode. |
2982 | * Returns non-zero if a packet was enqueued. |
2983 | */ |
2984 | static int |
2985 | channel_output_poll_extended_read(struct ssh *ssh, Channel *c) |
2986 | { |
2987 | size_t len; |
2988 | int r; |
2989 | |
2990 | if ((len = sshbuf_len(c->extended)) == 0) |
2991 | return 0; |
2992 | |
2993 | debug2("channel %d: rwin %u elen %zu euse %d", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2994 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: rwin %u elen %zu euse %d" , c->self, c->remote_window, sshbuf_len(c->extended) , c->extended_usage) |
2994 | c->remote_window, sshbuf_len(c->extended), c->extended_usage)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 2994 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: rwin %u elen %zu euse %d" , c->self, c->remote_window, sshbuf_len(c->extended) , c->extended_usage); |
2995 | if (len > c->remote_window) |
2996 | len = c->remote_window; |
2997 | if (len > c->remote_maxpacket) |
2998 | len = c->remote_maxpacket; |
2999 | if (len == 0) |
3000 | return 0; |
3001 | if (!c->have_remote_id) |
3002 | fatal_f("channel %d: no remote id", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3002 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: no remote id" , c->self); |
3003 | if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_EXTENDED_DATA95)) != 0 || |
3004 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
3005 | (r = sshpkt_put_u32(ssh, SSH2_EXTENDED_DATA_STDERR1)) != 0 || |
3006 | (r = sshpkt_put_string(ssh, sshbuf_ptr(c->extended), len)) != 0 || |
3007 | (r = sshpkt_send(ssh)) != 0) |
3008 | fatal_fr(r, "channel %i: data", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3008 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: data", c-> self); |
3009 | if ((r = sshbuf_consume(c->extended, len)) != 0) |
3010 | fatal_fr(r, "channel %i: consume", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3010 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: consume", c ->self); |
3011 | c->remote_window -= len; |
3012 | debug2("channel %d: sent ext data %zu", c->self, len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3012 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: sent ext data %zu" , c->self, len); |
3013 | return 1; |
3014 | } |
3015 | |
3016 | /* |
3017 | * If there is data to send to the connection, enqueue some of it now. |
3018 | * Returns non-zero if data was enqueued. |
3019 | */ |
3020 | int |
3021 | channel_output_poll(struct ssh *ssh) |
3022 | { |
3023 | struct ssh_channels *sc = ssh->chanctxt; |
3024 | Channel *c; |
3025 | u_int i; |
3026 | int ret = 0; |
3027 | |
3028 | for (i = 0; i < sc->channels_alloc; i++) { |
3029 | c = sc->channels[i]; |
3030 | if (c == NULL((void *)0)) |
3031 | continue; |
3032 | |
3033 | /* |
3034 | * We are only interested in channels that can have buffered |
3035 | * incoming data. |
3036 | */ |
3037 | if (c->type != SSH_CHANNEL_OPEN4) |
3038 | continue; |
3039 | if ((c->flags & (CHAN_CLOSE_SENT0x01|CHAN_CLOSE_RCVD0x02))) { |
3040 | /* XXX is this true? */ |
3041 | debug3("channel %d: will not send data after close",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3042 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: will not send data after close" , c->self) |
3042 | c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3042 , 0, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %d: will not send data after close" , c->self); |
3043 | continue; |
3044 | } |
3045 | |
3046 | /* Get the amount of buffered data for this channel. */ |
3047 | if (c->istate == CHAN_INPUT_OPEN0 || |
3048 | c->istate == CHAN_INPUT_WAIT_DRAIN1) |
3049 | ret |= channel_output_poll_input_open(ssh, c); |
3050 | /* Send extended data, i.e. stderr */ |
3051 | if (!(c->flags & CHAN_EOF_SENT0x04) && |
3052 | c->extended_usage == CHAN_EXTENDED_READ1) |
3053 | ret |= channel_output_poll_extended_read(ssh, c); |
3054 | } |
3055 | return ret; |
3056 | } |
3057 | |
3058 | /* -- mux proxy support */ |
3059 | |
3060 | /* |
3061 | * When multiplexing channel messages for mux clients we have to deal |
3062 | * with downstream messages from the mux client and upstream messages |
3063 | * from the ssh server: |
3064 | * 1) Handling downstream messages is straightforward and happens |
3065 | * in channel_proxy_downstream(): |
3066 | * - We forward all messages (mostly) unmodified to the server. |
3067 | * - However, in order to route messages from upstream to the correct |
3068 | * downstream client, we have to replace the channel IDs used by the |
3069 | * mux clients with a unique channel ID because the mux clients might |
3070 | * use conflicting channel IDs. |
3071 | * - so we inspect and change both SSH2_MSG_CHANNEL_OPEN and |
3072 | * SSH2_MSG_CHANNEL_OPEN_CONFIRMATION messages, create a local |
3073 | * SSH_CHANNEL_MUX_PROXY channel and replace the mux clients ID |
3074 | * with the newly allocated channel ID. |
3075 | * 2) Upstream messages are received by matching SSH_CHANNEL_MUX_PROXY |
3076 | * channels and processed by channel_proxy_upstream(). The local channel ID |
3077 | * is then translated back to the original mux client ID. |
3078 | * 3) In both cases we need to keep track of matching SSH2_MSG_CHANNEL_CLOSE |
3079 | * messages so we can clean up SSH_CHANNEL_MUX_PROXY channels. |
3080 | * 4) The SSH_CHANNEL_MUX_PROXY channels also need to closed when the |
3081 | * downstream mux client are removed. |
3082 | * 5) Handling SSH2_MSG_CHANNEL_OPEN messages from the upstream server |
3083 | * requires more work, because they are not addressed to a specific |
3084 | * channel. E.g. client_request_forwarded_tcpip() needs to figure |
3085 | * out whether the request is addressed to the local client or a |
3086 | * specific downstream client based on the listen-address/port. |
3087 | * 6) Agent and X11-Forwarding have a similar problem and are currently |
3088 | * not supported as the matching session/channel cannot be identified |
3089 | * easily. |
3090 | */ |
3091 | |
3092 | /* |
3093 | * receive packets from downstream mux clients: |
3094 | * channel callback fired on read from mux client, creates |
3095 | * SSH_CHANNEL_MUX_PROXY channels and translates channel IDs |
3096 | * on channel creation. |
3097 | */ |
3098 | int |
3099 | channel_proxy_downstream(struct ssh *ssh, Channel *downstream) |
3100 | { |
3101 | Channel *c = NULL((void *)0); |
3102 | struct sshbuf *original = NULL((void *)0), *modified = NULL((void *)0); |
3103 | const u_char *cp; |
3104 | char *ctype = NULL((void *)0), *listen_host = NULL((void *)0); |
3105 | u_char type; |
3106 | size_t have; |
3107 | int ret = -1, r; |
3108 | u_int id, remote_id, listen_port; |
3109 | |
3110 | /* sshbuf_dump(downstream->input, stderr); */ |
3111 | if ((r = sshbuf_get_string_direct(downstream->input, &cp, &have)) |
3112 | != 0) { |
3113 | error_fr(r, "parse")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3113 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse"); |
3114 | return -1; |
3115 | } |
3116 | if (have < 2) { |
3117 | error_f("short message")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3117 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "short message"); |
3118 | return -1; |
3119 | } |
3120 | type = cp[1]; |
3121 | /* skip padlen + type */ |
3122 | cp += 2; |
3123 | have -= 2; |
3124 | if (ssh_packet_log_type(type)) |
3125 | debug3_f("channel %u: down->up: type %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3126 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %u: down->up: type %u" , downstream->self, type) |
3126 | downstream->self, type)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3126 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %u: down->up: type %u" , downstream->self, type); |
3127 | |
3128 | switch (type) { |
3129 | case SSH2_MSG_CHANNEL_OPEN90: |
3130 | if ((original = sshbuf_from(cp, have)) == NULL((void *)0) || |
3131 | (modified = sshbuf_new()) == NULL((void *)0)) { |
3132 | error_f("alloc")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3132 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "alloc"); |
3133 | goto out; |
3134 | } |
3135 | if ((r = sshbuf_get_cstring(original, &ctype, NULL((void *)0))) != 0 || |
3136 | (r = sshbuf_get_u32(original, &id)) != 0) { |
3137 | error_fr(r, "parse")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3137 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse"); |
3138 | goto out; |
3139 | } |
3140 | c = channel_new(ssh, "mux-proxy", SSH_CHANNEL_MUX_PROXY20, |
3141 | -1, -1, -1, 0, 0, 0, ctype, 1); |
3142 | c->mux_ctx = downstream; /* point to mux client */ |
3143 | c->mux_downstream_id = id; /* original downstream id */ |
3144 | if ((r = sshbuf_put_cstring(modified, ctype)) != 0 || |
3145 | (r = sshbuf_put_u32(modified, c->self)) != 0 || |
3146 | (r = sshbuf_putb(modified, original)) != 0) { |
3147 | error_fr(r, "compose")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3147 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "compose"); |
3148 | channel_free(ssh, c); |
3149 | goto out; |
3150 | } |
3151 | break; |
3152 | case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION91: |
3153 | /* |
3154 | * Almost the same as SSH2_MSG_CHANNEL_OPEN, except then we |
3155 | * need to parse 'remote_id' instead of 'ctype'. |
3156 | */ |
3157 | if ((original = sshbuf_from(cp, have)) == NULL((void *)0) || |
3158 | (modified = sshbuf_new()) == NULL((void *)0)) { |
3159 | error_f("alloc")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3159 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "alloc"); |
3160 | goto out; |
3161 | } |
3162 | if ((r = sshbuf_get_u32(original, &remote_id)) != 0 || |
3163 | (r = sshbuf_get_u32(original, &id)) != 0) { |
3164 | error_fr(r, "parse")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3164 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse"); |
3165 | goto out; |
3166 | } |
3167 | c = channel_new(ssh, "mux-proxy", SSH_CHANNEL_MUX_PROXY20, |
3168 | -1, -1, -1, 0, 0, 0, "mux-down-connect", 1); |
3169 | c->mux_ctx = downstream; /* point to mux client */ |
3170 | c->mux_downstream_id = id; |
3171 | c->remote_id = remote_id; |
3172 | c->have_remote_id = 1; |
3173 | if ((r = sshbuf_put_u32(modified, remote_id)) != 0 || |
3174 | (r = sshbuf_put_u32(modified, c->self)) != 0 || |
3175 | (r = sshbuf_putb(modified, original)) != 0) { |
3176 | error_fr(r, "compose")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3176 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "compose"); |
3177 | channel_free(ssh, c); |
3178 | goto out; |
3179 | } |
3180 | break; |
3181 | case SSH2_MSG_GLOBAL_REQUEST80: |
3182 | if ((original = sshbuf_from(cp, have)) == NULL((void *)0)) { |
3183 | error_f("alloc")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3183 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "alloc"); |
3184 | goto out; |
3185 | } |
3186 | if ((r = sshbuf_get_cstring(original, &ctype, NULL((void *)0))) != 0) { |
3187 | error_fr(r, "parse")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3187 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse"); |
3188 | goto out; |
3189 | } |
3190 | if (strcmp(ctype, "tcpip-forward") != 0) { |
3191 | error_f("unsupported request %s", ctype)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3191 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "unsupported request %s" , ctype); |
3192 | goto out; |
3193 | } |
3194 | if ((r = sshbuf_get_u8(original, NULL((void *)0))) != 0 || |
3195 | (r = sshbuf_get_cstring(original, &listen_host, NULL((void *)0))) != 0 || |
3196 | (r = sshbuf_get_u32(original, &listen_port)) != 0) { |
3197 | error_fr(r, "parse")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3197 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse"); |
3198 | goto out; |
3199 | } |
3200 | if (listen_port > 65535) { |
3201 | error_f("tcpip-forward for %s: bad port %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3202 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "tcpip-forward for %s: bad port %u" , listen_host, listen_port) |
3202 | listen_host, listen_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3202 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "tcpip-forward for %s: bad port %u" , listen_host, listen_port); |
3203 | goto out; |
3204 | } |
3205 | /* Record that connection to this host/port is permitted. */ |
3206 | permission_set_add(ssh, FORWARD_USER0x101, FORWARD_LOCAL(1<<1), "<mux>", -1, |
3207 | listen_host, NULL((void *)0), (int)listen_port, downstream); |
3208 | listen_host = NULL((void *)0); |
3209 | break; |
3210 | case SSH2_MSG_CHANNEL_CLOSE97: |
3211 | if (have < 4) |
3212 | break; |
3213 | remote_id = PEEK_U32(cp)(((u_int32_t)(((const u_char *)(cp))[0]) << 24) | ((u_int32_t )(((const u_char *)(cp))[1]) << 16) | ((u_int32_t)(((const u_char *)(cp))[2]) << 8) | (u_int32_t)(((const u_char * )(cp))[3])); |
3214 | if ((c = channel_by_remote_id(ssh, remote_id)) != NULL((void *)0)) { |
3215 | if (c->flags & CHAN_CLOSE_RCVD0x02) |
3216 | channel_free(ssh, c); |
3217 | else |
3218 | c->flags |= CHAN_CLOSE_SENT0x01; |
3219 | } |
3220 | break; |
3221 | } |
3222 | if (modified) { |
3223 | if ((r = sshpkt_start(ssh, type)) != 0 || |
3224 | (r = sshpkt_putb(ssh, modified)) != 0 || |
3225 | (r = sshpkt_send(ssh)) != 0) { |
3226 | error_fr(r, "send")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3226 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "send"); |
3227 | goto out; |
3228 | } |
3229 | } else { |
3230 | if ((r = sshpkt_start(ssh, type)) != 0 || |
3231 | (r = sshpkt_put(ssh, cp, have)) != 0 || |
3232 | (r = sshpkt_send(ssh)) != 0) { |
3233 | error_fr(r, "send")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3233 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "send"); |
3234 | goto out; |
3235 | } |
3236 | } |
3237 | ret = 0; |
3238 | out: |
3239 | free(ctype); |
3240 | free(listen_host); |
3241 | sshbuf_free(original); |
3242 | sshbuf_free(modified); |
3243 | return ret; |
3244 | } |
3245 | |
3246 | /* |
3247 | * receive packets from upstream server and de-multiplex packets |
3248 | * to correct downstream: |
