dropbear: common-channel.c comparison

comparison common-channel.c @ 707:564e7f87ecc3

Fix memory leak when direct TCP connections time out on connection. Long-standing bug probably stemming from the awkwardly named delete_channel() versus remove_channel()

author	Matt Johnston <matt@ucc.asn.au>
date	Tue, 19 Mar 2013 23:54:32 +0800
parents	c519b78b6d1a
children	abd99ecd7ec2

comparison

equal deleted inserted replaced

-:002cf09827c0
+:564e7f87ecc3
 		unsigned int incr);
 static void send_msg_channel_data(struct Channel *channel, int isextended);
 static void send_msg_channel_eof(struct Channel *channel);
 static void send_msg_channel_close(struct Channel *channel);
 static void remove_channel(struct Channel *channel);
-static void delete_channel(struct Channel *channel);
 static void check_in_progress(struct Channel *channel);
 static unsigned int write_pending(struct Channel * channel);
 static void check_close(struct Channel *channel);
 static void close_chan_fd(struct Channel *channel, int fd, int how);
 	}
 	m_free(ses.channels);
 	TRACE(("leave chancleanup"))
 }
+static void
+chan_initwritebuf(struct Channel *channel)
+{
+	dropbear_assert(channel->writebuf == NULL && channel->recvwindow == 0);
+	channel->writebuf = cbuf_new(opts.recv_window);
+	channel->recvwindow = opts.recv_window;
+}
 /* Create a new channel entry, send a reply confirm or failure */
 /* If remotechan, transwindow and transmaxpacket are not know (for a new
 * outgoing connection, with them to be filled on confirmation), they should
 * all be set to 0 */
-struct Channel* newchannel(unsigned int remotechan,
+static struct Channel* newchannel(unsigned int remotechan,
 		const struct ChanType *type,
 		unsigned int transwindow, unsigned int transmaxpacket) {
 	struct Channel * newchan;
 	unsigned int i, j;
 	newchan->errfd = FD_CLOSED; /* this isn't always set to start with */
 	newchan->initconn = 0;
 	newchan->await_open = 0;
 	newchan->flushing = 0;
-	newchan->writebuf = cbuf_new(opts.recv_window);
+	newchan->writebuf = NULL;
+	newchan->recvwindow = 0;
 	newchan->extrabuf = NULL; /* The user code can set it up */
-	newchan->recvwindow = opts.recv_window;
 	newchan->recvdonelen = 0;
 	newchan->recvmaxpacket = RECV_MAX_PAYLOAD_LEN;
 	ses.channels[i] = newchan;
 	ses.chancount++;
 				/* XXX should this go somewhere cleaner? */
 				check_in_progress(channel);
 				continue; /* Important not to use the channel after
 							 check_in_progress(), as it may be NULL */
 			}
+			dropbear_assert(channel->writebuf);
 			writechannel(channel, channel->writefd, channel->writebuf);
 		}
 		/* stderr for client mode */
 		if (ERRFD_IS_WRITE(channel)
 /* Returns true if there is data remaining to be written to stdin or
 * stderr of a channel's endpoint. */
 static unsigned int write_pending(struct Channel * channel) {
-	if (channel->writefd >= 0 && cbuf_getused(channel->writebuf) > 0) {
+	if (channel->writefd >= 0
+			&& channel->writebuf
+			&& cbuf_getused(channel->writebuf) > 0) {
 		return 1;
 	} else if (channel->errfd >= 0 && channel->extrabuf &&
 			cbuf_getused(channel->extrabuf) > 0) {
 		return 1;
 	}
 	TRACE(("check_close: writefd %d, readfd %d, errfd %d, sent_close %d, recv_close %d",
 				channel->writefd, channel->readfd,
 				channel->errfd, channel->sent_close, channel->recv_close))
 	TRACE(("writebuf size %d extrabuf size %d",
-				cbuf_getused(channel->writebuf),
+				channel->writebuf ? cbuf_getused(channel->writebuf) : 0,
 				channel->extrabuf ? cbuf_getused(channel->extrabuf) : 0))
 	if (!channel->flushing
 		&& !channel->close_handler_done
 		&& channel->type->check_close
