upstream: the messaging layer between sshd-session and sshd-auth had a

maximum message size of 256KB. Some people apparently have configurations
larger than this and would hit this limit.

Worse, there was no good logging that could help diagnose what was
going wrong.

So this bumps the maximum message size to 4MB and implements an early
check (usable via the sshd -t test mode) that will report it to the
user where it is hopefully more visible.

bz3808, reported by Dmitry Belyavskiy, ok dtucker@

OpenBSD-Commit-ID: 69c303fb68cbd1a4735936835d67a71e7b57f63b

diff --git a/monitor_wrap.c b/monitor_wrap.c
index c30a7902d3863a688dfcd73aa1aeff65b7b09295..fea5762139933ac8ad69d8976813f7540f13c128 100644 (file)
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.139 2025/05/05 02:40:30 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.140 2025/07/04 07:47:35 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -150,7 +150,7 @@ mm_request_send(int sock, enum monitor_reqtype type, struct sshbuf *m)
 
        debug3_f("entering, type %d", type);
 
-       if (mlen >= 0xffffffff)
+       if (mlen >= MONITOR_MAX_MSGLEN)
                fatal_f("bad length %zu", mlen);
        POKE_U32(buf, mlen + 1);
        buf[4] = (u_char) type;         /* 1st byte of payload is mesg-type */
@@ -183,7 +183,7 @@ mm_request_receive(int sock, struct sshbuf *m)
                fatal_f("read: %s", strerror(errno));
        }
        msg_len = PEEK_U32(buf);
-       if (msg_len > 256 * 1024)
+       if (msg_len > MONITOR_MAX_MSGLEN)
                fatal_f("read: bad msg_len %d", msg_len);
        sshbuf_reset(m);
        if ((r = sshbuf_reserve(m, msg_len, &p)) != 0)

diff --git a/monitor_wrap.h b/monitor_wrap.h
index 7134afeecf4e3a6b7d83c46ca72ed030a11de827..c87295388fd0e2ff71323e7f4ac10a61069b923c 100644 (file)
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.h,v 1.51 2024/05/17 06:42:04 jsg Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.53 2025/07/04 07:47:35 djm Exp $ */
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -28,6 +28,10 @@
 #ifndef _MM_WRAP_H_
 #define _MM_WRAP_H_
 
+#define MONITOR_MAX_MSGLEN             (4 * 1024 * 1024)
+/* The configuration has to fit in a monitor message along with other state */
+#define MONITOR_MAX_CFGLEN             (MONITOR_MAX_MSGLEN - (64 * 1024))
+
 enum mm_keytype { MM_NOKEY, MM_HOSTKEY, MM_USERKEY };
 
 struct ssh;

diff --git a/sshd.c b/sshd.c
index 91608eff760c9441d12bb42f2e3311bf6f4e8fcf..5a4db309d23b266a68a002532af8f07a1bda7989 100644 (file)
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.619 2025/05/24 06:43:37 dtucker Exp $ */
+/* $OpenBSD: sshd.c,v 1.620 2025/07/04 07:47:35 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  * Copyright (c) 2002 Niels Provos.  All rights reserved.
@@ -94,6 +94,7 @@
 #include "addr.h"
 #include "srclimit.h"
 #include "atomicio.h"
+#include "monitor_wrap.h"
 
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD   (STDERR_FILENO + 1)
@@ -1753,6 +1754,12 @@ main(int ac, char **av)
        if (test_flag > 1)
                print_config(&connection_info);
 
+       config = pack_config(cfg);
+       if (sshbuf_len(config) > MONITOR_MAX_CFGLEN) {
+               fatal("Configuration file is too large (have %zu, max %d)",
+                   sshbuf_len(config), MONITOR_MAX_CFGLEN);
+       }
+
        /* Configuration looks good, so exit if in test mode. */
        if (test_flag)
                exit(0);
@@ -1830,8 +1837,6 @@ main(int ac, char **av)
        /* ignore SIGPIPE */
        ssh_signal(SIGPIPE, SIG_IGN);
 
-       config = pack_config(cfg);
-
        /* Get a connection, either from inetd or a listening TCP socket */
        if (inetd_flag) {
                /* Send configuration to ancestor sshd-session process */