3249 | * implemented as a helper for channel input handlers, |
3250 | * replaces local (proxy) channel ID with downstream channel ID. |
3251 | */ |
3252 | int |
3253 | channel_proxy_upstream(Channel *c, int type, u_int32_t seq, struct ssh *ssh) |
3254 | { |
3255 | struct sshbuf *b = NULL((void *)0); |
3256 | Channel *downstream; |
3257 | const u_char *cp = NULL((void *)0); |
3258 | size_t len; |
3259 | int r; |
3260 | |
3261 | /* |
3262 | * When receiving packets from the peer we need to check whether we |
3263 | * need to forward the packets to the mux client. In this case we |
3264 | * restore the original channel id and keep track of CLOSE messages, |
3265 | * so we can cleanup the channel. |
3266 | */ |
3267 | if (c == NULL((void *)0) || c->type != SSH_CHANNEL_MUX_PROXY20) |
3268 | return 0; |
3269 | if ((downstream = c->mux_ctx) == NULL((void *)0)) |
3270 | return 0; |
3271 | switch (type) { |
3272 | case SSH2_MSG_CHANNEL_CLOSE97: |
3273 | case SSH2_MSG_CHANNEL_DATA94: |
3274 | case SSH2_MSG_CHANNEL_EOF96: |
3275 | case SSH2_MSG_CHANNEL_EXTENDED_DATA95: |
3276 | case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION91: |
3277 | case SSH2_MSG_CHANNEL_OPEN_FAILURE92: |
3278 | case SSH2_MSG_CHANNEL_WINDOW_ADJUST93: |
3279 | case SSH2_MSG_CHANNEL_SUCCESS99: |
3280 | case SSH2_MSG_CHANNEL_FAILURE100: |
3281 | case SSH2_MSG_CHANNEL_REQUEST98: |
3282 | break; |
3283 | default: |
3284 | debug2_f("channel %u: unsupported type %u", c->self, type)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3284 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %u: unsupported type %u" , c->self, type); |
3285 | return 0; |
3286 | } |
3287 | if ((b = sshbuf_new()) == NULL((void *)0)) { |
3288 | error_f("alloc reply")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3288 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "alloc reply"); |
3289 | goto out; |
3290 | } |
3291 | /* get remaining payload (after id) */ |
3292 | cp = sshpkt_ptr(ssh, &len); |
3293 | if (cp == NULL((void *)0)) { |
3294 | error_f("no packet")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3294 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "no packet"); |
3295 | goto out; |
3296 | } |
3297 | /* translate id and send to muxclient */ |
3298 | if ((r = sshbuf_put_u8(b, 0)) != 0 || /* padlen */ |
3299 | (r = sshbuf_put_u8(b, type)) != 0 || |
3300 | (r = sshbuf_put_u32(b, c->mux_downstream_id)) != 0 || |
3301 | (r = sshbuf_put(b, cp, len)) != 0 || |
3302 | (r = sshbuf_put_stringb(downstream->output, b)) != 0) { |
3303 | error_fr(r, "compose muxclient")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3303 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "compose muxclient"); |
3304 | goto out; |
3305 | } |
3306 | /* sshbuf_dump(b, stderr); */ |
3307 | if (ssh_packet_log_type(type)) |
3308 | debug3_f("channel %u: up->down: type %u", c->self, type)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3308 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "channel %u: up->down: type %u" , c->self, type); |
3309 | out: |
3310 | /* update state */ |
3311 | switch (type) { |
3312 | case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION91: |
3313 | /* record remote_id for SSH2_MSG_CHANNEL_CLOSE */ |
3314 | if (cp && len > 4) { |
3315 | c->remote_id = PEEK_U32(cp)(((u_int32_t)(((const u_char *)(cp))[0]) << 24) | ((u_int32_t )(((const u_char *)(cp))[1]) << 16) | ((u_int32_t)(((const u_char *)(cp))[2]) << 8) | (u_int32_t)(((const u_char * )(cp))[3])); |
3316 | c->have_remote_id = 1; |
3317 | } |
3318 | break; |
3319 | case SSH2_MSG_CHANNEL_CLOSE97: |
3320 | if (c->flags & CHAN_CLOSE_SENT0x01) |
3321 | channel_free(ssh, c); |
3322 | else |
3323 | c->flags |= CHAN_CLOSE_RCVD0x02; |
3324 | break; |
3325 | } |
3326 | sshbuf_free(b); |
3327 | return 1; |
3328 | } |
3329 | |
3330 | /* -- protocol input */ |
3331 | |
3332 | /* Parse a channel ID from the current packet */ |
3333 | static int |
3334 | channel_parse_id(struct ssh *ssh, const char *where, const char *what) |
3335 | { |
3336 | u_int32_t id; |
3337 | int r; |
3338 | |
3339 | if ((r = sshpkt_get_u32(ssh, &id)) != 0) { |
3340 | error_r(r, "%s: parse id", where)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3340 , 0, SYSLOG_LEVEL_ERROR, ssh_err(r), "%s: parse id", where); |
3341 | ssh_packet_disconnect(ssh, "Invalid %s message", what); |
3342 | } |
3343 | if (id > INT_MAX0x7fffffff) { |
3344 | error_r(r, "%s: bad channel id %u", where, id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3344 , 0, SYSLOG_LEVEL_ERROR, ssh_err(r), "%s: bad channel id %u", where, id); |
3345 | ssh_packet_disconnect(ssh, "Invalid %s channel id", what); |
3346 | } |
3347 | return (int)id; |
3348 | } |
3349 | |
3350 | /* Lookup a channel from an ID in the current packet */ |
3351 | static Channel * |
3352 | channel_from_packet_id(struct ssh *ssh, const char *where, const char *what) |
3353 | { |
3354 | int id = channel_parse_id(ssh, where, what); |
3355 | Channel *c; |
3356 | |
3357 | if ((c = channel_lookup(ssh, id)) == NULL((void *)0)) { |
3358 | ssh_packet_disconnect(ssh, |
3359 | "%s packet referred to nonexistent channel %d", what, id); |
3360 | } |
3361 | return c; |
3362 | } |
3363 | |
3364 | int |
3365 | channel_input_data(int type, u_int32_t seq, struct ssh *ssh) |
3366 | { |
3367 | const u_char *data; |
3368 | size_t data_len, win_len; |
3369 | Channel *c = channel_from_packet_id(ssh, __func__, "data"); |
3370 | int r; |
3371 | |
3372 | if (channel_proxy_upstream(c, type, seq, ssh)) |
3373 | return 0; |
3374 | |
3375 | /* Ignore any data for non-open channels (might happen on close) */ |
3376 | if (c->type != SSH_CHANNEL_OPEN4 && |
3377 | c->type != SSH_CHANNEL_RDYNAMIC_OPEN21 && |
3378 | c->type != SSH_CHANNEL_RDYNAMIC_FINISH22 && |
3379 | c->type != SSH_CHANNEL_X11_OPEN7) |
3380 | return 0; |
3381 | |
3382 | /* Get the data. */ |
3383 | if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 || |
3384 | (r = sshpkt_get_end(ssh)) != 0) |
3385 | fatal_fr(r, "channel %i: get data", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3385 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: get data", c ->self); |
3386 | |
3387 | win_len = data_len; |
3388 | if (c->datagram) |
3389 | win_len += 4; /* string length header */ |
3390 | |
3391 | /* |
3392 | * The sending side reduces its window as it sends data, so we |
3393 | * must 'fake' consumption of the data in order to ensure that window |
3394 | * updates are sent back. Otherwise the connection might deadlock. |
3395 | */ |
3396 | if (c->ostate != CHAN_OUTPUT_OPEN0) { |
3397 | c->local_window -= win_len; |
3398 | c->local_consumed += win_len; |
3399 | return 0; |
3400 | } |
3401 | |
3402 | if (win_len > c->local_maxpacket) { |
3403 | logit("channel %d: rcvd big packet %zu, maxpack %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3404 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd big packet %zu, maxpack %u" , c->self, win_len, c->local_maxpacket) |
3404 | c->self, win_len, c->local_maxpacket)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3404 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd big packet %zu, maxpack %u" , c->self, win_len, c->local_maxpacket); |
3405 | return 0; |
3406 | } |
3407 | if (win_len > c->local_window) { |
3408 | c->local_window_exceeded += win_len - c->local_window; |
3409 | logit("channel %d: rcvd too much data %zu, win %u/%u "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3411 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd too much data %zu, win %u/%u " "(excess %u)", c->self, win_len, c->local_window, c-> local_window_max, c->local_window_exceeded) |
3410 | "(excess %u)", c->self, win_len, c->local_window,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3411 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd too much data %zu, win %u/%u " "(excess %u)", c->self, win_len, c->local_window, c-> local_window_max, c->local_window_exceeded) |
3411 | c->local_window_max, c->local_window_exceeded)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3411 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd too much data %zu, win %u/%u " "(excess %u)", c->self, win_len, c->local_window, c-> local_window_max, c->local_window_exceeded); |
3412 | c->local_window = 0; |
3413 | /* Allow 10% grace before bringing the hammer down */ |
3414 | if (c->local_window_exceeded > (c->local_window_max / 10)) { |
3415 | ssh_packet_disconnect(ssh, "channel %d: peer ignored " |
3416 | "channel window", c->self); |
3417 | } |
3418 | } else { |
3419 | c->local_window -= win_len; |
3420 | c->local_window_exceeded = 0; |
3421 | } |
3422 | |
3423 | if (c->datagram) { |
3424 | if ((r = sshbuf_put_string(c->output, data, data_len)) != 0) |
3425 | fatal_fr(r, "channel %i: append datagram", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3425 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: append datagram" , c->self); |
3426 | } else if ((r = sshbuf_put(c->output, data, data_len)) != 0) |
3427 | fatal_fr(r, "channel %i: append data", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3427 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i: append data" , c->self); |
3428 | |
3429 | return 0; |
3430 | } |
3431 | |
3432 | int |
3433 | channel_input_extended_data(int type, u_int32_t seq, struct ssh *ssh) |
3434 | { |
3435 | const u_char *data; |
3436 | size_t data_len; |
3437 | u_int32_t tcode; |
3438 | Channel *c = channel_from_packet_id(ssh, __func__, "extended data"); |
3439 | int r; |
3440 | |
3441 | if (channel_proxy_upstream(c, type, seq, ssh)) |
3442 | return 0; |
3443 | if (c->type != SSH_CHANNEL_OPEN4) { |
3444 | logit("channel %d: ext data for non open", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3444 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: ext data for non open" , c->self); |
3445 | return 0; |
3446 | } |
3447 | if (c->flags & CHAN_EOF_RCVD0x08) { |
3448 | if (ssh->compat & SSH_BUG_EXTEOF0x00200000) |
3449 | debug("channel %d: accepting ext data after eof",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3450 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: accepting ext data after eof" , c->self) |
3450 | c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3450 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: accepting ext data after eof" , c->self); |
3451 | else |
3452 | ssh_packet_disconnect(ssh, "Received extended_data " |
3453 | "after EOF on channel %d.", c->self); |
3454 | } |
3455 | |
3456 | if ((r = sshpkt_get_u32(ssh, &tcode)) != 0) { |
3457 | error_fr(r, "parse tcode")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3457 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse tcode"); |
3458 | ssh_packet_disconnect(ssh, "Invalid extended_data message"); |
3459 | } |
3460 | if (c->efd == -1 || |
3461 | c->extended_usage != CHAN_EXTENDED_WRITE2 || |
3462 | tcode != SSH2_EXTENDED_DATA_STDERR1) { |
3463 | logit("channel %d: bad ext data", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3463 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: bad ext data" , c->self); |
3464 | return 0; |
3465 | } |
3466 | if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 || |
3467 | (r = sshpkt_get_end(ssh)) != 0) { |
3468 | error_fr(r, "parse data")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3468 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse data"); |
3469 | ssh_packet_disconnect(ssh, "Invalid extended_data message"); |
3470 | } |
3471 | |
3472 | if (data_len > c->local_window) { |
3473 | logit("channel %d: rcvd too much extended_data %zu, win %u",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3474 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd too much extended_data %zu, win %u" , c->self, data_len, c->local_window) |
3474 | c->self, data_len, c->local_window)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3474 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: rcvd too much extended_data %zu, win %u" , c->self, data_len, c->local_window); |
3475 | return 0; |
3476 | } |
3477 | debug2("channel %d: rcvd ext data %zu", c->self, data_len)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3477 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: rcvd ext data %zu" , c->self, data_len); |
3478 | /* XXX sshpkt_getb? */ |
3479 | if ((r = sshbuf_put(c->extended, data, data_len)) != 0) |
3480 | error_fr(r, "append")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3480 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "append"); |
3481 | c->local_window -= data_len; |
3482 | return 0; |
3483 | } |
3484 | |
3485 | int |
3486 | channel_input_ieof(int type, u_int32_t seq, struct ssh *ssh) |
3487 | { |
3488 | Channel *c = channel_from_packet_id(ssh, __func__, "ieof"); |
3489 | int r; |
3490 | |
3491 | if ((r = sshpkt_get_end(ssh)) != 0) { |
3492 | error_fr(r, "parse data")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3492 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse data"); |
3493 | ssh_packet_disconnect(ssh, "Invalid ieof message"); |
3494 | } |
3495 | |
3496 | if (channel_proxy_upstream(c, type, seq, ssh)) |
3497 | return 0; |
3498 | chan_rcvd_ieof(ssh, c); |
3499 | |
3500 | /* XXX force input close */ |
3501 | if (c->force_drain && c->istate == CHAN_INPUT_OPEN0) { |
3502 | debug("channel %d: FORCE input drain", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3502 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "channel %d: FORCE input drain" , c->self); |
3503 | c->istate = CHAN_INPUT_WAIT_DRAIN1; |
3504 | if (sshbuf_len(c->input) == 0) |
3505 | chan_ibuf_empty(ssh, c); |
3506 | } |
3507 | return 0; |
3508 | } |
3509 | |
3510 | int |
3511 | channel_input_oclose(int type, u_int32_t seq, struct ssh *ssh) |
3512 | { |
3513 | Channel *c = channel_from_packet_id(ssh, __func__, "oclose"); |
3514 | int r; |
3515 | |
3516 | if (channel_proxy_upstream(c, type, seq, ssh)) |
3517 | return 0; |
3518 | if ((r = sshpkt_get_end(ssh)) != 0) { |
3519 | error_fr(r, "parse data")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3519 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse data"); |
