[Ttssh2-commit] [8599] チャネル関連のメッセージ送信前にリモートのチャネル番号のチェックを追加した。

scmno****@osdn***** scmno****@osdn*****
2020年 3月 17日 (火) 00:19:23 JST


Revision: 8599
          https://osdn.net/projects/ttssh2/scm/svn/commits/8599
Author:   doda
Date:     2020-03-17 00:19:23 +0900 (Tue, 17 Mar 2020)
Log Message:
-----------
チャネル関連のメッセージ送信前にリモートのチャネル番号のチェックを追加した。

Ticket: #40225, #40226

問題:
  SSH接続で認証直後にウィンドウサイズを変更、またはSend Breakを実行すると
  切断される。

原因:
  SSH_MSG_CHANNEL_REQUEST で remote id に不正な値をセットして送っていた。

対処:
  チャネル関連のメッセージを送信する時に remote id の値をチェックする
  ようにした。

Ticket Links:
------------
    https://osdn.net/projects/ttssh2/tracker/detail/40225
    https://osdn.net/projects/ttssh2/tracker/detail/40226

Modified Paths:
--------------
    trunk/ttssh2/ttxssh/ssh.c
    trunk/ttssh2/ttxssh/ttxssh.h

-------------- next part --------------
Modified: trunk/ttssh2/ttxssh/ssh.c
===================================================================
--- trunk/ttssh2/ttxssh/ssh.c	2020-03-15 15:24:18 UTC (rev 8598)
+++ trunk/ttssh2/ttxssh/ssh.c	2020-03-16 15:19:23 UTC (rev 8599)
@@ -314,7 +314,7 @@
 	memset(c, 0, sizeof(Channel_t));
 	c->used = 1;
 	c->self_id = i;
-	c->remote_id = -1;
+	c->remote_id = SSH_CHANNEL_INVALID;
 	c->local_window = window;
 	c->local_window_max = window;
 	c->local_consumed = 0;
@@ -3155,11 +3155,16 @@
 			logprintf(LOG_LEVEL_ERROR, "%s: shell channel not found.", __FUNCTION__);
 			return;
 		}
+		if (c->remote_id == SSH_CHANNEL_INVALID) {
+			// \x82\xB1\x82̏󋵂͔F\x8F؊\xAE\x97\xB9\x92\xBC\x8C\xE3\x82ɃE\x83B\x83\x93\x83h\x83E\x83T\x83C\x83Y\x82\xF0\x95ύX\x82\xB7\x82\xE9\x82Ɣ\xAD\x90\xB6\x82\xB7\x82\xE9\x81B
+			// \x82܂\xBE\x83V\x83F\x83\x8B\x82̃`\x83\x83\x83l\x83\x8B\x82ɑ΂\xB7\x82\xE9 SSH_MSG_OPEN_CONFIRMATION \x82\xF0\x8E󂯂Ă\xA2\x82Ȃ\xA2\x82̂ŁA
+			// \x91\x8A\x8E葤\x82̃`\x83\x83\x83l\x83\x8B\x94ԍ\x86\x82\xAA\x94\xBB\x82\xE7\x82Ȃ\xA2\x82̂\xC5 window-change \x83\x81\x83b\x83Z\x81[\x83W\x82͑\x97\x82\xE7\x82Ȃ\xA2\x81B
+			logprintf(LOG_LEVEL_WARNING, "%s: remote shell channel number is unknown.", __FUNCTION__);
+			return;
+		}
 
-
 		msg = buffer_init();
 		if (msg == NULL) {
-			// TODO: error check
 			logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__);
 			return;
 		}
@@ -3204,6 +3209,13 @@
 			logprintf(LOG_LEVEL_ERROR, "%s: shell channel not found.", __FUNCTION__);
 			goto error;
 		}
+		if (c->remote_id == SSH_CHANNEL_INVALID) {
+			// \x94F\x8Fؒ\xBC\x8C\xE3\x82\xC9 send break \x82\xF0\x8Ds\x82\xA4\x82Ɣ\xAD\x90\xB6\x82\xB7\x82\xE9
+			// \x82܂\xBE\x83V\x83F\x83\x8B\x82̃`\x83\x83\x83l\x83\x8B\x82ɑ΂\xB7\x82\xE9 SSH_MSG_OPEN_CONFIRMATION \x82\xF0\x8E󂯂Ă\xA2\x82Ȃ\xA2\x82̂ŁA
+			// \x91\x8A\x8E葤\x82̃`\x83\x83\x83l\x83\x8B\x94ԍ\x86\x82\xAA\x94\xBB\x82\xE7\x82Ȃ\xA2\x82̂\xC5 break \x83\x81\x83b\x83Z\x81[\x83W\x82͑\x97\x82\xE7\x82Ȃ\xA2\x81B
+			logprintf(LOG_LEVEL_WARNING, "%s: remote shell channel number is unknown.", __FUNCTION__);
+			goto error;
+		}
 
 		msg = buffer_init();
 		if (msg == NULL) {
@@ -3353,7 +3365,7 @@
 
 	} else { // for SSH2(yutaka)
 		Channel_t *c = ssh2_channel_lookup(pvar->shell_id);
-		if (c == NULL) {
+		if (c == NULL || c->remote_id == SSH_CHANNEL_INVALID) {
 			logprintf(LOG_LEVEL_ERROR, "%s: shell channel not found.", __FUNCTION__);
 		}
 		else {
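Review bot: The combined test `c == NULL || c->remote_id == SSH_CHANNEL_INVALID` logs "shell channel not found." for both cases, so the log cannot distinguish a missing channel from one still waiting for its open confirmation. The other send paths in this commit report the second case as "remote shell channel number is unknown."; a separate branch such as `else if (c->remote_id == SSH_CHANNEL_INVALID) { logprintf(LOG_LEVEL_WARNING, "%s: remote shell channel number is unknown.", __FUNCTION__); }` would keep the diagnostics consistent. The enclosing function starts and ends outside this hunk.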
@@ -3566,7 +3578,6 @@
 		pvar->session_id_len = 0;
 
 		pvar->userauth_success = 0;
-		//pvar->remote_id = 0;
 		pvar->shell_id = SSH_CHANNEL_INVALID;
 		pvar->session_nego_status = 0;
 
@@ -3646,7 +3657,6 @@
 	if (buflen > 0) {
 		msg = buffer_init();
 		if (msg == NULL) {
-			// TODO: error check
 			logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__);
 			return;
 		}
@@ -3775,7 +3785,6 @@
 
 	msg = buffer_init();
 	if (msg == NULL) {
-		// TODO: error check
 		logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__);
 		return;
 	}
@@ -3854,7 +3863,6 @@
 
 	msg = buffer_init();
 	if (msg == NULL) {
-		// TODO: error check
 		logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__);
 		return;
 	}
@@ -4023,7 +4031,6 @@
 
 		msg = buffer_init();
 		if (msg == NULL) {
-			// TODO: error check
 			logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__);
 			return;
 		}
@@ -4033,6 +4040,10 @@
 			logprintf(LOG_LEVEL_ERROR, "%s: shell channel not found.", __FUNCTION__);
 			return;
 		}
+		if (c->remote_id == SSH_CHANNEL_INVALID) {
+			logprintf(LOG_LEVEL_ERROR, "%s: remote shell channel number is unknown.", __FUNCTION__);
+			return;
+		}
 
 		// making the fake data	
 		newlen = 2 * auth_data_len + 1;
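Review bot: The added `return;` appears to leak `msg`, because the preceding hunk allocates it with `buffer_init()` only a few lines earlier and this early exit does not release it. The three lines between the two hunks are not visible, so this is inferred. The existing "shell channel not found" return just above has the same shape. The `@@ -8259` hunk shows the pattern in full: `msg = buffer_init()` succeeds, then the new `remote_id` check returns FALSE without freeing. In both places, either do the `remote_id` check before `buffer_init()` or add `buffer_free(msg);` ahead of the return.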
@@ -8259,8 +8270,13 @@
 
 	msg = buffer_init();
 	if (msg == NULL) {
+		logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__);
 		return FALSE;
 	}
+	if (c->remote_id == SSH_CHANNEL_INVALID) {
+		logprintf(LOG_LEVEL_ERROR, "%s: invalid remote channel number (%d).", __FUNCTION__, c->remote_id);
+		return FALSE;
+	}
 
 	buffer_put_int(msg, c->remote_id);
 	buffer_put_string(msg, req, strlen(req));
@@ -8301,13 +8317,11 @@
 	// pty open
 	msg = buffer_init();
 	if (msg == NULL) {
-		// TODO: error check
 		logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL. (msg)", __FUNCTION__);
 		return FALSE;
 	}
 	ttymsg = buffer_init();
 	if (ttymsg == NULL) {
-		// TODO: error check
 		logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL. (ttymsg)", __FUNCTION__);
 		buffer_free(msg);
 		return FALSE;
@@ -8407,12 +8421,10 @@
 
 	c = ssh2_channel_lookup(id);
 	if (c == NULL) {
-		// TODO:
 		logprintf(LOG_LEVEL_ERROR, "%s: channel not found. (%d)", __FUNCTION__, id);
 		return FALSE;
 	}
 
-	// TODO: id check
 	remote_id = get_uint32_MSBfirst(data);
 	data += 4;
 
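Review bot: Deleting `// TODO: id check` leaves the peer-supplied `remote_id` from `get_uint32_MSBfirst(data)` unvalidated, although this commit makes one value of that field a sentinel. SSH channel numbers are 32-bit values chosen by the peer, so if `SSH_CHANNEL_INVALID` has the bit pattern of the old `-1` (its definition is not visible here), a server that picks that number leaves the channel permanently treated as unconfirmed by every new check. Either reject that value here with an explicit log line, or track confirmation in a separate flag rather than in-band. If neither is done now, keep a comment such as `// NOTE: remote_id is peer-controlled; a value equal to SSH_CHANNEL_INVALID is indistinguishable from "not yet confirmed"`. The rest of the handler is outside the hunk.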
@@ -8521,7 +8533,6 @@
 
 	c = ssh2_channel_lookup(id);
 	if (c == NULL) {
-		// TODO: SSH2_MSG_DISCONNECT\x82𑗂\xE9
 		logprintf(LOG_LEVEL_ERROR, "%s: channel not found. (%d)", __FUNCTION__, id);
 		return FALSE;
 	}
@@ -8664,13 +8675,15 @@
 		pvar->session_nego_status);
 
 	if (pvar->session_nego_status == 1) {
-		// find channel by shell id(2005.2.27 yutaka)
 		c = ssh2_channel_lookup(pvar->shell_id);
 		if (c == NULL) {
-			// TODO: error check
 			logprintf(LOG_LEVEL_ERROR, "%s: shell channel not found.", __FUNCTION__);
 			return FALSE;
 		}
+		if (c->remote_id == SSH_CHANNEL_INVALID) {
+			logprintf(LOG_LEVEL_ERROR, "%s: remote shell channel number is unknown.", __FUNCTION__);
+			return FALSE;
+		}
 		pvar->agentfwd_enable = TRUE;
 		return send_pty_request(pvar, c);
 
@@ -8677,13 +8690,15 @@
 	} else if (pvar->session_nego_status == 2) {
 		pvar->session_nego_status = 3;
 
-		// find channel by shell id(2005.2.27 yutaka)
 		c = ssh2_channel_lookup(pvar->shell_id);
 		if (c == NULL) {
-			// TODO: error check
 			logprintf(LOG_LEVEL_ERROR, "%s: shell channel not found.", __FUNCTION__);
 			return FALSE;
 		}
+		if (c->remote_id == SSH_CHANNEL_INVALID) {
+			logprintf(LOG_LEVEL_ERROR, "%s: remote shell channel number is unknown.", __FUNCTION__);
+			return FALSE;
+		}
 
 		if (!send_channel_request_gen(pvar, c, "shell", want_reply, NULL, NULL)) {
 			return FALSE;;
@@ -8716,7 +8731,6 @@
 
 	c = ssh2_channel_lookup(channel_id);
 	if (c == NULL) {
-		// TODO: error check
 		logprintf(LOG_LEVEL_ERROR, "%s: channel not found. (%d)", __FUNCTION__, channel_id);
 		return FALSE;
 	}
@@ -8765,7 +8779,6 @@
 		// pty open
 		msg = buffer_init();
 		if (msg == NULL) {
-			// TODO: error check
 			logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__);
 			return;
 		}
@@ -8801,7 +8814,6 @@
 		// SSH2 server\x82\xC9channel close\x82\xF0\x93`\x82\xA6\x82\xE9
 		msg = buffer_init();
 		if (msg == NULL) {
-			// TODO: error check
 			logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__);
 			return;
 		}
@@ -9481,10 +9493,13 @@
 
 	c = ssh2_channel_lookup(id);
 	if (c == NULL) {
-		// TODO:
 		logprintf(LOG_LEVEL_ERROR, "%s: channel not found. (%d)", __FUNCTION__, id);
 		return FALSE;
 	}
+	if (c->remote_id == SSH_CHANNEL_INVALID) {
+		logprintf(LOG_LEVEL_ERROR, "%s: remote shell channel number is unknown.", __FUNCTION__);
+		return FALSE;
+	}
 
 	// string length
 	str_len = get_uint32_MSBfirst(data);
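Review bot: The new message "remote shell channel number is unknown." is misleading here, because this path looks the channel up by the peer-supplied `id` rather than by `pvar->shell_id`, so it can fire for any channel. Unlike the adjacent "channel not found. (%d)" line, it also omits the id, which makes a misbehaving peer harder to trace in the log. Suggest `logprintf(LOG_LEVEL_ERROR, "%s: remote channel number is unknown. (%d)", __FUNCTION__, id);`. The same wording is added in the `@@ -9566`, `@@ -9910` and `@@ -10007` hunks.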
@@ -9502,7 +9517,6 @@
 			"len:%d local_maxpacket:%d", __FUNCTION__, str_len, c->local_maxpacket);
 	}
 	if (str_len > c->local_window) {
-		// TODO: logging
 		// local window size\x82\xE6\x82\xE8\x91傫\x82ȃp\x83P\x83b\x83g\x82͎̂Ă\xE9
 		logprintf(LOG_LEVEL_WARNING, "%s: Data length is larger than local_window. "
 			"len:%d local_window:%d", __FUNCTION__, str_len, c->local_window);
@@ -9566,10 +9580,13 @@
 
 	c = ssh2_channel_lookup(id);
 	if (c == NULL) {
-		// TODO:
 		logprintf(LOG_LEVEL_ERROR, "%s: channel not found. (%d)", __FUNCTION__, id);
 		return FALSE;
 	}
+	if (c->remote_id == SSH_CHANNEL_INVALID) {
+		logprintf(LOG_LEVEL_ERROR, "%s: remote shell channel number is unknown.", __FUNCTION__);
+		return FALSE;
+	}
 
 	// data_type_code
 	data_type = get_uint32_MSBfirst(data);
@@ -9581,12 +9598,10 @@
 
 	// \x83o\x83b\x83t\x83@\x83T\x83C\x83Y\x82̃`\x83F\x83b\x83N
 	if (strlen > c->local_maxpacket) {
-		// TODO: logging
 		logprintf(LOG_LEVEL_WARNING, "%s: Data length is larger than local_maxpacket. "
 			"len:%d local_maxpacket:%d", __FUNCTION__, strlen, c->local_maxpacket);
 	}
 	if (strlen > c->local_window) {
-		// TODO: logging
 		// local window size\x82\xE6\x82\xE8\x91傫\x82ȃp\x83P\x83b\x83g\x82͎̂Ă\xE9
 		logprintf(LOG_LEVEL_WARNING, "%s: Data length is larger than local_window. "
 			"len:%d local_window:%d", __FUNCTION__, strlen, c->local_window);
@@ -9644,7 +9659,6 @@
 
 	c = ssh2_channel_lookup(id);
 	if (c == NULL) {
-		// TODO:
 		logprintf(LOG_LEVEL_ERROR, "%s: channel not found. (%d)", __FUNCTION__, id);
 		return FALSE;
 	}
@@ -9762,8 +9776,7 @@
 
 		free(orig_str);
 
-		// X server(port 6000)\x82֐ڑ\xB1\x82\xB7\x82\xE9\x81B\x90ڑ\xB1\x82Ɏ\xB8\x94s\x82\xB7\x82\xE9\x82\xC6Tera Term\x8E\xA9\x90g\x82\xAA\x90ؒf\x82\xB3\x82\xEA\x82\xE9\x81B
-		// TODO: \x8F\xAB\x97\x88\x81A\x90ؒf\x82\xB3\x82\xEA\x82Ȃ\xA2\x82悤\x82ɂ\xB5\x82\xBD\x82\xA2\x81B(2005.7.3 yutaka)
+		// X server \x82֐ڑ\xB1\x82\xB7\x82\xE9\x81B
 		FWD_X11_open(pvar, remote_id, NULL, 0, &chan_num);
 
 		// channel\x82\xF0\x83A\x83\x8D\x83P\x81[\x83g\x82\xB5\x81A\x95K\x97v\x82ȏ\xEE\x95\xF1\x81iremote window size\x81j\x82\xF0\x82\xB1\x82\xB1\x82Ŏ\xE6\x82\xC1\x82Ă\xA8\x82\xAD\x81B
@@ -9800,7 +9813,6 @@
 		else {
 			msg = buffer_init();
 			if (msg == NULL) {
-				// TODO: error check
 				logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__);
 				return FALSE;
 			}
@@ -9850,7 +9862,6 @@
 	data += 4;
 	c = ssh2_channel_lookup(id);
 	if (c == NULL) {
-		// TODO:
 		logprintf(LOG_LEVEL_ERROR, "%s: channel not found. (%d)", __FUNCTION__, id);
 		return FALSE;
 	}
@@ -9910,10 +9921,13 @@
 	data += 4;
 	c = ssh2_channel_lookup(id);
 	if (c == NULL) {
-		// TODO:
 		logprintf(LOG_LEVEL_ERROR, "%s: channel not found. (%d)", __FUNCTION__, id);
 		return FALSE;
 	}
+	if (c->remote_id == SSH_CHANNEL_INVALID) {
+		logprintf(LOG_LEVEL_ERROR, "%s: remote shell channel number is unknown.", __FUNCTION__);
+		return FALSE;
+	}
 
 	request = buffer_get_string(&data, NULL);
 
@@ -9956,7 +9970,6 @@
 
 		msg = buffer_init();
 		if (msg == NULL) {
-			// TODO: error check
 			logprintf(LOG_LEVEL_ERROR, "%s: buffer_init returns NULL.", __FUNCTION__);
 			return FALSE;
 		}
@@ -10007,6 +10020,10 @@
 		logprintf(LOG_LEVEL_WARNING, "%s: channel not found. (%d)", __FUNCTION__, id);
 		return TRUE;
 	}
+	if (c->remote_id == SSH_CHANNEL_INVALID) {
+		logprintf(LOG_LEVEL_ERROR, "%s: remote shell channel number is unknown.", __FUNCTION__);
+		return FALSE;
+	}
 
 	adjust = get_uint32_MSBfirst(data);
 	data += 4;
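Review bot: The added branch returns FALSE at LOG_LEVEL_ERROR, while the branch directly above it tolerates an unknown channel with a WARNING and `return TRUE;`, so two peer-triggered anomalies on the same message are handled differently without explanation. What FALSE means to the dispatcher is outside this hunk; if it ends the session, a message for a not-yet-confirmed channel becomes fatal while one for a nonexistent channel is ignored. Either align the two branches or state the reason in a comment, for example `// unlike an unknown channel, a message for an unconfirmed channel is a protocol violation`.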

Modified: trunk/ttssh2/ttxssh/ttxssh.h
===================================================================
--- trunk/ttssh2/ttxssh/ttxssh.h	2020-03-15 15:24:18 UTC (rev 8598)
+++ trunk/ttssh2/ttxssh/ttxssh.h	2020-03-16 15:19:23 UTC (rev 8599)
@@ -281,7 +281,6 @@
 	EVP_CIPHER_CTX *evpcip[MODE_MAX];
 	int userauth_success;
 	int shell_id;
-	/*int remote_id;*/
 	int session_nego_status;
 	/*
 	unsigned int local_window;