 	if (getsockopt(channel->writefd, SOL_SOCKET, SO_ERROR, &val, &vallen)
 			|| val != 0) {
 		send_msg_channel_open_failure(channel->remotechan,
 				SSH_OPEN_CONNECT_FAILED, "", "");
 		close(channel->writefd);
-		delete_channel(channel);
+		remove_channel(channel);
 		TRACE(("leave check_in_progress: fail"))
 	} else {
+		chan_initwritebuf(channel);
 		send_msg_channel_open_confirmation(channel, channel->recvwindow,
 				channel->recvmaxpacket);
 		channel->readfd = channel->writefd;
 		channel->initconn = 0;
 		TRACE(("leave check_in_progress: success"))
 		channel->recvwindow += channel->recvdonelen;
 		channel->recvdonelen = 0;
 	}
 	dropbear_assert(channel->recvwindow <= opts.recv_window);
-	dropbear_assert(channel->recvwindow <= cbuf_getavail(channel->writebuf));
+	dropbear_assert(channel->writebuf == NULL ||
+			channel->recvwindow <= cbuf_getavail(channel->writebuf));
 	dropbear_assert(channel->extrabuf == NULL ||
 			channel->recvwindow <= cbuf_getavail(channel->extrabuf));
 	TRACE(("leave writechannel"))
 }
 					FD_SET(channel->errfd, readfds);
 			}
 		}
 		/* Stuff from the wire */
-		if ((channel->writefd >= 0 && cbuf_getused(channel->writebuf) > 0 )
+		if (channel->initconn
-				|| channel->initconn) {
+			||(channel->writefd >= 0 && cbuf_getused(channel->writebuf) > 0)) {
 				FD_SET(channel->writefd, writefds);
 		}
 		if (ERRFD_IS_WRITE(channel) && channel->errfd >= 0
-				&& cbuf_getused(channel->extrabuf) > 0 ) {
+				&& cbuf_getused(channel->extrabuf) > 0) {
 				FD_SET(channel->errfd, writefds);
 		}
 	} /* foreach channel */
 static void remove_channel(struct Channel * channel) {
 	TRACE(("enter remove_channel"))
 	TRACE(("channel index is %d", channel->index))
-	cbuf_free(channel->writebuf);
+	if (channel->writebuf) {
-	channel->writebuf = NULL;
+		cbuf_free(channel->writebuf);
+		channel->writebuf = NULL;
+	}
 	if (channel->extrabuf) {
 		cbuf_free(channel->extrabuf);
 		channel->extrabuf = NULL;
 	}
 	TRACE(("CLOSE errfd %d", channel->errfd))
 	close(channel->errfd);
 	channel->typedata = NULL;
-	delete_channel(channel);
-	TRACE(("leave remove_channel"))
-}
-/* Remove a channel entry */
-static void delete_channel(struct Channel *channel) {
 	ses.channels[channel->index] = NULL;
 	m_free(channel);
 	ses.chancount--;
-}
+	TRACE(("leave remove_channel"))
+}
 /* Handle channel specific requests, passing off to corresponding handlers
 * such as chansession or x11fwd */
 void recv_msg_channel_request() {
 	if (channel->recv_eof) {
 		dropbear_exit("Received data after eof");
 	}
-	if (fd < 0) {
+	if (fd < 0 || !cbuf) {
 		/* If we have encountered failed write, the far side might still
 		 * be sending data without having yet received our close notification.
 		 * We just drop the data. */
 		return;
 	}
 			/* We'll send the confirmation later */
 			goto cleanup;
 		}
 		if (ret > 0) {
 			errtype = ret;
-			delete_channel(channel);
+			remove_channel(channel);
 			TRACE(("inithandler returned failure %d", ret))
 			goto failure;
 		}
 	}
+	chan_initwritebuf(channel);
 	/* success */
 	send_msg_channel_open_confirmation(channel, channel->recvwindow,
 			channel->recvmaxpacket);
 	goto cleanup;
 	if (!chan) {
 		TRACE(("leave send_msg_channel_open_init() - FAILED in newchannel()"))
 		return DROPBEAR_FAILURE;
 	}
+	/* Outbound opened channels don't make use of in-progress connections,
+	 * we can set it up straight away */
+	chan_initwritebuf(chan);
 	/* set fd non-blocking */
 	setnonblocking(fd);
 	chan->writefd = chan->readfd = fd;
 	ses.maxfd = MAX(ses.maxfd, fd);

Mercurial > dropbear

comparison common-channel.c @ 707:564e7f87ecc3