3520 | ssh_packet_disconnect(ssh, "Invalid oclose message"); |
3521 | } |
3522 | chan_rcvd_oclose(ssh, c); |
3523 | return 0; |
3524 | } |
3525 | |
3526 | int |
3527 | channel_input_open_confirmation(int type, u_int32_t seq, struct ssh *ssh) |
3528 | { |
3529 | Channel *c = channel_from_packet_id(ssh, __func__, "open confirmation"); |
3530 | u_int32_t remote_window, remote_maxpacket; |
3531 | int r; |
3532 | |
3533 | if (channel_proxy_upstream(c, type, seq, ssh)) |
3534 | return 0; |
3535 | if (c->type != SSH_CHANNEL_OPENING3) |
3536 | ssh_packet_disconnect(ssh, "Received open confirmation for " |
3537 | "non-opening channel %d.", c->self); |
3538 | /* |
3539 | * Record the remote channel number and mark that the channel |
3540 | * is now open. |
3541 | */ |
3542 | if ((r = sshpkt_get_u32(ssh, &c->remote_id)) != 0 || |
3543 | (r = sshpkt_get_u32(ssh, &remote_window)) != 0 || |
3544 | (r = sshpkt_get_u32(ssh, &remote_maxpacket)) != 0 || |
3545 | (r = sshpkt_get_end(ssh)) != 0) { |
3546 | error_fr(r, "window/maxpacket")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3546 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "window/maxpacket"); |
3547 | ssh_packet_disconnect(ssh, "Invalid open confirmation message"); |
3548 | } |
3549 | |
3550 | c->have_remote_id = 1; |
3551 | c->remote_window = remote_window; |
3552 | c->remote_maxpacket = remote_maxpacket; |
3553 | c->type = SSH_CHANNEL_OPEN4; |
3554 | if (c->open_confirm) { |
3555 | debug2_f("channel %d: callback start", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3555 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: callback start" , c->self); |
3556 | c->open_confirm(ssh, c->self, 1, c->open_confirm_ctx); |
3557 | debug2_f("channel %d: callback done", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3557 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: callback done" , c->self); |
3558 | } |
3559 | channel_set_used_time(ssh, c); |
3560 | debug2("channel %d: open confirm rwindow %u rmax %u", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3561 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: open confirm rwindow %u rmax %u" , c->self, c->remote_window, c->remote_maxpacket) |
3561 | c->remote_window, c->remote_maxpacket)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3561 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: open confirm rwindow %u rmax %u" , c->self, c->remote_window, c->remote_maxpacket); |
3562 | return 0; |
3563 | } |
3564 | |
3565 | static char * |
3566 | reason2txt(int reason) |
3567 | { |
3568 | switch (reason) { |
3569 | case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED1: |
3570 | return "administratively prohibited"; |
3571 | case SSH2_OPEN_CONNECT_FAILED2: |
3572 | return "connect failed"; |
3573 | case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE3: |
3574 | return "unknown channel type"; |
3575 | case SSH2_OPEN_RESOURCE_SHORTAGE4: |
3576 | return "resource shortage"; |
3577 | } |
3578 | return "unknown reason"; |
3579 | } |
3580 | |
3581 | int |
3582 | channel_input_open_failure(int type, u_int32_t seq, struct ssh *ssh) |
3583 | { |
3584 | Channel *c = channel_from_packet_id(ssh, __func__, "open failure"); |
3585 | u_int32_t reason; |
3586 | char *msg = NULL((void *)0); |
3587 | int r; |
3588 | |
3589 | if (channel_proxy_upstream(c, type, seq, ssh)) |
3590 | return 0; |
3591 | if (c->type != SSH_CHANNEL_OPENING3) |
3592 | ssh_packet_disconnect(ssh, "Received open failure for " |
3593 | "non-opening channel %d.", c->self); |
3594 | if ((r = sshpkt_get_u32(ssh, &reason)) != 0) { |
3595 | error_fr(r, "parse reason")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3595 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse reason"); |
3596 | ssh_packet_disconnect(ssh, "Invalid open failure message"); |
3597 | } |
3598 | /* skip language */ |
3599 | if ((r = sshpkt_get_cstring(ssh, &msg, NULL((void *)0))) != 0 || |
3600 | (r = sshpkt_get_string_direct(ssh, NULL((void *)0), NULL((void *)0))) != 0 || |
3601 | (r = sshpkt_get_end(ssh)) != 0) { |
3602 | error_fr(r, "parse msg/lang")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3602 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse msg/lang"); |
3603 | ssh_packet_disconnect(ssh, "Invalid open failure message"); |
3604 | } |
3605 | logit("channel %d: open failed: %s%s%s", c->self,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3606 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: open failed: %s%s%s" , c->self, reason2txt(reason), msg ? ": ": "", msg ? msg : "") |
3606 | reason2txt(reason), msg ? ": ": "", msg ? msg : "")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3606 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "channel %d: open failed: %s%s%s" , c->self, reason2txt(reason), msg ? ": ": "", msg ? msg : ""); |
3607 | free(msg); |
3608 | if (c->open_confirm) { |
3609 | debug2_f("channel %d: callback start", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3609 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: callback start" , c->self); |
3610 | c->open_confirm(ssh, c->self, 0, c->open_confirm_ctx); |
3611 | debug2_f("channel %d: callback done", c->self)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3611 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: callback done" , c->self); |
3612 | } |
3613 | /* Schedule the channel for cleanup/deletion. */ |
3614 | chan_mark_dead(ssh, c); |
3615 | return 0; |
3616 | } |
3617 | |
3618 | int |
3619 | channel_input_window_adjust(int type, u_int32_t seq, struct ssh *ssh) |
3620 | { |
3621 | int id = channel_parse_id(ssh, __func__, "window adjust"); |
3622 | Channel *c; |
3623 | u_int32_t adjust; |
3624 | u_int new_rwin; |
3625 | int r; |
3626 | |
3627 | if ((c = channel_lookup(ssh, id)) == NULL((void *)0)) { |
3628 | logit("Received window adjust for non-open channel %d.", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3628 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received window adjust for non-open channel %d." , id); |
3629 | return 0; |
3630 | } |
3631 | |
3632 | if (channel_proxy_upstream(c, type, seq, ssh)) |
3633 | return 0; |
3634 | if ((r = sshpkt_get_u32(ssh, &adjust)) != 0 || |
3635 | (r = sshpkt_get_end(ssh)) != 0) { |
3636 | error_fr(r, "parse adjust")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3636 , 1, SYSLOG_LEVEL_ERROR, ssh_err(r), "parse adjust"); |
3637 | ssh_packet_disconnect(ssh, "Invalid window adjust message"); |
3638 | } |
3639 | debug2("channel %d: rcvd adjust %u", c->self, adjust)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3639 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "channel %d: rcvd adjust %u" , c->self, adjust); |
3640 | if ((new_rwin = c->remote_window + adjust) < c->remote_window) { |
3641 | fatal("channel %d: adjust %u overflows remote window %u",sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3642 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: adjust %u overflows remote window %u" , c->self, adjust, c->remote_window) |
3642 | c->self, adjust, c->remote_window)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3642 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "channel %d: adjust %u overflows remote window %u" , c->self, adjust, c->remote_window); |
3643 | } |
3644 | c->remote_window = new_rwin; |
3645 | return 0; |
3646 | } |
3647 | |
3648 | int |
3649 | channel_input_status_confirm(int type, u_int32_t seq, struct ssh *ssh) |
3650 | { |
3651 | int id = channel_parse_id(ssh, __func__, "status confirm"); |
3652 | Channel *c; |
3653 | struct channel_confirm *cc; |
3654 | |
3655 | /* Reset keepalive timeout */ |
3656 | ssh_packet_set_alive_timeouts(ssh, 0); |
3657 | |
3658 | debug2_f("type %d id %d", type, id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3658 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "type %d id %d", type, id); |
3659 | |
3660 | if ((c = channel_lookup(ssh, id)) == NULL((void *)0)) { |
3661 | logit_f("%d: unknown", id)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3661 , 1, SYSLOG_LEVEL_INFO, ((void *)0), "%d: unknown", id); |
3662 | return 0; |
3663 | } |
3664 | if (channel_proxy_upstream(c, type, seq, ssh)) |
3665 | return 0; |
3666 | if (sshpkt_get_end(ssh) != 0) |
3667 | ssh_packet_disconnect(ssh, "Invalid status confirm message"); |
3668 | if ((cc = TAILQ_FIRST(&c->status_confirms)((&c->status_confirms)->tqh_first)) == NULL((void *)0)) |
3669 | return 0; |
3670 | cc->cb(ssh, type, c, cc->ctx); |
3671 | TAILQ_REMOVE(&c->status_confirms, cc, entry)do { if (((cc)->entry.tqe_next) != ((void *)0)) (cc)->entry .tqe_next->entry.tqe_prev = (cc)->entry.tqe_prev; else ( &c->status_confirms)->tqh_last = (cc)->entry.tqe_prev ; *(cc)->entry.tqe_prev = (cc)->entry.tqe_next; ; ; } while (0); |
3672 | freezero(cc, sizeof(*cc)); |
3673 | return 0; |
3674 | } |
3675 | |
3676 | /* -- tcp forwarding */ |
3677 | |
3678 | void |
3679 | channel_set_af(struct ssh *ssh, int af) |
3680 | { |
3681 | ssh->chanctxt->IPv4or6 = af; |
3682 | } |
3683 | |
3684 | |
3685 | /* |
3686 | * Determine whether or not a port forward listens to loopback, the |
3687 | * specified address or wildcard. On the client, a specified bind |
3688 | * address will always override gateway_ports. On the server, a |
3689 | * gateway_ports of 1 (``yes'') will override the client's specification |
3690 | * and force a wildcard bind, whereas a value of 2 (``clientspecified'') |
3691 | * will bind to whatever address the client asked for. |
3692 | * |
3693 | * Special-case listen_addrs are: |
3694 | * |
3695 | * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR |
3696 | * "" (empty string), "*" -> wildcard v4/v6 |
3697 | * "localhost" -> loopback v4/v6 |
3698 | * "127.0.0.1" / "::1" -> accepted even if gateway_ports isn't set |
3699 | */ |
3700 | static const char * |
3701 | channel_fwd_bind_addr(struct ssh *ssh, const char *listen_addr, int *wildcardp, |
3702 | int is_client, struct ForwardOptions *fwd_opts) |
3703 | { |
3704 | const char *addr = NULL((void *)0); |
3705 | int wildcard = 0; |
3706 | |
3707 | if (listen_addr == NULL((void *)0)) { |
3708 | /* No address specified: default to gateway_ports setting */ |
3709 | if (fwd_opts->gateway_ports) |
3710 | wildcard = 1; |
3711 | } else if (fwd_opts->gateway_ports || is_client) { |
3712 | if (((ssh->compat & SSH_OLD_FORWARD_ADDR0x01000000) && |
3713 | strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) || |
3714 | *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 || |
3715 | (!is_client && fwd_opts->gateway_ports == 1)) { |
3716 | wildcard = 1; |
3717 | /* |
3718 | * Notify client if they requested a specific listen |
3719 | * address and it was overridden. |
3720 | */ |
3721 | if (*listen_addr != '\0' && |
3722 | strcmp(listen_addr, "0.0.0.0") != 0 && |
3723 | strcmp(listen_addr, "*") != 0) { |
3724 | ssh_packet_send_debug(ssh, |
3725 | "Forwarding listen address " |
3726 | "\"%s\" overridden by server " |
3727 | "GatewayPorts", listen_addr); |
3728 | } |
3729 | } else if (strcmp(listen_addr, "localhost") != 0 || |
3730 | strcmp(listen_addr, "127.0.0.1") == 0 || |
3731 | strcmp(listen_addr, "::1") == 0) { |
3732 | /* |
3733 | * Accept explicit localhost address when |
3734 | * GatewayPorts=yes. The "localhost" hostname is |
3735 | * deliberately skipped here so it will listen on all |
3736 | * available local address families. |
3737 | */ |
3738 | addr = listen_addr; |
3739 | } |
3740 | } else if (strcmp(listen_addr, "127.0.0.1") == 0 || |
3741 | strcmp(listen_addr, "::1") == 0) { |
3742 | /* |
3743 | * If a specific IPv4/IPv6 localhost address has been |
3744 | * requested then accept it even if gateway_ports is in |
3745 | * effect. This allows the client to prefer IPv4 or IPv6. |
3746 | */ |
3747 | addr = listen_addr; |
3748 | } |
3749 | if (wildcardp != NULL((void *)0)) |
3750 | *wildcardp = wildcard; |
3751 | return addr; |
3752 | } |
3753 | |
3754 | static int |
3755 | channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type, |
3756 | struct Forward *fwd, int *allocated_listen_port, |
3757 | struct ForwardOptions *fwd_opts) |
3758 | { |
3759 | Channel *c; |
3760 | int sock, r, success = 0, wildcard = 0, is_client; |
3761 | struct addrinfo hints, *ai, *aitop; |
3762 | const char *host, *addr; |
3763 | char ntop[NI_MAXHOST256], strport[NI_MAXSERV32]; |
3764 | in_port_t *lport_p; |
3765 | |
3766 | is_client = (type == SSH_CHANNEL_PORT_LISTENER2); |
3767 | |
3768 | if (is_client && fwd->connect_path != NULL((void *)0)) { |
3769 | host = fwd->connect_path; |
3770 | } else { |
3771 | host = (type == SSH_CHANNEL_RPORT_LISTENER11) ? |
3772 | fwd->listen_host : fwd->connect_host; |
3773 | if (host == NULL((void *)0)) { |
3774 | error("No forward host name.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3774 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "No forward host name." ); |
3775 | return 0; |
3776 | } |
3777 | if (strlen(host) >= NI_MAXHOST256) { |
3778 | error("Forward host name too long.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3778 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Forward host name too long." ); |
3779 | return 0; |
3780 | } |
3781 | } |
3782 | |
3783 | /* Determine the bind address, cf. channel_fwd_bind_addr() comment */ |
3784 | addr = channel_fwd_bind_addr(ssh, fwd->listen_host, &wildcard, |
3785 | is_client, fwd_opts); |
3786 | debug3_f("type %d wildcard %d addr %s", type, wildcard,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3787 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "type %d wildcard %d addr %s" , type, wildcard, (addr == ((void *)0)) ? "NULL" : addr) |
3787 | (addr == NULL) ? "NULL" : addr)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3787 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "type %d wildcard %d addr %s" , type, wildcard, (addr == ((void *)0)) ? "NULL" : addr); |
3788 | |
3789 | /* |
3790 | * getaddrinfo returns a loopback address if the hostname is |
3791 | * set to NULL and hints.ai_flags is not AI_PASSIVE |
3792 | */ |
3793 | memset(&hints, 0, sizeof(hints)); |
3794 | hints.ai_family = ssh->chanctxt->IPv4or6; |
