Revision: 8599 https://osdn.net/projects/ttssh2/scm/svn/commits/8599 Author: doda Date: 2020-03-17 00:19:23 +0900 (Tue, 17 Mar 2020) Log Message: ----------- チャネル関連のメッセージ送信前にリモートのチャネル番号のチェックを追加した。 Ticket: #40225, #40226 問題: SSH接続で認証直後にウィンドウサイズを変更、またはSend Breakを実行すると 切断される。 原因: SSH_MSG_CHANNEL_REQUEST で remote id に不正な値をセットして送っていた。 対処: チャネル関連のメッセージを送信する時に remote id の値をチェックする ようにした。 Ticket Links: ------------ https://osdn.net/projects/ttssh2/tracker/detail/40225 https://osdn.net/projects/ttssh2/tracker/detail/40226 Modified Paths: -------------- trunk/ttssh2/ttxssh/ssh.c trunk/ttssh2/ttxssh/ttxssh.h -------------- next part -------------- Modified: trunk/ttssh2/ttxssh/ssh.c =================================================================== --- trunk/ttssh2/ttxssh/ssh.c 2020-03-15 15:24:18 UTC (rev 8598) +++ trunk/ttssh2/ttxssh/ssh.c 2020-03-16 15:19:23 UTC (rev 8599) @@ -314,7 +314,7 @@ memset(c, 0, sizeof(Channel_t)); c->used = 1; c->self_id = i; - c->remote_id = -1; + c->remote_id = SSH_CHANNEL_INVALID; c->local_window = window; c->local_window_max = window; c->local_consumed = 0; @@ -3155,11 +3155,16 @@ logprintf(LOG_LEVEL_ERROR, "%s: shell channel not found.", __FUNCTION__); return; } + if (c->remote_id == SSH_CHANNEL_INVALID) { + // \x82\xB1\x82͔̏F\x8F؊\xAE\x97\xB9\x92\xBC\x8C\xE3\x82ɃE\x83B\x83\x93\x83h\x83E\x83T\x83C\x83Y\x82\xF0\x95ύX\x82\xB7\x82\xE9\x82Ɣ\xAD\x90\xB6\x82\xB7\x82\xE9\x81B + // \x82܂\xBE\x83V\x83F\x83\x8B\x82̃`\x83\x83\x83l\x83\x8B\x82ɑ\xB7\x82\xE9 SSH_MSG_OPEN_CONFIRMATION \x82\xF0\x8EĂ\xA2\x82Ȃ\xA2\x82̂ŁA + // \x91\x8A\x8E葤\x82̃`\x83\x83\x83l\x83\x8B\x94ԍ\x86\x82\xAA\x94\xBB\x82\xE7\x82Ȃ\xA2\x82̂\xC5 window-change \x83\x81\x83b\x83Z\x81[\x83W\x82͑\x97\x82\xE7\x82Ȃ\xA2\x81B + logprintf(LOG_LEVEL_WARNING, "%s: remote shell channel number is unknown.", __FUNCTION__); + return; + } - msg = buffer_init(); if (msg == NULL) { - // TODO: error check logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__); return; } 
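Review bot: `c->remote_id = SSH_CHANNEL_INVALID;` in the hunk at -314 turns the sentinel into an in-band value for a field the peer later fills in. The hunk at -8407 shows `remote_id = get_uint32_MSBfirst(data);` taken straight from the packet, and the `// TODO: id check` above it is removed without a check being added. The definition of SSH_CHANNEL_INVALID is not visible here, but the replaced line used -1; if it is still -1, a server that announces channel number 0xFFFFFFFF would leave the channel looking unconfirmed, and every guard added in this commit would refuse to use it. Consider a separate "confirmed" flag on Channel_t, or reject that value where the peer's number is parsed, and document the invariant with a comment such as `// remote_id stays SSH_CHANNEL_INVALID until the peer's open confirmation is processed`. The enclosing function starts and ends outside the hunk.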
@@ -3204,6 +3209,13 @@ logprintf(LOG_LEVEL_ERROR, "%s: shell channel not found.", __FUNCTION__); goto error; } + if (c->remote_id == SSH_CHANNEL_INVALID) { + // \x94F\x8Fؒ\xBC\x8C\xE3\x82\xC9 send break \x82\xF0\x8Ds\x82\xA4\x82Ɣ\xAD\x90\xB6\x82\xB7\x82\xE9 + // \x82܂\xBE\x83V\x83F\x83\x8B\x82̃`\x83\x83\x83l\x83\x8B\x82ɑ\xB7\x82\xE9 SSH_MSG_OPEN_CONFIRMATION \x82\xF0\x8EĂ\xA2\x82Ȃ\xA2\x82̂ŁA + // \x91\x8A\x8E葤\x82̃`\x83\x83\x83l\x83\x8B\x94ԍ\x86\x82\xAA\x94\xBB\x82\xE7\x82Ȃ\xA2\x82̂\xC5 break \x83\x81\x83b\x83Z\x81[\x83W\x82͑\x97\x82\xE7\x82Ȃ\xA2\x81B + logprintf(LOG_LEVEL_WARNING, "%s: remote shell channel number is unknown.", __FUNCTION__); + goto error; + } msg = buffer_init(); if (msg == NULL) { @@ -3353,7 +3365,7 @@ } else { // for SSH2(yutaka) Channel_t *c = ssh2_channel_lookup(pvar->shell_id); - if (c == NULL) { + if (c == NULL || c->remote_id == SSH_CHANNEL_INVALID) { logprintf(LOG_LEVEL_ERROR, "%s: shell channel not found.", __FUNCTION__); } else { @@ -3566,7 +3578,6 @@ pvar->session_id_len = 0; pvar->userauth_success = 0; - //pvar->remote_id = 0; pvar->shell_id = SSH_CHANNEL_INVALID; pvar->session_nego_status = 0; @@ -3646,7 +3657,6 @@ if (buflen > 0) { msg = buffer_init(); if (msg == NULL) { - // TODO: error check logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__); return; } @@ -3775,7 +3785,6 @@ msg = buffer_init(); if (msg == NULL) { - // TODO: error check logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__); return; } @@ -3854,7 +3863,6 @@ msg = buffer_init(); if (msg == NULL) { - // TODO: error check logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__); return; } @@ -4023,7 +4031,6 @@ msg = buffer_init(); if (msg == NULL) { - // TODO: error check logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__); return; } 
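Review bot: The merged condition in the hunk at -3353, `if (c == NULL || c->remote_id == SSH_CHANNEL_INVALID)`, reports both cases as "shell channel not found." at LOG_LEVEL_ERROR. The hunks at -3155 and -3204 log the second case as "remote shell channel number is unknown." at LOG_LEVEL_WARNING. Someone reading the log cannot tell a missing channel from one that is only awaiting confirmation, and the severity differs for the same condition. A separate branch would keep them apart: `else if (c->remote_id == SSH_CHANNEL_INVALID) { logprintf(LOG_LEVEL_WARNING, "%s: remote shell channel number is unknown.", __FUNCTION__); }`. The enclosing function continues outside the hunk.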
@@ -4033,6 +4040,10 @@ logprintf(LOG_LEVEL_ERROR, "%s: shell channel not found.", __FUNCTION__); return; } + if (c->remote_id == SSH_CHANNEL_INVALID) { + logprintf(LOG_LEVEL_ERROR, "%s: remote shell channel number is unknown.", __FUNCTION__); + return; + } // making the fake data newlen = 2 * auth_data_len + 1; @@ -8259,8 +8270,13 @@ msg = buffer_init(); if (msg == NULL) { + logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__); return FALSE; } + if (c->remote_id == SSH_CHANNEL_INVALID) { + logprintf(LOG_LEVEL_ERROR, "%s: invalid remote channel number (%d).", __FUNCTION__, c->remote_id); + return FALSE; + } buffer_put_int(msg, c->remote_id); buffer_put_string(msg, req, strlen(req)); @@ -8301,13 +8317,11 @@ // pty open msg = buffer_init(); if (msg == NULL) { - // TODO: error check logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL. (msg)", __FUNCTION__); return FALSE; } ttymsg = buffer_init(); if (ttymsg == NULL) { - // TODO: error check logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL. (ttymsg)", __FUNCTION__); buffer_free(msg); return FALSE; @@ -8407,12 +8421,10 @@ c = ssh2_channel_lookup(id); if (c == NULL) { - // TODO: logprintf(LOG_LEVEL_ERROR, "%s: channel not found. (%d)", __FUNCTION__, id); return FALSE; } - // TODO: id check remote_id = get_uint32_MSBfirst(data); data += 4; @@ -8521,7 +8533,6 @@ c = ssh2_channel_lookup(id); if (c == NULL) { - // TODO: SSH2_MSG_DISCONNECT\x82𑗂\xE9 logprintf(LOG_LEVEL_ERROR, "%s: channel not found. (%d)", __FUNCTION__, id); return FALSE; } 
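Review bot: The guard added in the hunk at -8259 returns FALSE after `msg = buffer_init();` has succeeded, so the buffer is leaked whenever the remote channel number is still invalid. Either move the `c->remote_id == SSH_CHANNEL_INVALID` test above the `buffer_init()` call, or add `buffer_free(msg);` before that `return FALSE;`, as the ttymsg failure path in the hunk at -8301 already does. The hunk at -4033 looks like the same pattern: the preceding hunk at -4023 shows `msg = buffer_init();` a few lines earlier, and both the old "shell channel not found" return and the new one exit without freeing it. The full function is outside the hunk, so this should be confirmed. The added `%d` argument in the new log line always prints the sentinel value, so it adds nothing; the local channel number would be more useful there.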
@@ -8664,13 +8675,15 @@ pvar->session_nego_status); if (pvar->session_nego_status == 1) { - // find channel by shell id(2005.2.27 yutaka) c = ssh2_channel_lookup(pvar->shell_id); if (c == NULL) { - // TODO: error check logprintf(LOG_LEVEL_ERROR, "%s: shell channel not found.", __FUNCTION__); return FALSE; } + if (c->remote_id == SSH_CHANNEL_INVALID) { + logprintf(LOG_LEVEL_ERROR, "%s: remote shell channel number is unknown.", __FUNCTION__); + return FALSE; + } pvar->agentfwd_enable = TRUE; return send_pty_request(pvar, c); @@ -8677,13 +8690,15 @@ } else if (pvar->session_nego_status == 2) { pvar->session_nego_status = 3; - // find channel by shell id(2005.2.27 yutaka) c = ssh2_channel_lookup(pvar->shell_id); if (c == NULL) { - // TODO: error check logprintf(LOG_LEVEL_ERROR, "%s: shell channel not found.", __FUNCTION__); return FALSE; } + if (c->remote_id == SSH_CHANNEL_INVALID) { + logprintf(LOG_LEVEL_ERROR, "%s: remote shell channel number is unknown.", __FUNCTION__); + return FALSE; + } if (!send_channel_request_gen(pvar, c, "shell", want_reply, NULL, NULL)) { return FALSE;; @@ -8716,7 +8731,6 @@ c = ssh2_channel_lookup(channel_id); if (c == NULL) { - // TODO: error check logprintf(LOG_LEVEL_ERROR, "%s: channel not found. (%d)", __FUNCTION__, channel_id); return FALSE; } @@ -8765,7 +8779,6 @@ // pty open msg = buffer_init(); if (msg == NULL) { - // TODO: error check logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__); return; } @@ -8801,7 +8814,6 @@ // SSH2 server\x82\xC9channel close\x82\xF0\x93`\x82\xA6\x82\xE9 msg = buffer_init(); if (msg == NULL) { - // TODO: error check logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__); return; } 
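Review bot: In the hunk at -8677, `pvar->session_nego_status = 3;` runs before the channel lookup and the new `c->remote_id == SSH_CHANNEL_INVALID` guard. When the guard returns FALSE the state has already advanced, even though the "shell" request was never sent. What the caller does with FALSE is not visible here. If the session can continue, the negotiation state no longer matches what was put on the wire. Assigning the new status only after `send_channel_request_gen(...)` succeeds would keep the two in step. The same guard now also sits inside send_channel_request_gen (hunk at -8259), so a comment saying which of the two is authoritative would help. The enclosing function starts and ends outside the hunk.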
@@ -9481,10 +9493,13 @@ c = ssh2_channel_lookup(id); if (c == NULL) { - // TODO: logprintf(LOG_LEVEL_ERROR, "%s: channel not found. (%d)", __FUNCTION__, id); return FALSE; } + if (c->remote_id == SSH_CHANNEL_INVALID) { + logprintf(LOG_LEVEL_ERROR, "%s: remote shell channel number is unknown.", __FUNCTION__); + return FALSE; + } // string length str_len = get_uint32_MSBfirst(data); @@ -9502,7 +9517,6 @@ "len:%d local_maxpacket:%d", __FUNCTION__, str_len, c->local_maxpacket); } if (str_len > c->local_window) { - // TODO: logging // local window size\x82\xE6\x82\xE8\x91傫\x82ȃp\x83P\x83b\x83g\x82͎̂Ă\xE9 logprintf(LOG_LEVEL_WARNING, "%s: Data length is larger than local_window. " "len:%d local_window:%d", __FUNCTION__, str_len, c->local_window); @@ -9566,10 +9580,13 @@ c = ssh2_channel_lookup(id); if (c == NULL) { - // TODO: logprintf(LOG_LEVEL_ERROR, "%s: channel not found. (%d)", __FUNCTION__, id); return FALSE; } + if (c->remote_id == SSH_CHANNEL_INVALID) { + logprintf(LOG_LEVEL_ERROR, "%s: remote shell channel number is unknown.", __FUNCTION__); + return FALSE; + } // data_type_code data_type = get_uint32_MSBfirst(data); @@ -9581,12 +9598,10 @@ // \x83o\x83b\x83t\x83@\x83T\x83C\x83Y\x82̃`\x83F\x83b\x83N if (strlen > c->local_maxpacket) { - // TODO: logging logprintf(LOG_LEVEL_WARNING, "%s: Data length is larger than local_maxpacket. " "len:%d local_maxpacket:%d", __FUNCTION__, strlen, c->local_maxpacket); } if (strlen > c->local_window) { - // TODO: logging // local window size\x82\xE6\x82\xE8\x91傫\x82ȃp\x83P\x83b\x83g\x82͎̂Ă\xE9 logprintf(LOG_LEVEL_WARNING, "%s: Data length is larger than local_window. " "len:%d local_window:%d", __FUNCTION__, strlen, c->local_window); @@ -9644,7 +9659,6 @@ c = ssh2_channel_lookup(id); if (c == NULL) { - // TODO: logprintf(LOG_LEVEL_ERROR, "%s: channel not found. (%d)", __FUNCTION__, id); return FALSE; } 
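Review bot: The new guards in the receive handlers at -9481 and -9566 log "remote shell channel number is unknown.", but `c` comes from `ssh2_channel_lookup(id)` with `id` taken from the incoming packet, so it need not be the shell channel. Unlike the "channel not found. (%d)" line just above, the message also omits the id. The same wording is repeated in the hunks at -9910 and -10007. Rejecting peer data for a channel that was never confirmed is a sound check, and the log line is what an analyst will use to spot a misbehaving server, so it should name the channel, e.g. `logprintf(LOG_LEVEL_ERROR, "%s: remote channel number is unknown. (%d)", __FUNCTION__, id);`. The identical three-line check now appears about a dozen times; a small static helper that logs and returns a boolean would keep message and severity consistent. These handlers start and end outside the hunks.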
@@ -9762,8 +9776,7 @@ free(orig_str); - // X server(port 6000)\x82ڑ\xB1\x82\xB7\x82\xE9\x81B\x90ڑ\xB1\x82Ɏ\xB8\x94s\x82\xB7\x82\xE9\x82\xC6Tera Term\x8E\xA9\x90g\x82\xAA\x90ؒf\x82\xB3\x82\xEA\x82\xE9\x81B - // TODO: \x8F\xAB\x97\x88\x81A\x90ؒf\x82\xB3\x82\xEA\x82Ȃ\xA2\x82悤\x82ɂ\xB5\x82\xBD\x82\xA2\x81B(2005.7.3 yutaka) + // X server \x82ڑ\xB1\x82\xB7\x82\xE9\x81B FWD_X11_open(pvar, remote_id, NULL, 0, &chan_num); // channel\x82\xF0\x83A\x83\x8D\x83P\x81[\x83g\x82\xB5\x81A\x95K\x97v\x82ȏ\xEE\x95\xF1\x81iremote window size\x81j\x82\xF0\x82\xB1\x82\xB1\x82Ŏ\xE6\x82\xC1\x82Ă\xA8\x82\xAD\x81B @@ -9800,7 +9813,6 @@ else { msg = buffer_init(); if (msg == NULL) { - // TODO: error check logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__); return FALSE; } @@ -9850,7 +9862,6 @@ data += 4; c = ssh2_channel_lookup(id); if (c == NULL) { - // TODO: logprintf(LOG_LEVEL_ERROR, "%s: channel not found. (%d)", __FUNCTION__, id); return FALSE; } @@ -9910,10 +9921,13 @@ data += 4; c = ssh2_channel_lookup(id); if (c == NULL) { - // TODO: logprintf(LOG_LEVEL_ERROR, "%s: channel not found. (%d)", __FUNCTION__, id); return FALSE; } + if (c->remote_id == SSH_CHANNEL_INVALID) { + logprintf(LOG_LEVEL_ERROR, "%s: remote shell channel number is unknown.", __FUNCTION__); + return FALSE; + } request = buffer_get_string(&data, NULL); @@ -9956,7 +9970,6 @@ msg = buffer_init(); if (msg == NULL) { - // TODO: error check logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__); return FALSE; } 
@@ -10007,6 +10020,10 @@ logprintf(LOG_LEVEL_WARNING, "%s: channel not found. (%d)", __FUNCTION__, id); return TRUE; } + if (c->remote_id == SSH_CHANNEL_INVALID) { + logprintf(LOG_LEVEL_ERROR, "%s: remote shell channel number is unknown.", __FUNCTION__); + return FALSE; + } adjust = get_uint32_MSBfirst(data); data += 4; Modified: trunk/ttssh2/ttxssh/ttxssh.h =================================================================== --- trunk/ttssh2/ttxssh/ttxssh.h 2020-03-15 15:24:18 UTC (rev 8598) +++ trunk/ttssh2/ttxssh/ttxssh.h 2020-03-16 15:19:23 UTC (rev 8599) @@ -281,7 +281,6 @@ EVP_CIPHER_CTX *evpcip[MODE_MAX]; int userauth_success; int shell_id; - /*int remote_id;*/ int session_nego_status; /* unsigned int local_window;
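Review bot: In the hunk at -10007 the two adjacent failure branches disagree. A channel that does not exist is logged at LOG_LEVEL_WARNING and answered with `return TRUE;`, while a channel that exists but has no remote number yet is logged at LOG_LEVEL_ERROR and answered with `return FALSE;`. What FALSE means to the dispatcher is not visible here. If it ends the connection, a window-adjust message that arrives early is treated more harshly than one for a channel that was never opened. Please confirm which outcome is intended and record it next to the check, for example `// peer sent WINDOW_ADJUST before the channel was confirmed: treated as a protocol error`. The handler starts and ends outside the hunk.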