3795 | hints.ai_flags = wildcard ? AI_PASSIVE1 : 0; |
3796 | hints.ai_socktype = SOCK_STREAM1; |
3797 | snprintf(strport, sizeof strport, "%d", fwd->listen_port); |
3798 | if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) { |
3799 | if (addr == NULL((void *)0)) { |
3800 | /* This really shouldn't happen */ |
3801 | ssh_packet_disconnect(ssh, "getaddrinfo: fatal error: %s", |
3802 | ssh_gai_strerror(r)); |
3803 | } else { |
3804 | error_f("getaddrinfo(%.64s): %s", addr,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3805 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "getaddrinfo(%.64s): %s" , addr, ssh_gai_strerror(r)) |
3805 | ssh_gai_strerror(r))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3805 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "getaddrinfo(%.64s): %s" , addr, ssh_gai_strerror(r)); |
3806 | } |
3807 | return 0; |
3808 | } |
3809 | if (allocated_listen_port != NULL((void *)0)) |
3810 | *allocated_listen_port = 0; |
3811 | for (ai = aitop; ai; ai = ai->ai_next) { |
3812 | switch (ai->ai_family) { |
3813 | case AF_INET2: |
3814 | lport_p = &((struct sockaddr_in *)ai->ai_addr)-> |
3815 | sin_port; |
3816 | break; |
3817 | case AF_INET624: |
3818 | lport_p = &((struct sockaddr_in6 *)ai->ai_addr)-> |
3819 | sin6_port; |
3820 | break; |
3821 | default: |
3822 | continue; |
3823 | } |
3824 | /* |
3825 | * If allocating a port for -R forwards, then use the |
3826 | * same port for all address families. |
3827 | */ |
3828 | if (type == SSH_CHANNEL_RPORT_LISTENER11 && |
3829 | fwd->listen_port == 0 && allocated_listen_port != NULL((void *)0) && |
3830 | *allocated_listen_port > 0) |
3831 | *lport_p = htons(*allocated_listen_port)(__uint16_t)(__builtin_constant_p(*allocated_listen_port) ? ( __uint16_t)(((__uint16_t)(*allocated_listen_port) & 0xffU ) << 8 | ((__uint16_t)(*allocated_listen_port) & 0xff00U ) >> 8) : __swap16md(*allocated_listen_port)); |
3832 | |
3833 | if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), |
3834 | strport, sizeof(strport), |
3835 | NI_NUMERICHOST1|NI_NUMERICSERV2) != 0) { |
3836 | error_f("getnameinfo failed")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3836 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "getnameinfo failed"); |
3837 | continue; |
3838 | } |
3839 | /* Create a port to listen for the host. */ |
3840 | sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); |
3841 | if (sock == -1) { |
3842 | /* this is no error since kernel may not support ipv6 */ |
3843 | verbose("socket [%s]:%s: %.100s", ntop, strport,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3844 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "socket [%s]:%s: %.100s" , ntop, strport, strerror((*__errno()))) |
3844 | strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3844 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "socket [%s]:%s: %.100s" , ntop, strport, strerror((*__errno()))); |
3845 | continue; |
3846 | } |
3847 | |
3848 | set_reuseaddr(sock); |
3849 | |
3850 | debug("Local forwarding listening on %s port %s.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3851 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Local forwarding listening on %s port %s." , ntop, strport) |
3851 | ntop, strport)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3851 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Local forwarding listening on %s port %s." , ntop, strport); |
3852 | |
3853 | /* Bind the socket to the address. */ |
3854 | if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) { |
3855 | /* |
3856 | * address can be in if use ipv6 address is |
3857 | * already bound |
3858 | */ |
3859 | verbose("bind [%s]:%s: %.100s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3860 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "bind [%s]:%s: %.100s" , ntop, strport, strerror((*__errno()))) |
3860 | ntop, strport, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3860 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "bind [%s]:%s: %.100s" , ntop, strport, strerror((*__errno()))); |
3861 | close(sock); |
3862 | continue; |
3863 | } |
3864 | /* Start listening for connections on the socket. */ |
3865 | if (listen(sock, SSH_LISTEN_BACKLOG128) == -1) { |
3866 | error("listen [%s]:%s: %.100s", ntop, strport,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3867 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "listen [%s]:%s: %.100s" , ntop, strport, strerror((*__errno()))) |
3867 | strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3867 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "listen [%s]:%s: %.100s" , ntop, strport, strerror((*__errno()))); |
3868 | close(sock); |
3869 | continue; |
3870 | } |
3871 | |
3872 | /* |
3873 | * fwd->listen_port == 0 requests a dynamically allocated port - |
3874 | * record what we got. |
3875 | */ |
3876 | if (type == SSH_CHANNEL_RPORT_LISTENER11 && |
3877 | fwd->listen_port == 0 && |
3878 | allocated_listen_port != NULL((void *)0) && |
3879 | *allocated_listen_port == 0) { |
3880 | *allocated_listen_port = get_local_port(sock); |
3881 | debug("Allocated listen port %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3882 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Allocated listen port %d" , *allocated_listen_port) |
3882 | *allocated_listen_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3882 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Allocated listen port %d" , *allocated_listen_port); |
3883 | } |
3884 | |
3885 | /* Allocate a channel number for the socket. */ |
3886 | c = channel_new(ssh, "port-listener", type, sock, sock, -1, |
3887 | CHAN_TCP_WINDOW_DEFAULT(64*(32*1024)), CHAN_TCP_PACKET_DEFAULT(32*1024), |
3888 | 0, "port listener", 1); |
3889 | c->path = xstrdup(host); |
3890 | c->host_port = fwd->connect_port; |
3891 | c->listening_addr = addr == NULL((void *)0) ? NULL((void *)0) : xstrdup(addr); |
3892 | if (fwd->listen_port == 0 && allocated_listen_port != NULL((void *)0) && |
3893 | !(ssh->compat & SSH_BUG_DYNAMIC_RPORT0x08000000)) |
3894 | c->listening_port = *allocated_listen_port; |
3895 | else |
3896 | c->listening_port = fwd->listen_port; |
3897 | success = 1; |
3898 | } |
3899 | if (success == 0) |
3900 | error_f("cannot listen to port: %d", fwd->listen_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3900 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "cannot listen to port: %d" , fwd->listen_port); |
3901 | freeaddrinfo(aitop); |
3902 | return success; |
3903 | } |
3904 | |
3905 | static int |
3906 | channel_setup_fwd_listener_streamlocal(struct ssh *ssh, int type, |
3907 | struct Forward *fwd, struct ForwardOptions *fwd_opts) |
3908 | { |
3909 | struct sockaddr_un sunaddr; |
3910 | const char *path; |
3911 | Channel *c; |
3912 | int port, sock; |
3913 | mode_t omask; |
3914 | |
3915 | switch (type) { |
3916 | case SSH_CHANNEL_UNIX_LISTENER18: |
3917 | if (fwd->connect_path != NULL((void *)0)) { |
3918 | if (strlen(fwd->connect_path) > sizeof(sunaddr.sun_path)) { |
3919 | error("Local connecting path too long: %s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3920 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Local connecting path too long: %s" , fwd->connect_path) |
3920 | fwd->connect_path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3920 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Local connecting path too long: %s" , fwd->connect_path); |
3921 | return 0; |
3922 | } |
3923 | path = fwd->connect_path; |
3924 | port = PORT_STREAMLOCAL-2; |
3925 | } else { |
3926 | if (fwd->connect_host == NULL((void *)0)) { |
3927 | error("No forward host name.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3927 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "No forward host name." ); |
3928 | return 0; |
3929 | } |
3930 | if (strlen(fwd->connect_host) >= NI_MAXHOST256) { |
3931 | error("Forward host name too long.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3931 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Forward host name too long." ); |
3932 | return 0; |
3933 | } |
3934 | path = fwd->connect_host; |
3935 | port = fwd->connect_port; |
3936 | } |
3937 | break; |
3938 | case SSH_CHANNEL_RUNIX_LISTENER19: |
3939 | path = fwd->listen_path; |
3940 | port = PORT_STREAMLOCAL-2; |
3941 | break; |
3942 | default: |
3943 | error_f("unexpected channel type %d", type)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3943 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "unexpected channel type %d" , type); |
3944 | return 0; |
3945 | } |
3946 | |
3947 | if (fwd->listen_path == NULL((void *)0)) { |
3948 | error("No forward path name.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3948 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "No forward path name." ); |
3949 | return 0; |
3950 | } |
3951 | if (strlen(fwd->listen_path) > sizeof(sunaddr.sun_path)) { |
3952 | error("Local listening path too long: %s", fwd->listen_path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3952 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Local listening path too long: %s" , fwd->listen_path); |
3953 | return 0; |
3954 | } |
3955 | |
3956 | debug3_f("type %d path %s", type, fwd->listen_path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3956 , 1, SYSLOG_LEVEL_DEBUG3, ((void *)0), "type %d path %s", type , fwd->listen_path); |
3957 | |
3958 | /* Start a Unix domain listener. */ |
3959 | omask = umask(fwd_opts->streamlocal_bind_mask); |
3960 | sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG128, |
3961 | fwd_opts->streamlocal_bind_unlink); |
3962 | umask(omask); |
3963 | if (sock < 0) |
3964 | return 0; |
3965 | |
3966 | debug("Local forwarding listening on path %s.", fwd->listen_path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3966 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "Local forwarding listening on path %s." , fwd->listen_path); |
3967 | |
3968 | /* Allocate a channel number for the socket. */ |
3969 | c = channel_new(ssh, "unix-listener", type, sock, sock, -1, |
3970 | CHAN_TCP_WINDOW_DEFAULT(64*(32*1024)), CHAN_TCP_PACKET_DEFAULT(32*1024), |
3971 | 0, "unix listener", 1); |
3972 | c->path = xstrdup(path); |
3973 | c->host_port = port; |
3974 | c->listening_port = PORT_STREAMLOCAL-2; |
3975 | c->listening_addr = xstrdup(fwd->listen_path); |
3976 | return 1; |
3977 | } |
3978 | |
3979 | static int |
3980 | channel_cancel_rport_listener_tcpip(struct ssh *ssh, |
3981 | const char *host, u_short port) |
3982 | { |
3983 | u_int i; |
3984 | int found = 0; |
3985 | |
3986 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
3987 | Channel *c = ssh->chanctxt->channels[i]; |
3988 | if (c == NULL((void *)0) || c->type != SSH_CHANNEL_RPORT_LISTENER11) |
3989 | continue; |
3990 | if (strcmp(c->path, host) == 0 && c->listening_port == port) { |
3991 | debug2_f("close channel %d", i)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 3991 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "close channel %d", i); |
3992 | channel_free(ssh, c); |
3993 | found = 1; |
3994 | } |
3995 | } |
3996 | |
3997 | return found; |
3998 | } |
3999 | |
4000 | static int |
4001 | channel_cancel_rport_listener_streamlocal(struct ssh *ssh, const char *path) |
4002 | { |
4003 | u_int i; |
4004 | int found = 0; |
4005 | |
4006 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
4007 | Channel *c = ssh->chanctxt->channels[i]; |
4008 | if (c == NULL((void *)0) || c->type != SSH_CHANNEL_RUNIX_LISTENER19) |
4009 | continue; |
4010 | if (c->path == NULL((void *)0)) |
4011 | continue; |
4012 | if (strcmp(c->path, path) == 0) { |
4013 | debug2_f("close channel %d", i)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4013 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "close channel %d", i); |
4014 | channel_free(ssh, c); |
4015 | found = 1; |
4016 | } |
4017 | } |
4018 | |
4019 | return found; |
4020 | } |
4021 | |
4022 | int |
4023 | channel_cancel_rport_listener(struct ssh *ssh, struct Forward *fwd) |
4024 | { |
4025 | if (fwd->listen_path != NULL((void *)0)) { |
4026 | return channel_cancel_rport_listener_streamlocal(ssh, |
4027 | fwd->listen_path); |
4028 | } else { |
4029 | return channel_cancel_rport_listener_tcpip(ssh, |
4030 | fwd->listen_host, fwd->listen_port); |
4031 | } |
4032 | } |
4033 | |
4034 | static int |
4035 | channel_cancel_lport_listener_tcpip(struct ssh *ssh, |
4036 | const char *lhost, u_short lport, int cport, |
4037 | struct ForwardOptions *fwd_opts) |
4038 | { |
4039 | u_int i; |
4040 | int found = 0; |
4041 | const char *addr = channel_fwd_bind_addr(ssh, lhost, NULL((void *)0), 1, fwd_opts); |
4042 | |
4043 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
4044 | Channel *c = ssh->chanctxt->channels[i]; |
4045 | if (c == NULL((void *)0) || c->type != SSH_CHANNEL_PORT_LISTENER2) |
4046 | continue; |
4047 | if (c->listening_port != lport) |
4048 | continue; |
4049 | if (cport == CHANNEL_CANCEL_PORT_STATIC-1) { |
4050 | /* skip dynamic forwardings */ |
4051 | if (c->host_port == 0) |
4052 | continue; |
4053 | } else { |
4054 | if (c->host_port != cport) |
4055 | continue; |
4056 | } |
4057 | if ((c->listening_addr == NULL((void *)0) && addr != NULL((void *)0)) || |
4058 | (c->listening_addr != NULL((void *)0) && addr == NULL((void *)0))) |
4059 | continue; |
4060 | if (addr == NULL((void *)0) || strcmp(c->listening_addr, addr) == 0) { |
4061 | debug2_f("close channel %d", i)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4061 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "close channel %d", i); |
4062 | channel_free(ssh, c); |
4063 | found = 1; |
4064 | } |
4065 | } |
4066 | |
4067 | return found; |
4068 | } |
4069 | |
4070 | static int |
4071 | channel_cancel_lport_listener_streamlocal(struct ssh *ssh, const char *path) |
4072 | { |
4073 | u_int i; |
4074 | int found = 0; |
4075 | |
4076 | if (path == NULL((void *)0)) { |
4077 | error_f("no path specified.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4077 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "no path specified."); |
4078 | return 0; |
4079 | } |
4080 | |
4081 | for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { |
4082 | Channel *c = ssh->chanctxt->channels[i]; |
4083 | if (c == NULL((void *)0) || c->type != SSH_CHANNEL_UNIX_LISTENER18) |
4084 | continue; |
4085 | if (c->listening_addr == NULL((void *)0)) |
4086 | continue; |
4087 | if (strcmp(c->listening_addr, path) == 0) { |
4088 | debug2_f("close channel %d", i)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4088 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "close channel %d", i); |
4089 | channel_free(ssh, c); |
4090 | found = 1; |
4091 | } |
4092 | } |
4093 | |
4094 | return found; |
4095 | } |
4096 | |
4097 | int |
4098 | channel_cancel_lport_listener(struct ssh *ssh, |
4099 | struct Forward *fwd, int cport, struct ForwardOptions *fwd_opts) |
4100 | { |
4101 | if (fwd->listen_path != NULL((void *)0)) { |
4102 | return channel_cancel_lport_listener_streamlocal(ssh, |
4103 | fwd->listen_path); |
4104 | } else { |
4105 | return channel_cancel_lport_listener_tcpip(ssh, |
4106 | fwd->listen_host, fwd->listen_port, cport, fwd_opts); |
4107 | } |
4108 | } |
4109 | |
4110 | /* protocol local port fwd, used by ssh */ |
4111 | int |
4112 | channel_setup_local_fwd_listener(struct ssh *ssh, |
4113 | struct Forward *fwd, struct ForwardOptions *fwd_opts) |
4114 | { |
4115 | if (fwd->listen_path != NULL((void *)0)) { |
4116 | return channel_setup_fwd_listener_streamlocal(ssh, |
4117 | SSH_CHANNEL_UNIX_LISTENER18, fwd, fwd_opts); |
4118 | } else { |
4119 | return channel_setup_fwd_listener_tcpip(ssh, |
4120 | SSH_CHANNEL_PORT_LISTENER2, fwd, NULL((void *)0), fwd_opts); |
4121 | } |
4122 | } |
4123 | |
4124 | /* Matches a remote forwarding permission against a requested forwarding */ |
4125 | static int |
4126 | remote_open_match(struct permission *allowed_open, struct Forward *fwd) |
4127 | { |
4128 | int ret; |
4129 | char *lhost; |
4130 | |
4131 | /* XXX add ACLs for streamlocal */ |
4132 | if (fwd->listen_path != NULL((void *)0)) |
4133 | return 1; |
4134 | |
4135 | if (fwd->listen_host == NULL((void *)0) || allowed_open->listen_host == NULL((void *)0)) |
4136 | return 0; |
4137 | |
4138 | if (allowed_open->listen_port != FWD_PERMIT_ANY_PORT0 && |
4139 | allowed_open->listen_port != fwd->listen_port) |
4140 | return 0; |
4141 | |
4142 | /* Match hostnames case-insensitively */ |
4143 | lhost = xstrdup(fwd->listen_host); |
4144 | lowercase(lhost); |
4145 | ret = match_pattern(lhost, allowed_open->listen_host); |
4146 | free(lhost); |
4147 | |
4148 | return ret; |
4149 | } |
4150 | |
4151 | /* Checks whether a requested remote forwarding is permitted */ |
4152 | static int |
4153 | check_rfwd_permission(struct ssh *ssh, struct Forward *fwd) |
4154 | { |
4155 | struct ssh_channels *sc = ssh->chanctxt; |
4156 | struct permission_set *pset = &sc->remote_perms; |
4157 | u_int i, permit, permit_adm = 1; |
4158 | struct permission *perm; |
4159 | |
4160 | /* XXX apply GatewayPorts override before checking? */ |
4161 | |
4162 | permit = pset->all_permitted; |
4163 | if (!permit) { |
4164 | for (i = 0; i < pset->num_permitted_user; i++) { |
4165 | perm = &pset->permitted_user[i]; |
4166 | if (remote_open_match(perm, fwd)) { |
4167 | permit = 1; |
4168 | break; |
4169 | } |
4170 | } |
4171 | } |
4172 | |
4173 | if (pset->num_permitted_admin > 0) { |
4174 | permit_adm = 0; |
4175 | for (i = 0; i < pset->num_permitted_admin; i++) { |
4176 | perm = &pset->permitted_admin[i]; |
4177 | if (remote_open_match(perm, fwd)) { |
4178 | permit_adm = 1; |
4179 | break; |
4180 | } |
4181 | } |
4182 | } |
4183 | |
4184 | return permit && permit_adm; |
4185 | } |
4186 | |
4187 | /* protocol v2 remote port fwd, used by sshd */ |
4188 | int |
4189 | channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd, |
4190 | int *allocated_listen_port, struct ForwardOptions *fwd_opts) |
4191 | { |
4192 | if (!check_rfwd_permission(ssh, fwd)) { |
4193 | ssh_packet_send_debug(ssh, "port forwarding refused"); |
4194 | if (fwd->listen_path != NULL((void *)0)) |
4195 | /* XXX always allowed, see remote_open_match() */ |
4196 | logit("Received request from %.100s port %d to "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4200 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to path \"%.100s\", " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_path ) |
4197 | "remote forward to path \"%.100s\", "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4200 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to path \"%.100s\", " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_path ) |
4198 | "but the request was denied.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4200 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to path \"%.100s\", " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_path ) |
4199 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4200 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to path \"%.100s\", " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_path ) |
4200 | fwd->listen_path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4200 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to path \"%.100s\", " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_path ); |
4201 | else if(fwd->listen_host != NULL((void *)0)) |
4202 | logit("Received request from %.100s port %d to "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4206 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to host %.100s port %d, " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_host , fwd->listen_port) |
4203 | "remote forward to host %.100s port %d, "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4206 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to host %.100s port %d, " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_host , fwd->listen_port) |
4204 | "but the request was denied.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4206 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to host %.100s port %d, " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_host , fwd->listen_port) |
4205 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4206 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to host %.100s port %d, " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_host , fwd->listen_port) |
4206 | fwd->listen_host, fwd->listen_port )sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4206 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to " "remote forward to host %.100s port %d, " "but the request was denied." , ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), fwd->listen_host , fwd->listen_port); |
4207 | else |
4208 | logit("Received request from %.100s port %d to remote "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4210 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to remote " "forward, but the request was denied.", ssh_remote_ipaddr(ssh ), ssh_remote_port(ssh)) |
4209 | "forward, but the request was denied.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4210 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to remote " "forward, but the request was denied.", ssh_remote_ipaddr(ssh ), ssh_remote_port(ssh)) |
4210 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4210 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to remote " "forward, but the request was denied.", ssh_remote_ipaddr(ssh ), ssh_remote_port(ssh)); |
4211 | return 0; |
4212 | } |
4213 | if (fwd->listen_path != NULL((void *)0)) { |
4214 | return channel_setup_fwd_listener_streamlocal(ssh, |
4215 | SSH_CHANNEL_RUNIX_LISTENER19, fwd, fwd_opts); |
4216 | } else { |
4217 | return channel_setup_fwd_listener_tcpip(ssh, |
4218 | SSH_CHANNEL_RPORT_LISTENER11, fwd, allocated_listen_port, |
4219 | fwd_opts); |
4220 | } |
4221 | } |
4222 | |
4223 | /* |
4224 | * Translate the requested rfwd listen host to something usable for |
4225 | * this server. |
4226 | */ |
4227 | static const char * |
4228 | channel_rfwd_bind_host(const char *listen_host) |
4229 | { |
4230 | if (listen_host == NULL((void *)0)) { |
4231 | return "localhost"; |
4232 | } else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) { |
4233 | return ""; |
4234 | } else |
4235 | return listen_host; |
4236 | } |
4237 | |
4238 | /* |
4239 | * Initiate forwarding of connections to port "port" on remote host through |
4240 | * the secure channel to host:port from local side. |
4241 | * Returns handle (index) for updating the dynamic listen port with |
4242 | * channel_update_permission(). |
4243 | */ |
4244 | int |
4245 | channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd) |
4246 | { |
4247 | int r, success = 0, idx = -1; |
4248 | const char *host_to_connect, *listen_host, *listen_path; |
4249 | int port_to_connect, listen_port; |
4250 | |
4251 | /* Send the forward request to the remote side. */ |
4252 | if (fwd->listen_path != NULL((void *)0)) { |
4253 | if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 || |
4254 | (r = sshpkt_put_cstring(ssh, |
4255 | "streamlocal-forward@openssh.com")) != 0 || |
4256 | (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */ |
4257 | (r = sshpkt_put_cstring(ssh, fwd->listen_path)) != 0 || |
4258 | (r = sshpkt_send(ssh)) != 0 || |
4259 | (r = ssh_packet_write_wait(ssh)) != 0) |
4260 | fatal_fr(r, "request streamlocal")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4260 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "request streamlocal"); |
4261 | } else { |
4262 | if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 || |
4263 | (r = sshpkt_put_cstring(ssh, "tcpip-forward")) != 0 || |
4264 | (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */ |
4265 | (r = sshpkt_put_cstring(ssh, |
4266 | channel_rfwd_bind_host(fwd->listen_host))) != 0 || |
4267 | (r = sshpkt_put_u32(ssh, fwd->listen_port)) != 0 || |
4268 | (r = sshpkt_send(ssh)) != 0 || |
4269 | (r = ssh_packet_write_wait(ssh)) != 0) |
4270 | fatal_fr(r, "request tcpip-forward")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4270 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "request tcpip-forward"); |
4271 | } |
4272 | /* Assume that server accepts the request */ |
4273 | success = 1; |
4274 | if (success) { |
4275 | /* Record that connection to this host/port is permitted. */ |
4276 | host_to_connect = listen_host = listen_path = NULL((void *)0); |
4277 | port_to_connect = listen_port = 0; |
Although the value stored to 'listen_port' is used in the enclosing expression, the value is never actually read from 'listen_port' | |
4278 | if (fwd->connect_path != NULL((void *)0)) { |
4279 | host_to_connect = fwd->connect_path; |
4280 | port_to_connect = PORT_STREAMLOCAL-2; |
4281 | } else { |
4282 | host_to_connect = fwd->connect_host; |
4283 | port_to_connect = fwd->connect_port; |
4284 | } |
4285 | if (fwd->listen_path != NULL((void *)0)) { |
4286 | listen_path = fwd->listen_path; |
4287 | listen_port = PORT_STREAMLOCAL-2; |
4288 | } else { |
4289 | listen_host = fwd->listen_host; |
4290 | listen_port = fwd->listen_port; |
4291 | } |
4292 | idx = permission_set_add(ssh, FORWARD_USER0x101, FORWARD_LOCAL(1<<1), |
4293 | host_to_connect, port_to_connect, |
4294 | listen_host, listen_path, listen_port, NULL((void *)0)); |
4295 | } |
4296 | return idx; |
4297 | } |
4298 | |
4299 | static int |
4300 | open_match(struct permission *allowed_open, const char *requestedhost, |
4301 | int requestedport) |
4302 | { |
4303 | if (allowed_open->host_to_connect == NULL((void *)0)) |
4304 | return 0; |
4305 | if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT0 && |
4306 | allowed_open->port_to_connect != requestedport) |
4307 | return 0; |
4308 | if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST"*") != 0 && |
4309 | strcmp(allowed_open->host_to_connect, requestedhost) != 0) |
4310 | return 0; |
4311 | return 1; |
4312 | } |
4313 | |
4314 | /* |
4315 | * Note that in the listen host/port case |
4316 | * we don't support FWD_PERMIT_ANY_PORT and |
4317 | * need to translate between the configured-host (listen_host) |
4318 | * and what we've sent to the remote server (channel_rfwd_bind_host) |
4319 | */ |
4320 | static int |
4321 | open_listen_match_tcpip(struct permission *allowed_open, |
4322 | const char *requestedhost, u_short requestedport, int translate) |
4323 | { |
4324 | const char *allowed_host; |
4325 | |
4326 | if (allowed_open->host_to_connect == NULL((void *)0)) |
4327 | return 0; |
4328 | if (allowed_open->listen_port != requestedport) |
4329 | return 0; |
4330 | if (!translate && allowed_open->listen_host == NULL((void *)0) && |
4331 | requestedhost == NULL((void *)0)) |
4332 | return 1; |
4333 | allowed_host = translate ? |
4334 | channel_rfwd_bind_host(allowed_open->listen_host) : |
4335 | allowed_open->listen_host; |
4336 | if (allowed_host == NULL((void *)0) || requestedhost == NULL((void *)0) || |
4337 | strcmp(allowed_host, requestedhost) != 0) |
4338 | return 0; |
4339 | return 1; |
4340 | } |
4341 | |
4342 | static int |
4343 | open_listen_match_streamlocal(struct permission *allowed_open, |
4344 | const char *requestedpath) |
4345 | { |
4346 | if (allowed_open->host_to_connect == NULL((void *)0)) |
4347 | return 0; |
4348 | if (allowed_open->listen_port != PORT_STREAMLOCAL-2) |
4349 | return 0; |
4350 | if (allowed_open->listen_path == NULL((void *)0) || |
4351 | strcmp(allowed_open->listen_path, requestedpath) != 0) |
4352 | return 0; |
4353 | return 1; |
4354 | } |
4355 | |
4356 | /* |
4357 | * Request cancellation of remote forwarding of connection host:port from |
4358 | * local side. |
4359 | */ |
4360 | static int |
4361 | channel_request_rforward_cancel_tcpip(struct ssh *ssh, |
4362 | const char *host, u_short port) |
4363 | { |
4364 | struct ssh_channels *sc = ssh->chanctxt; |
4365 | struct permission_set *pset = &sc->local_perms; |
4366 | int r; |
4367 | u_int i; |
4368 | struct permission *perm = NULL((void *)0); |
4369 | |
4370 | for (i = 0; i < pset->num_permitted_user; i++) { |
4371 | perm = &pset->permitted_user[i]; |
4372 | if (open_listen_match_tcpip(perm, host, port, 0)) |
4373 | break; |
4374 | perm = NULL((void *)0); |
4375 | } |
4376 | if (perm == NULL((void *)0)) { |
4377 | debug_f("requested forward not found")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4377 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "requested forward not found" ); |
4378 | return -1; |
4379 | } |
4380 | if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 || |
4381 | (r = sshpkt_put_cstring(ssh, "cancel-tcpip-forward")) != 0 || |
4382 | (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */ |
4383 | (r = sshpkt_put_cstring(ssh, channel_rfwd_bind_host(host))) != 0 || |
4384 | (r = sshpkt_put_u32(ssh, port)) != 0 || |
4385 | (r = sshpkt_send(ssh)) != 0) |
4386 | fatal_fr(r, "send cancel")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4386 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "send cancel"); |
4387 | |
4388 | fwd_perm_clear(perm); /* unregister */ |
4389 | |
4390 | return 0; |
4391 | } |
4392 | |
4393 | /* |
4394 | * Request cancellation of remote forwarding of Unix domain socket |
4395 | * path from local side. |
4396 | */ |
4397 | static int |
4398 | channel_request_rforward_cancel_streamlocal(struct ssh *ssh, const char *path) |
4399 | { |
4400 | struct ssh_channels *sc = ssh->chanctxt; |
4401 | struct permission_set *pset = &sc->local_perms; |
4402 | int r; |
4403 | u_int i; |
4404 | struct permission *perm = NULL((void *)0); |
4405 | |
4406 | for (i = 0; i < pset->num_permitted_user; i++) { |
4407 | perm = &pset->permitted_user[i]; |
4408 | if (open_listen_match_streamlocal(perm, path)) |
4409 | break; |
4410 | perm = NULL((void *)0); |
4411 | } |
4412 | if (perm == NULL((void *)0)) { |
4413 | debug_f("requested forward not found")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4413 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "requested forward not found" ); |
4414 | return -1; |
4415 | } |
4416 | if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST80)) != 0 || |
4417 | (r = sshpkt_put_cstring(ssh, |
4418 | "cancel-streamlocal-forward@openssh.com")) != 0 || |
4419 | (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */ |
4420 | (r = sshpkt_put_cstring(ssh, path)) != 0 || |
4421 | (r = sshpkt_send(ssh)) != 0) |
4422 | fatal_fr(r, "send cancel")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4422 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "send cancel"); |
4423 | |
4424 | fwd_perm_clear(perm); /* unregister */ |
4425 | |
4426 | return 0; |
4427 | } |
4428 | |
4429 | /* |
4430 | * Request cancellation of remote forwarding of a connection from local side. |
4431 | */ |
4432 | int |
4433 | channel_request_rforward_cancel(struct ssh *ssh, struct Forward *fwd) |
4434 | { |
4435 | if (fwd->listen_path != NULL((void *)0)) { |
4436 | return channel_request_rforward_cancel_streamlocal(ssh, |
4437 | fwd->listen_path); |
4438 | } else { |
4439 | return channel_request_rforward_cancel_tcpip(ssh, |
4440 | fwd->listen_host, |
4441 | fwd->listen_port ? fwd->listen_port : fwd->allocated_port); |
4442 | } |
4443 | } |
4444 | |
4445 | /* |
4446 | * Permits opening to any host/port if permitted_user[] is empty. This is |
4447 | * usually called by the server, because the user could connect to any port |
4448 | * anyway, and the server has no way to know but to trust the client anyway. |
4449 | */ |
4450 | void |
4451 | channel_permit_all(struct ssh *ssh, int where) |
4452 | { |
4453 | struct permission_set *pset = permission_set_get(ssh, where); |
4454 | |
4455 | if (pset->num_permitted_user == 0) |
4456 | pset->all_permitted = 1; |
4457 | } |
4458 | |
4459 | /* |
4460 | * Permit the specified host/port for forwarding. |
4461 | */ |
4462 | void |
4463 | channel_add_permission(struct ssh *ssh, int who, int where, |
4464 | char *host, int port) |
4465 | { |
4466 | int local = where == FORWARD_LOCAL(1<<1); |
4467 | struct permission_set *pset = permission_set_get(ssh, where); |
4468 | |
4469 | debug("allow %s forwarding to host %s port %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4470 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "allow %s forwarding to host %s port %d" , fwd_ident(who, where), host, port) |
4470 | fwd_ident(who, where), host, port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4470 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "allow %s forwarding to host %s port %d" , fwd_ident(who, where), host, port); |
4471 | /* |
4472 | * Remote forwards set listen_host/port, local forwards set |
4473 | * host/port_to_connect. |
4474 | */ |
4475 | permission_set_add(ssh, who, where, |
4476 | local ? host : 0, local ? port : 0, |
4477 | local ? NULL((void *)0) : host, NULL((void *)0), local ? 0 : port, NULL((void *)0)); |
4478 | pset->all_permitted = 0; |
4479 | } |
4480 | |
4481 | /* |
4482 | * Administratively disable forwarding. |
4483 | */ |
4484 | void |
4485 | channel_disable_admin(struct ssh *ssh, int where) |
4486 | { |
4487 | channel_clear_permission(ssh, FORWARD_ADM0x100, where); |
4488 | permission_set_add(ssh, FORWARD_ADM0x100, where, |
4489 | NULL((void *)0), 0, NULL((void *)0), NULL((void *)0), 0, NULL((void *)0)); |
4490 | } |
4491 | |
4492 | /* |
4493 | * Clear a list of permitted opens. |
4494 | */ |
4495 | void |
4496 | channel_clear_permission(struct ssh *ssh, int who, int where) |
4497 | { |
4498 | struct permission **permp; |
4499 | u_int *npermp; |
4500 | |
4501 | permission_set_get_array(ssh, who, where, &permp, &npermp); |
4502 | *permp = xrecallocarray(*permp, *npermp, 0, sizeof(**permp)); |
4503 | *npermp = 0; |
4504 | } |
4505 | |
4506 | /* |
4507 | * Update the listen port for a dynamic remote forward, after |
4508 | * the actual 'newport' has been allocated. If 'newport' < 0 is |
4509 | * passed then they entry will be invalidated. |
4510 | */ |
4511 | void |
4512 | channel_update_permission(struct ssh *ssh, int idx, int newport) |
4513 | { |
4514 | struct permission_set *pset = &ssh->chanctxt->local_perms; |
4515 | |
4516 | if (idx < 0 || (u_int)idx >= pset->num_permitted_user) { |
4517 | debug_f("index out of range: %d num_permitted_user %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4518 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "index out of range: %d num_permitted_user %d" , idx, pset->num_permitted_user) |
4518 | idx, pset->num_permitted_user)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4518 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "index out of range: %d num_permitted_user %d" , idx, pset->num_permitted_user); |
4519 | return; |
4520 | } |
4521 | debug("%s allowed port %d for forwarding to host %s port %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4525 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s allowed port %d for forwarding to host %s port %d" , newport > 0 ? "Updating" : "Removing", newport, pset-> permitted_user[idx].host_to_connect, pset->permitted_user[ idx].port_to_connect) |
4522 | newport > 0 ? "Updating" : "Removing",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4525 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s allowed port %d for forwarding to host %s port %d" , newport > 0 ? "Updating" : "Removing", newport, pset-> permitted_user[idx].host_to_connect, pset->permitted_user[ idx].port_to_connect) |
4523 | newport,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4525 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s allowed port %d for forwarding to host %s port %d" , newport > 0 ? "Updating" : "Removing", newport, pset-> permitted_user[idx].host_to_connect, pset->permitted_user[ idx].port_to_connect) |
4524 | pset->permitted_user[idx].host_to_connect,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4525 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s allowed port %d for forwarding to host %s port %d" , newport > 0 ? "Updating" : "Removing", newport, pset-> permitted_user[idx].host_to_connect, pset->permitted_user[ idx].port_to_connect) |
4525 | pset->permitted_user[idx].port_to_connect)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4525 , 0, SYSLOG_LEVEL_DEBUG1, ((void *)0), "%s allowed port %d for forwarding to host %s port %d" , newport > 0 ? "Updating" : "Removing", newport, pset-> permitted_user[idx].host_to_connect, pset->permitted_user[ idx].port_to_connect); |
4526 | if (newport <= 0) |
4527 | fwd_perm_clear(&pset->permitted_user[idx]); |
4528 | else { |
4529 | pset->permitted_user[idx].listen_port = |
4530 | (ssh->compat & SSH_BUG_DYNAMIC_RPORT0x08000000) ? 0 : newport; |
4531 | } |
4532 | } |
4533 | |
4534 | /* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */ |
4535 | int |
4536 | permitopen_port(const char *p) |
4537 | { |
4538 | int port; |
4539 | |
4540 | if (strcmp(p, "*") == 0) |
4541 | return FWD_PERMIT_ANY_PORT0; |
4542 | if ((port = a2port(p)) > 0) |
4543 | return port; |
4544 | return -1; |
4545 | } |
4546 | |
4547 | /* Try to start non-blocking connect to next host in cctx list */ |
4548 | static int |
4549 | connect_next(struct channel_connect *cctx) |
4550 | { |
4551 | int sock, saved_errno; |
4552 | struct sockaddr_un *sunaddr; |
4553 | char ntop[NI_MAXHOST256]; |
4554 | char strport[MAXIMUM(NI_MAXSERV, sizeof(sunaddr->sun_path))(((32) > (sizeof(sunaddr->sun_path))) ? (32) : (sizeof( sunaddr->sun_path)))]; |
4555 | |
4556 | for (; cctx->ai; cctx->ai = cctx->ai->ai_next) { |
4557 | switch (cctx->ai->ai_family) { |
4558 | case AF_UNIX1: |
4559 | /* unix:pathname instead of host:port */ |
4560 | sunaddr = (struct sockaddr_un *)cctx->ai->ai_addr; |
4561 | strlcpy(ntop, "unix", sizeof(ntop)); |
4562 | strlcpy(strport, sunaddr->sun_path, sizeof(strport)); |
4563 | break; |
4564 | case AF_INET2: |
4565 | case AF_INET624: |
4566 | if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen, |
4567 | ntop, sizeof(ntop), strport, sizeof(strport), |
4568 | NI_NUMERICHOST1|NI_NUMERICSERV2) != 0) { |
4569 | error_f("getnameinfo failed")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4569 , 1, SYSLOG_LEVEL_ERROR, ((void *)0), "getnameinfo failed"); |
4570 | continue; |
4571 | } |
4572 | break; |
4573 | default: |
4574 | continue; |
4575 | } |
4576 | debug_f("start for host %.100s ([%.100s]:%s)",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4577 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "start for host %.100s ([%.100s]:%s)" , cctx->host, ntop, strport) |
4577 | cctx->host, ntop, strport)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4577 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "start for host %.100s ([%.100s]:%s)" , cctx->host, ntop, strport); |
4578 | if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype, |
4579 | cctx->ai->ai_protocol)) == -1) { |
4580 | if (cctx->ai->ai_next == NULL((void *)0)) |
4581 | error("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4581 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "socket: %.100s", strerror ((*__errno()))); |
4582 | else |
4583 | verbose("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4583 , 0, SYSLOG_LEVEL_VERBOSE, ((void *)0), "socket: %.100s", strerror ((*__errno()))); |
4584 | continue; |
4585 | } |
4586 | if (set_nonblock(sock) == -1) |
4587 | fatal_f("set_nonblock(%d)", sock)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4587 , 1, SYSLOG_LEVEL_FATAL, ((void *)0), "set_nonblock(%d)", sock ); |
4588 | if (connect(sock, cctx->ai->ai_addr, |
4589 | cctx->ai->ai_addrlen) == -1 && errno(*__errno()) != EINPROGRESS36) { |
4590 | debug_f("host %.100s ([%.100s]:%s): %.100s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4591 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "host %.100s ([%.100s]:%s): %.100s" , cctx->host, ntop, strport, strerror((*__errno()))) |
4591 | cctx->host, ntop, strport, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4591 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "host %.100s ([%.100s]:%s): %.100s" , cctx->host, ntop, strport, strerror((*__errno()))); |
4592 | saved_errno = errno(*__errno()); |
4593 | close(sock); |
4594 | errno(*__errno()) = saved_errno; |
4595 | continue; /* fail -- try next */ |
4596 | } |
4597 | if (cctx->ai->ai_family != AF_UNIX1) |
4598 | set_nodelay(sock); |
4599 | debug_f("connect host %.100s ([%.100s]:%s) in progress, fd=%d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4600 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "connect host %.100s ([%.100s]:%s) in progress, fd=%d" , cctx->host, ntop, strport, sock) |
4600 | cctx->host, ntop, strport, sock)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4600 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "connect host %.100s ([%.100s]:%s) in progress, fd=%d" , cctx->host, ntop, strport, sock); |
4601 | cctx->ai = cctx->ai->ai_next; |
4602 | return sock; |
4603 | } |
4604 | return -1; |
4605 | } |
4606 | |
4607 | static void |
4608 | channel_connect_ctx_free(struct channel_connect *cctx) |
4609 | { |
4610 | free(cctx->host); |
4611 | if (cctx->aitop) { |
4612 | if (cctx->aitop->ai_family == AF_UNIX1) |
4613 | free(cctx->aitop); |
4614 | else |
4615 | freeaddrinfo(cctx->aitop); |
4616 | } |
4617 | memset(cctx, 0, sizeof(*cctx)); |
4618 | } |
4619 | |
4620 | /* |
4621 | * Return connecting socket to remote host:port or local socket path, |
4622 | * passing back the failure reason if appropriate. |
4623 | */ |
4624 | static int |
4625 | connect_to_helper(struct ssh *ssh, const char *name, int port, int socktype, |
4626 | char *ctype, char *rname, struct channel_connect *cctx, |
4627 | int *reason, const char **errmsg) |
4628 | { |
4629 | struct addrinfo hints; |
4630 | int gaierr; |
4631 | int sock = -1; |
4632 | char strport[NI_MAXSERV32]; |
4633 | |
4634 | if (port == PORT_STREAMLOCAL-2) { |
4635 | struct sockaddr_un *sunaddr; |
4636 | struct addrinfo *ai; |
4637 | |
4638 | if (strlen(name) > sizeof(sunaddr->sun_path)) { |
4639 | error("%.100s: %.100s", name, strerror(ENAMETOOLONG))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4639 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "%.100s: %.100s", name, strerror(63)); |
4640 | return -1; |
4641 | } |
4642 | |
4643 | /* |
4644 | * Fake up a struct addrinfo for AF_UNIX connections. |
4645 | * channel_connect_ctx_free() must check ai_family |
4646 | * and use free() not freeaddirinfo() for AF_UNIX. |
4647 | */ |
4648 | ai = xmalloc(sizeof(*ai) + sizeof(*sunaddr)); |
4649 | memset(ai, 0, sizeof(*ai) + sizeof(*sunaddr)); |
4650 | ai->ai_addr = (struct sockaddr *)(ai + 1); |
4651 | ai->ai_addrlen = sizeof(*sunaddr); |
4652 | ai->ai_family = AF_UNIX1; |
4653 | ai->ai_socktype = socktype; |
4654 | ai->ai_protocol = PF_UNSPEC0; |
4655 | sunaddr = (struct sockaddr_un *)ai->ai_addr; |
4656 | sunaddr->sun_family = AF_UNIX1; |
4657 | strlcpy(sunaddr->sun_path, name, sizeof(sunaddr->sun_path)); |
4658 | cctx->aitop = ai; |
4659 | } else { |
4660 | memset(&hints, 0, sizeof(hints)); |
4661 | hints.ai_family = ssh->chanctxt->IPv4or6; |
4662 | hints.ai_socktype = socktype; |
4663 | snprintf(strport, sizeof strport, "%d", port); |
4664 | if ((gaierr = getaddrinfo(name, strport, &hints, &cctx->aitop)) |
4665 | != 0) { |
4666 | if (errmsg != NULL((void *)0)) |
4667 | *errmsg = ssh_gai_strerror(gaierr); |
4668 | if (reason != NULL((void *)0)) |
4669 | *reason = SSH2_OPEN_CONNECT_FAILED2; |
4670 | error("connect_to %.100s: unknown host (%s)", name,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4671 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect_to %.100s: unknown host (%s)" , name, ssh_gai_strerror(gaierr)) |
4671 | ssh_gai_strerror(gaierr))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4671 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect_to %.100s: unknown host (%s)" , name, ssh_gai_strerror(gaierr)); |
4672 | return -1; |
4673 | } |
4674 | } |
4675 | |
4676 | cctx->host = xstrdup(name); |
4677 | cctx->port = port; |
4678 | cctx->ai = cctx->aitop; |
4679 | |
4680 | if ((sock = connect_next(cctx)) == -1) { |
4681 | error("connect to %.100s port %d failed: %s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4682 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect to %.100s port %d failed: %s" , name, port, strerror((*__errno()))) |
4682 | name, port, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4682 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect to %.100s port %d failed: %s" , name, port, strerror((*__errno()))); |
4683 | return -1; |
4684 | } |
4685 | |
4686 | return sock; |
4687 | } |
4688 | |
4689 | /* Return CONNECTING channel to remote host:port or local socket path */ |
4690 | static Channel * |
4691 | connect_to(struct ssh *ssh, const char *host, int port, |
4692 | char *ctype, char *rname) |
4693 | { |
4694 | struct channel_connect cctx; |
4695 | Channel *c; |
4696 | int sock; |
4697 | |
4698 | memset(&cctx, 0, sizeof(cctx)); |
4699 | sock = connect_to_helper(ssh, host, port, SOCK_STREAM1, ctype, rname, |
4700 | &cctx, NULL((void *)0), NULL((void *)0)); |
4701 | if (sock == -1) { |
4702 | channel_connect_ctx_free(&cctx); |
4703 | return NULL((void *)0); |
4704 | } |
4705 | c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING12, sock, sock, -1, |
4706 | CHAN_TCP_WINDOW_DEFAULT(64*(32*1024)), CHAN_TCP_PACKET_DEFAULT(32*1024), 0, rname, 1); |
4707 | c->host_port = port; |
4708 | c->path = xstrdup(host); |
4709 | c->connect_ctx = cctx; |
4710 | |
4711 | return c; |
4712 | } |
4713 | |
4714 | /* |
4715 | * returns either the newly connected channel or the downstream channel |
4716 | * that needs to deal with this connection. |
4717 | */ |
4718 | Channel * |
4719 | channel_connect_by_listen_address(struct ssh *ssh, const char *listen_host, |
4720 | u_short listen_port, char *ctype, char *rname) |
4721 | { |
4722 | struct ssh_channels *sc = ssh->chanctxt; |
4723 | struct permission_set *pset = &sc->local_perms; |
4724 | u_int i; |
4725 | struct permission *perm; |
4726 | |
4727 | for (i = 0; i < pset->num_permitted_user; i++) { |
4728 | perm = &pset->permitted_user[i]; |
4729 | if (open_listen_match_tcpip(perm, |
4730 | listen_host, listen_port, 1)) { |
4731 | if (perm->downstream) |
4732 | return perm->downstream; |
4733 | if (perm->port_to_connect == 0) |
4734 | return rdynamic_connect_prepare(ssh, |
4735 | ctype, rname); |
4736 | return connect_to(ssh, |
4737 | perm->host_to_connect, perm->port_to_connect, |
4738 | ctype, rname); |
4739 | } |
4740 | } |
4741 | error("WARNING: Server requests forwarding for unknown listen_port %d",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4742 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "WARNING: Server requests forwarding for unknown listen_port %d" , listen_port) |
4742 | listen_port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4742 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "WARNING: Server requests forwarding for unknown listen_port %d" , listen_port); |
4743 | return NULL((void *)0); |
4744 | } |
4745 | |
4746 | Channel * |
4747 | channel_connect_by_listen_path(struct ssh *ssh, const char *path, |
4748 | char *ctype, char *rname) |
4749 | { |
4750 | struct ssh_channels *sc = ssh->chanctxt; |
4751 | struct permission_set *pset = &sc->local_perms; |
4752 | u_int i; |
4753 | struct permission *perm; |
4754 | |
4755 | for (i = 0; i < pset->num_permitted_user; i++) { |
4756 | perm = &pset->permitted_user[i]; |
4757 | if (open_listen_match_streamlocal(perm, path)) { |
4758 | return connect_to(ssh, |
4759 | perm->host_to_connect, perm->port_to_connect, |
4760 | ctype, rname); |
4761 | } |
4762 | } |
4763 | error("WARNING: Server requests forwarding for unknown path %.100s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4764 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "WARNING: Server requests forwarding for unknown path %.100s" , path) |
4764 | path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4764 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "WARNING: Server requests forwarding for unknown path %.100s" , path); |
4765 | return NULL((void *)0); |
4766 | } |
4767 | |
4768 | /* Check if connecting to that port is permitted and connect. */ |
4769 | Channel * |
4770 | channel_connect_to_port(struct ssh *ssh, const char *host, u_short port, |
4771 | char *ctype, char *rname, int *reason, const char **errmsg) |
4772 | { |
4773 | struct ssh_channels *sc = ssh->chanctxt; |
4774 | struct permission_set *pset = &sc->local_perms; |
4775 | struct channel_connect cctx; |
4776 | Channel *c; |
4777 | u_int i, permit, permit_adm = 1; |
4778 | int sock; |
4779 | struct permission *perm; |
4780 | |
4781 | permit = pset->all_permitted; |
4782 | if (!permit) { |
4783 | for (i = 0; i < pset->num_permitted_user; i++) { |
4784 | perm = &pset->permitted_user[i]; |
4785 | if (open_match(perm, host, port)) { |
4786 | permit = 1; |
4787 | break; |
4788 | } |
4789 | } |
4790 | } |
4791 | |
4792 | if (pset->num_permitted_admin > 0) { |
4793 | permit_adm = 0; |
4794 | for (i = 0; i < pset->num_permitted_admin; i++) { |
4795 | perm = &pset->permitted_admin[i]; |
4796 | if (open_match(perm, host, port)) { |
4797 | permit_adm = 1; |
4798 | break; |
4799 | } |
4800 | } |
4801 | } |
4802 | |
4803 | if (!permit || !permit_adm) { |
4804 | logit("Received request from %.100s port %d to connect to "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4806 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to connect to " "host %.100s port %d, but the request was denied.", ssh_remote_ipaddr (ssh), ssh_remote_port(ssh), host, port) |
4805 | "host %.100s port %d, but the request was denied.",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4806 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to connect to " "host %.100s port %d, but the request was denied.", ssh_remote_ipaddr (ssh), ssh_remote_port(ssh), host, port) |
4806 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), host, port)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4806 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request from %.100s port %d to connect to " "host %.100s port %d, but the request was denied.", ssh_remote_ipaddr (ssh), ssh_remote_port(ssh), host, port); |
4807 | if (reason != NULL((void *)0)) |
4808 | *reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED1; |
4809 | return NULL((void *)0); |
4810 | } |
4811 | |
4812 | memset(&cctx, 0, sizeof(cctx)); |
4813 | sock = connect_to_helper(ssh, host, port, SOCK_STREAM1, ctype, rname, |
4814 | &cctx, reason, errmsg); |
4815 | if (sock == -1) { |
4816 | channel_connect_ctx_free(&cctx); |
4817 | return NULL((void *)0); |
4818 | } |
4819 | |
4820 | c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING12, sock, sock, -1, |
4821 | CHAN_TCP_WINDOW_DEFAULT(64*(32*1024)), CHAN_TCP_PACKET_DEFAULT(32*1024), 0, rname, 1); |
4822 | c->host_port = port; |
4823 | c->path = xstrdup(host); |
4824 | c->connect_ctx = cctx; |
4825 | |
4826 | return c; |
4827 | } |
4828 | |
4829 | /* Check if connecting to that path is permitted and connect. */ |
4830 | Channel * |
4831 | channel_connect_to_path(struct ssh *ssh, const char *path, |
4832 | char *ctype, char *rname) |
4833 | { |
4834 | struct ssh_channels *sc = ssh->chanctxt; |
4835 | struct permission_set *pset = &sc->local_perms; |
4836 | u_int i, permit, permit_adm = 1; |
4837 | struct permission *perm; |
4838 | |
4839 | permit = pset->all_permitted; |
4840 | if (!permit) { |
4841 | for (i = 0; i < pset->num_permitted_user; i++) { |
4842 | perm = &pset->permitted_user[i]; |
4843 | if (open_match(perm, path, PORT_STREAMLOCAL-2)) { |
4844 | permit = 1; |
4845 | break; |
4846 | } |
4847 | } |
4848 | } |
4849 | |
4850 | if (pset->num_permitted_admin > 0) { |
4851 | permit_adm = 0; |
4852 | for (i = 0; i < pset->num_permitted_admin; i++) { |
4853 | perm = &pset->permitted_admin[i]; |
4854 | if (open_match(perm, path, PORT_STREAMLOCAL-2)) { |
4855 | permit_adm = 1; |
4856 | break; |
4857 | } |
4858 | } |
4859 | } |
4860 | |
4861 | if (!permit || !permit_adm) { |
4862 | logit("Received request to connect to path %.100s, "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4863 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request to connect to path %.100s, " "but the request was denied.", path) |
4863 | "but the request was denied.", path)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4863 , 0, SYSLOG_LEVEL_INFO, ((void *)0), "Received request to connect to path %.100s, " "but the request was denied.", path); |
4864 | return NULL((void *)0); |
4865 | } |
4866 | return connect_to(ssh, path, PORT_STREAMLOCAL-2, ctype, rname); |
4867 | } |
4868 | |
4869 | void |
4870 | channel_send_window_changes(struct ssh *ssh) |
4871 | { |
4872 | struct ssh_channels *sc = ssh->chanctxt; |
4873 | struct winsize ws; |
4874 | int r; |
4875 | u_int i; |
4876 | |
4877 | for (i = 0; i < sc->channels_alloc; i++) { |
4878 | if (sc->channels[i] == NULL((void *)0) || !sc->channels[i]->client_tty || |
4879 | sc->channels[i]->type != SSH_CHANNEL_OPEN4) |
4880 | continue; |
4881 | if (ioctl(sc->channels[i]->rfd, TIOCGWINSZ((unsigned long)0x40000000 | ((sizeof(struct winsize) & 0x1fff ) << 16) | ((('t')) << 8) | ((104))), &ws) == -1) |
4882 | continue; |
4883 | channel_request_start(ssh, i, "window-change", 0); |
4884 | if ((r = sshpkt_put_u32(ssh, (u_int)ws.ws_col)) != 0 || |
4885 | (r = sshpkt_put_u32(ssh, (u_int)ws.ws_row)) != 0 || |
4886 | (r = sshpkt_put_u32(ssh, (u_int)ws.ws_xpixel)) != 0 || |
4887 | (r = sshpkt_put_u32(ssh, (u_int)ws.ws_ypixel)) != 0 || |
4888 | (r = sshpkt_send(ssh)) != 0) |
4889 | fatal_fr(r, "channel %u; send window-change", i)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4889 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %u; send window-change" , i); |
4890 | } |
4891 | } |
4892 | |
4893 | /* Return RDYNAMIC_OPEN channel: channel allows SOCKS, but is not connected */ |
4894 | static Channel * |
4895 | rdynamic_connect_prepare(struct ssh *ssh, char *ctype, char *rname) |
4896 | { |
4897 | Channel *c; |
4898 | int r; |
4899 | |
4900 | c = channel_new(ssh, ctype, SSH_CHANNEL_RDYNAMIC_OPEN21, -1, -1, -1, |
4901 | CHAN_TCP_WINDOW_DEFAULT(64*(32*1024)), CHAN_TCP_PACKET_DEFAULT(32*1024), 0, rname, 1); |
4902 | c->host_port = 0; |
4903 | c->path = NULL((void *)0); |
4904 | |
4905 | /* |
4906 | * We need to open the channel before we have a FD, |
4907 | * so that we can get SOCKS header from peer. |
4908 | */ |
4909 | if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION91)) != 0 || |
4910 | (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
4911 | (r = sshpkt_put_u32(ssh, c->self)) != 0 || |
4912 | (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || |
4913 | (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) |
4914 | fatal_fr(r, "channel %i; confirm", c->self)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4914 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "channel %i; confirm", c ->self); |
4915 | return c; |
4916 | } |
4917 | |
4918 | /* Return CONNECTING socket to remote host:port or local socket path */ |
4919 | static int |
4920 | rdynamic_connect_finish(struct ssh *ssh, Channel *c) |
4921 | { |
4922 | struct ssh_channels *sc = ssh->chanctxt; |
4923 | struct permission_set *pset = &sc->local_perms; |
4924 | struct permission *perm; |
4925 | struct channel_connect cctx; |
4926 | u_int i, permit_adm = 1; |
4927 | int sock; |
4928 | |
4929 | if (pset->num_permitted_admin > 0) { |
4930 | permit_adm = 0; |
4931 | for (i = 0; i < pset->num_permitted_admin; i++) { |
4932 | perm = &pset->permitted_admin[i]; |
4933 | if (open_match(perm, c->path, c->host_port)) { |
4934 | permit_adm = 1; |
4935 | break; |
4936 | } |
4937 | } |
4938 | } |
4939 | if (!permit_adm) { |
4940 | debug_f("requested forward not permitted")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4940 , 1, SYSLOG_LEVEL_DEBUG1, ((void *)0), "requested forward not permitted" ); |
4941 | return -1; |
4942 | } |
4943 | |
4944 | memset(&cctx, 0, sizeof(cctx)); |
4945 | sock = connect_to_helper(ssh, c->path, c->host_port, SOCK_STREAM1, NULL((void *)0), |
4946 | NULL((void *)0), &cctx, NULL((void *)0), NULL((void *)0)); |
4947 | if (sock == -1) |
4948 | channel_connect_ctx_free(&cctx); |
4949 | else { |
4950 | /* similar to SSH_CHANNEL_CONNECTING but we've already sent the open */ |
4951 | c->type = SSH_CHANNEL_RDYNAMIC_FINISH22; |
4952 | c->connect_ctx = cctx; |
4953 | channel_register_fds(ssh, c, sock, sock, -1, 0, 1, 0); |
4954 | } |
4955 | return sock; |
4956 | } |
4957 | |
4958 | /* -- X11 forwarding */ |
4959 | |
4960 | /* |
4961 | * Creates an internet domain socket for listening for X11 connections. |
4962 | * Returns 0 and a suitable display number for the DISPLAY variable |
4963 | * stored in display_numberp , or -1 if an error occurs. |
4964 | */ |
4965 | int |
4966 | x11_create_display_inet(struct ssh *ssh, int x11_display_offset, |
4967 | int x11_use_localhost, int single_connection, |
4968 | u_int *display_numberp, int **chanids) |
4969 | { |
4970 | Channel *nc = NULL((void *)0); |
4971 | int display_number, sock; |
4972 | u_short port; |
4973 | struct addrinfo hints, *ai, *aitop; |
4974 | char strport[NI_MAXSERV32]; |
4975 | int gaierr, n, num_socks = 0, socks[NUM_SOCKS10]; |
4976 | |
4977 | if (chanids == NULL((void *)0)) |
4978 | return -1; |
4979 | |
4980 | for (display_number = x11_display_offset; |
4981 | display_number < MAX_DISPLAYS1000; |
4982 | display_number++) { |
4983 | port = 6000 + display_number; |
4984 | memset(&hints, 0, sizeof(hints)); |
4985 | hints.ai_family = ssh->chanctxt->IPv4or6; |
4986 | hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE1; |
4987 | hints.ai_socktype = SOCK_STREAM1; |
4988 | snprintf(strport, sizeof strport, "%d", port); |
4989 | if ((gaierr = getaddrinfo(NULL((void *)0), strport, |
4990 | &hints, &aitop)) != 0) { |
4991 | error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 4991 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "getaddrinfo: %.100s", ssh_gai_strerror (gaierr)); |
4992 | return -1; |
4993 | } |
4994 | for (ai = aitop; ai; ai = ai->ai_next) { |
4995 | if (ai->ai_family != AF_INET2 && |
4996 | ai->ai_family != AF_INET624) |
4997 | continue; |
4998 | sock = socket(ai->ai_family, ai->ai_socktype, |
4999 | ai->ai_protocol); |
5000 | if (sock == -1) { |
5001 | error("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5001 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "socket: %.100s", strerror ((*__errno()))); |
5002 | freeaddrinfo(aitop); |
5003 | return -1; |
5004 | } |
5005 | set_reuseaddr(sock); |
5006 | if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) { |
5007 | debug2_f("bind port %d: %.100s", port,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5008 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "bind port %d: %.100s" , port, strerror((*__errno()))) |
5008 | strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5008 , 1, SYSLOG_LEVEL_DEBUG2, ((void *)0), "bind port %d: %.100s" , port, strerror((*__errno()))); |
5009 | close(sock); |
5010 | for (n = 0; n < num_socks; n++) |
5011 | close(socks[n]); |
5012 | num_socks = 0; |
5013 | break; |
5014 | } |
5015 | socks[num_socks++] = sock; |
5016 | if (num_socks == NUM_SOCKS10) |
5017 | break; |
5018 | } |
5019 | freeaddrinfo(aitop); |
5020 | if (num_socks > 0) |
5021 | break; |
5022 | } |
5023 | if (display_number >= MAX_DISPLAYS1000) { |
5024 | error("Failed to allocate internet-domain X11 display socket.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5024 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Failed to allocate internet-domain X11 display socket." ); |
5025 | return -1; |
5026 | } |
5027 | /* Start listening for connections on the socket. */ |
5028 | for (n = 0; n < num_socks; n++) { |
5029 | sock = socks[n]; |
5030 | if (listen(sock, SSH_LISTEN_BACKLOG128) == -1) { |
5031 | error("listen: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5031 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "listen: %.100s", strerror ((*__errno()))); |
5032 | close(sock); |
5033 | return -1; |
5034 | } |
5035 | } |
5036 | |
5037 | /* Allocate a channel for each socket. */ |
5038 | *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); |
5039 | for (n = 0; n < num_socks; n++) { |
5040 | sock = socks[n]; |
5041 | nc = channel_new(ssh, "x11-listener", |
5042 | SSH_CHANNEL_X11_LISTENER1, sock, sock, -1, |
5043 | CHAN_X11_WINDOW_DEFAULT(4*(16*1024)), CHAN_X11_PACKET_DEFAULT(16*1024), |
5044 | 0, "X11 inet listener", 1); |
5045 | nc->single_connection = single_connection; |
5046 | (*chanids)[n] = nc->self; |
5047 | } |
5048 | (*chanids)[n] = -1; |
5049 | |
5050 | /* Return the display number for the DISPLAY environment variable. */ |
5051 | *display_numberp = display_number; |
5052 | return 0; |
5053 | } |
5054 | |
5055 | static int |
5056 | connect_local_xsocket(u_int dnr) |
5057 | { |
5058 | int sock; |
5059 | struct sockaddr_un addr; |
5060 | |
5061 | sock = socket(AF_UNIX1, SOCK_STREAM1, 0); |
5062 | if (sock == -1) |
5063 | error("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5063 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "socket: %.100s", strerror ((*__errno()))); |
5064 | memset(&addr, 0, sizeof(addr)); |
5065 | addr.sun_family = AF_UNIX1; |
5066 | snprintf(addr.sun_path, sizeof addr.sun_path, _PATH_UNIX_X"/tmp/.X11-unix/X%u", dnr); |
5067 | if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) |
5068 | return sock; |
5069 | close(sock); |
5070 | error("connect %.100s: %.100s", addr.sun_path, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5070 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect %.100s: %.100s" , addr.sun_path, strerror((*__errno()))); |
5071 | return -1; |
5072 | } |
5073 | |
5074 | int |
5075 | x11_connect_display(struct ssh *ssh) |
5076 | { |
5077 | u_int display_number; |
5078 | const char *display; |
5079 | char buf[1024], *cp; |
5080 | struct addrinfo hints, *ai, *aitop; |
5081 | char strport[NI_MAXSERV32]; |
5082 | int gaierr, sock = 0; |
5083 | |
5084 | /* Try to open a socket for the local X server. */ |
5085 | display = getenv("DISPLAY"); |
5086 | if (!display) { |
5087 | error("DISPLAY not set.")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5087 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "DISPLAY not set."); |
5088 | return -1; |
5089 | } |
5090 | /* |
5091 | * Now we decode the value of the DISPLAY variable and make a |
5092 | * connection to the real X server. |
5093 | */ |
5094 | |
5095 | /* |
5096 | * Check if it is a unix domain socket. Unix domain displays are in |
5097 | * one of the following formats: unix:d[.s], :d[.s], ::d[.s] |
5098 | */ |
5099 | if (strncmp(display, "unix:", 5) == 0 || |
5100 | display[0] == ':') { |
5101 | /* Connect to the unix domain socket. */ |
5102 | if (sscanf(strrchr(display, ':') + 1, "%u", |
5103 | &display_number) != 1) { |
5104 | error("Could not parse display number from DISPLAY: "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5105 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Could not parse display number from DISPLAY: " "%.100s", display) |
5105 | "%.100s", display)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5105 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Could not parse display number from DISPLAY: " "%.100s", display); |
5106 | return -1; |
5107 | } |
5108 | /* Create a socket. */ |
5109 | sock = connect_local_xsocket(display_number); |
5110 | if (sock < 0) |
5111 | return -1; |
5112 | |
5113 | /* OK, we now have a connection to the display. */ |
5114 | return sock; |
5115 | } |
5116 | /* |
5117 | * Connect to an inet socket. The DISPLAY value is supposedly |
5118 | * hostname:d[.s], where hostname may also be numeric IP address. |
5119 | */ |
5120 | strlcpy(buf, display, sizeof(buf)); |
5121 | cp = strchr(buf, ':'); |
5122 | if (!cp) { |
5123 | error("Could not find ':' in DISPLAY: %.100s", display)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5123 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Could not find ':' in DISPLAY: %.100s" , display); |
5124 | return -1; |
5125 | } |
5126 | *cp = 0; |
5127 | /* |
5128 | * buf now contains the host name. But first we parse the |
5129 | * display number. |
5130 | */ |
5131 | if (sscanf(cp + 1, "%u", &display_number) != 1) { |
5132 | error("Could not parse display number from DISPLAY: %.100s",sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5133 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Could not parse display number from DISPLAY: %.100s" , display) |
5133 | display)sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5133 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "Could not parse display number from DISPLAY: %.100s" , display); |
5134 | return -1; |
5135 | } |
5136 | |
5137 | /* Look up the host address */ |
5138 | memset(&hints, 0, sizeof(hints)); |
5139 | hints.ai_family = ssh->chanctxt->IPv4or6; |
5140 | hints.ai_socktype = SOCK_STREAM1; |
5141 | snprintf(strport, sizeof strport, "%u", 6000 + display_number); |
5142 | if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { |
5143 | error("%.100s: unknown host. (%s)", buf,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5144 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "%.100s: unknown host. (%s)" , buf, ssh_gai_strerror(gaierr)) |
5144 | ssh_gai_strerror(gaierr))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5144 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "%.100s: unknown host. (%s)" , buf, ssh_gai_strerror(gaierr)); |
5145 | return -1; |
5146 | } |
5147 | for (ai = aitop; ai; ai = ai->ai_next) { |
5148 | /* Create a socket. */ |
5149 | sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); |
5150 | if (sock == -1) { |
5151 | debug2("socket: %.100s", strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5151 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "socket: %.100s", strerror ((*__errno()))); |
5152 | continue; |
5153 | } |
5154 | /* Connect it to the display. */ |
5155 | if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) { |
5156 | debug2("connect %.100s port %u: %.100s", buf,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5157 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "connect %.100s port %u: %.100s" , buf, 6000 + display_number, strerror((*__errno()))) |
5157 | 6000 + display_number, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5157 , 0, SYSLOG_LEVEL_DEBUG2, ((void *)0), "connect %.100s port %u: %.100s" , buf, 6000 + display_number, strerror((*__errno()))); |
5158 | close(sock); |
5159 | continue; |
5160 | } |
5161 | /* Success */ |
5162 | break; |
5163 | } |
5164 | freeaddrinfo(aitop); |
5165 | if (!ai) { |
5166 | error("connect %.100s port %u: %.100s", buf,sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5167 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect %.100s port %u: %.100s" , buf, 6000 + display_number, strerror((*__errno()))) |
5167 | 6000 + display_number, strerror(errno))sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5167 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "connect %.100s port %u: %.100s" , buf, 6000 + display_number, strerror((*__errno()))); |
5168 | return -1; |
5169 | } |
5170 | set_nodelay(sock); |
5171 | return sock; |
5172 | } |
5173 | |
5174 | /* |
5175 | * Requests forwarding of X11 connections, generates fake authentication |
5176 | * data, and enables authentication spoofing. |
5177 | * This should be called in the client only. |
5178 | */ |
5179 | void |
5180 | x11_request_forwarding_with_spoofing(struct ssh *ssh, int client_session_id, |
5181 | const char *disp, const char *proto, const char *data, int want_reply) |
5182 | { |
5183 | struct ssh_channels *sc = ssh->chanctxt; |
5184 | u_int data_len = (u_int) strlen(data) / 2; |
5185 | u_int i, value; |
5186 | const char *cp; |
5187 | char *new_data; |
5188 | int r, screen_number; |
5189 | |
5190 | if (sc->x11_saved_display == NULL((void *)0)) |
5191 | sc->x11_saved_display = xstrdup(disp); |
5192 | else if (strcmp(disp, sc->x11_saved_display) != 0) { |
5193 | error("x11_request_forwarding_with_spoofing: different "sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5194 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "x11_request_forwarding_with_spoofing: different " "$DISPLAY already forwarded") |
5194 | "$DISPLAY already forwarded")sshlog("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5194 , 0, SYSLOG_LEVEL_ERROR, ((void *)0), "x11_request_forwarding_with_spoofing: different " "$DISPLAY already forwarded"); |
5195 | return; |
5196 | } |
5197 | |
5198 | cp = strchr(disp, ':'); |
5199 | if (cp) |
5200 | cp = strchr(cp, '.'); |
5201 | if (cp) |
5202 | screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL((void *)0)); |
5203 | else |
5204 | screen_number = 0; |
5205 | |
5206 | if (sc->x11_saved_proto == NULL((void *)0)) { |
5207 | /* Save protocol name. */ |
5208 | sc->x11_saved_proto = xstrdup(proto); |
5209 | |
5210 | /* Extract real authentication data. */ |
5211 | sc->x11_saved_data = xmalloc(data_len); |
5212 | for (i = 0; i < data_len; i++) { |
5213 | if (sscanf(data + 2 * i, "%2x", &value) != 1) { |
5214 | fatal("x11_request_forwarding: bad "sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5215 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "x11_request_forwarding: bad " "authentication data: %.100s", data) |
5215 | "authentication data: %.100s", data)sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5215 , 0, SYSLOG_LEVEL_FATAL, ((void *)0), "x11_request_forwarding: bad " "authentication data: %.100s", data); |
5216 | } |
5217 | sc->x11_saved_data[i] = value; |
5218 | } |
5219 | sc->x11_saved_data_len = data_len; |
5220 | |
5221 | /* Generate fake data of the same length. */ |
5222 | sc->x11_fake_data = xmalloc(data_len); |
5223 | arc4random_buf(sc->x11_fake_data, data_len); |
5224 | sc->x11_fake_data_len = data_len; |
5225 | } |
5226 | |
5227 | /* Convert the fake data into hex. */ |
5228 | new_data = tohex(sc->x11_fake_data, data_len); |
5229 | |
5230 | /* Send the request packet. */ |
5231 | channel_request_start(ssh, client_session_id, "x11-req", want_reply); |
5232 | if ((r = sshpkt_put_u8(ssh, 0)) != 0 || /* bool: single connection */ |
5233 | (r = sshpkt_put_cstring(ssh, proto)) != 0 || |
5234 | (r = sshpkt_put_cstring(ssh, new_data)) != 0 || |
5235 | (r = sshpkt_put_u32(ssh, screen_number)) != 0 || |
5236 | (r = sshpkt_send(ssh)) != 0 || |
5237 | (r = ssh_packet_write_wait(ssh)) != 0) |
5238 | fatal_fr(r, "send x11-req")sshfatal("/usr/src/usr.bin/ssh/ssh/../channels.c", __func__, 5238 , 1, SYSLOG_LEVEL_FATAL, ssh_err(r), "send x11-req"); |
5239 | free(new_data); |
5240 | } |