1 /* $OpenBSD: nchan.c,v 1.71 2020/10/18 11:32:01 djm Exp $ */ 2 /* 3 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/socket.h> 28 #include <sys/queue.h> 29 30 #include <errno.h> 31 #include <string.h> 32 #include <stdarg.h> 33 34 #include "ssh2.h" 35 #include "sshbuf.h" 36 #include "ssherr.h" 37 #include "packet.h" 38 #include "channels.h" 39 #include "compat.h" 40 #include "log.h" 41 42 /* 43 * SSH Protocol 1.5 aka New Channel Protocol 44 * Thanks to Martina, Axel and everyone who left Erlangen, leaving me bored. 45 * Written by Markus Friedl in October 1999 46 * 47 * Protocol versions 1.3 and 1.5 differ in the handshake protocol used for the 48 * tear down of channels: 49 * 50 * 1.3: strict request-ack-protocol: 51 * CLOSE -> 52 * <- CLOSE_CONFIRM 53 * 54 * 1.5: uses variations of: 55 * IEOF -> 56 * <- OCLOSE 57 * <- IEOF 58 * OCLOSE -> 59 * i.e. both sides have to close the channel 60 * 61 * 2.0: the EOF messages are optional 62 * 63 * See the debugging output from 'ssh -v' and 'sshd -d' of 64 * ssh-1.2.27 as an example. 65 * 66 */ 67 68 /* functions manipulating channel states */ 69 /* 70 * EVENTS update channel input/output states execute ACTIONS 71 */ 72 /* 73 * ACTIONS: should never update the channel states 74 */ 75 static void chan_send_eof2(struct ssh *, Channel *); 76 static void chan_send_eow2(struct ssh *, Channel *); 77 78 /* helper */ 79 static void chan_shutdown_write(struct ssh *, Channel *); 80 static void chan_shutdown_read(struct ssh *, Channel *); 81 static void chan_shutdown_extended_read(struct ssh *, Channel *); 82 83 static const char *ostates[] = { "open", "drain", "wait_ieof", "closed" }; 84 static const char *istates[] = { "open", "drain", "wait_oclose", "closed" }; 85 86 static void 87 chan_set_istate(Channel *c, u_int next) 88 { 89 if (c->istate > CHAN_INPUT_CLOSED || next > CHAN_INPUT_CLOSED) 90 fatal("chan_set_istate: bad state %d -> %d", c->istate, next); 91 debug2("channel %d: input %s -> %s", c->self, istates[c->istate], 92 istates[next]); 93 c->istate = next; 94 } 95 96 static void 97 chan_set_ostate(Channel *c, u_int next) 98 { 99 if (c->ostate > CHAN_OUTPUT_CLOSED || next > CHAN_OUTPUT_CLOSED) 100 fatal("chan_set_ostate: bad state %d -> %d", c->ostate, next); 101 debug2("channel %d: output %s -> %s", c->self, ostates[c->ostate], 102 ostates[next]); 103 c->ostate = next; 104 } 105 106 void 107 chan_read_failed(struct ssh *ssh, Channel *c) 108 { 109 debug2("channel %d: read failed", c->self); 110 switch (c->istate) { 111 case CHAN_INPUT_OPEN: 112 chan_shutdown_read(ssh, c); 113 chan_set_istate(c, CHAN_INPUT_WAIT_DRAIN); 114 break; 115 default: 116 error("channel %d: chan_read_failed for istate %d", 117 c->self, c->istate); 118 break; 119 } 120 } 121 122 void 123 chan_ibuf_empty(struct ssh *ssh, Channel *c) 124 { 125 debug2("channel %d: ibuf empty", c->self); 126 if (sshbuf_len(c->input)) { 127 error("channel %d: chan_ibuf_empty for non empty buffer", 128 c->self); 129 return; 130 } 131 switch (c->istate) { 132 case CHAN_INPUT_WAIT_DRAIN: 133 if (!(c->flags & (CHAN_CLOSE_SENT|CHAN_LOCAL))) 134 chan_send_eof2(ssh, c); 135 chan_set_istate(c, CHAN_INPUT_CLOSED); 136 break; 137 default: 138 error("channel %d: chan_ibuf_empty for istate %d", 139 c->self, c->istate); 140 break; 141 } 142 } 143 144 void 145 chan_obuf_empty(struct ssh *ssh, Channel *c) 146 { 147 debug2("channel %d: obuf empty", c->self); 148 if (sshbuf_len(c->output)) { 149 error("channel %d: chan_obuf_empty for non empty buffer", 150 c->self); 151 return; 152 } 153 switch (c->ostate) { 154 case CHAN_OUTPUT_WAIT_DRAIN: 155 chan_shutdown_write(ssh, c); 156 chan_set_ostate(c, CHAN_OUTPUT_CLOSED); 157 break; 158 default: 159 error("channel %d: internal error: obuf_empty for ostate %d", 160 c->self, c->ostate); 161 break; 162 } 163 } 164 165 void 166 chan_rcvd_eow(struct ssh *ssh, Channel *c) 167 { 168 debug2("channel %d: rcvd eow", c->self); 169 switch (c->istate) { 170 case CHAN_INPUT_OPEN: 171 chan_shutdown_read(ssh, c); 172 chan_set_istate(c, CHAN_INPUT_CLOSED); 173 break; 174 } 175 } 176 177 static void 178 chan_send_eof2(struct ssh *ssh, Channel *c) 179 { 180 int r; 181 182 debug2("channel %d: send eof", c->self); 183 switch (c->istate) { 184 case CHAN_INPUT_WAIT_DRAIN: 185 if (!c->have_remote_id) 186 fatal_f("channel %d: no remote_id", c->self); 187 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_EOF)) != 0 || 188 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 189 (r = sshpkt_send(ssh)) != 0) 190 fatal_fr(r, "send CHANNEL_EOF"); 191 c->flags |= CHAN_EOF_SENT; 192 break; 193 default: 194 error("channel %d: cannot send eof for istate %d", 195 c->self, c->istate); 196 break; 197 } 198 } 199 200 static void 201 chan_send_close2(struct ssh *ssh, Channel *c) 202 { 203 int r; 204 205 debug2("channel %d: send close", c->self); 206 if (c->ostate != CHAN_OUTPUT_CLOSED || 207 c->istate != CHAN_INPUT_CLOSED) { 208 error("channel %d: cannot send close for istate/ostate %d/%d", 209 c->self, c->istate, c->ostate); 210 } else if (c->flags & CHAN_CLOSE_SENT) { 211 error("channel %d: already sent close", c->self); 212 } else { 213 if (!c->have_remote_id) 214 fatal_f("channel %d: no remote_id", c->self); 215 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_CLOSE)) != 0 || 216 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 217 (r = sshpkt_send(ssh)) != 0) 218 fatal_fr(r, "send CHANNEL_EOF"); 219 c->flags |= CHAN_CLOSE_SENT; 220 } 221 } 222 223 static void 224 chan_send_eow2(struct ssh *ssh, Channel *c) 225 { 226 int r; 227 228 debug2("channel %d: send eow", c->self); 229 if (c->ostate == CHAN_OUTPUT_CLOSED) { 230 error("channel %d: must not sent eow on closed output", 231 c->self); 232 return; 233 } 234 if (!(datafellows & SSH_NEW_OPENSSH)) 235 return; 236 if (!c->have_remote_id) 237 fatal_f("channel %d: no remote_id", c->self); 238 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_REQUEST)) != 0 || 239 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 240 (r = sshpkt_put_cstring(ssh, "eow@openssh.com")) != 0 || 241 (r = sshpkt_put_u8(ssh, 0)) != 0 || 242 (r = sshpkt_send(ssh)) != 0) 243 fatal_fr(r, "send CHANNEL_EOF"); 244 } 245 246 /* shared */ 247 248 void 249 chan_rcvd_ieof(struct ssh *ssh, Channel *c) 250 { 251 debug2("channel %d: rcvd eof", c->self); 252 c->flags |= CHAN_EOF_RCVD; 253 if (c->ostate == CHAN_OUTPUT_OPEN) 254 chan_set_ostate(c, CHAN_OUTPUT_WAIT_DRAIN); 255 if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN && 256 sshbuf_len(c->output) == 0 && 257 !CHANNEL_EFD_OUTPUT_ACTIVE(c)) 258 chan_obuf_empty(ssh, c); 259 } 260 261 void 262 chan_rcvd_oclose(struct ssh *ssh, Channel *c) 263 { 264 debug2("channel %d: rcvd close", c->self); 265 if (!(c->flags & CHAN_LOCAL)) { 266 if (c->flags & CHAN_CLOSE_RCVD) 267 error("channel %d: protocol error: close rcvd twice", 268 c->self); 269 c->flags |= CHAN_CLOSE_RCVD; 270 } 271 if (c->type == SSH_CHANNEL_LARVAL) { 272 /* tear down larval channels immediately */ 273 chan_set_ostate(c, CHAN_OUTPUT_CLOSED); 274 chan_set_istate(c, CHAN_INPUT_CLOSED); 275 return; 276 } 277 switch (c->ostate) { 278 case CHAN_OUTPUT_OPEN: 279 /* 280 * wait until a data from the channel is consumed if a CLOSE 281 * is received 282 */ 283 chan_set_ostate(c, CHAN_OUTPUT_WAIT_DRAIN); 284 break; 285 } 286 switch (c->istate) { 287 case CHAN_INPUT_OPEN: 288 chan_shutdown_read(ssh, c); 289 chan_shutdown_extended_read(ssh, c); 290 chan_set_istate(c, CHAN_INPUT_CLOSED); 291 break; 292 case CHAN_INPUT_WAIT_DRAIN: 293 if (!(c->flags & CHAN_LOCAL)) 294 chan_send_eof2(ssh, c); 295 chan_shutdown_extended_read(ssh, c); 296 chan_set_istate(c, CHAN_INPUT_CLOSED); 297 break; 298 } 299 } 300 301 void 302 chan_write_failed(struct ssh *ssh, Channel *c) 303 { 304 debug2("channel %d: write failed", c->self); 305 switch (c->ostate) { 306 case CHAN_OUTPUT_OPEN: 307 case CHAN_OUTPUT_WAIT_DRAIN: 308 chan_shutdown_write(ssh, c); 309 if (strcmp(c->ctype, "session") == 0) 310 chan_send_eow2(ssh, c); 311 chan_set_ostate(c, CHAN_OUTPUT_CLOSED); 312 break; 313 default: 314 error("channel %d: chan_write_failed for ostate %d", 315 c->self, c->ostate); 316 break; 317 } 318 } 319 320 void 321 chan_mark_dead(struct ssh *ssh, Channel *c) 322 { 323 c->type = SSH_CHANNEL_ZOMBIE; 324 } 325 326 int 327 chan_is_dead(struct ssh *ssh, Channel *c, int do_send) 328 { 329 if (c->type == SSH_CHANNEL_ZOMBIE) { 330 debug2("channel %d: zombie", c->self); 331 return 1; 332 } 333 if (c->istate != CHAN_INPUT_CLOSED || c->ostate != CHAN_OUTPUT_CLOSED) 334 return 0; 335 if ((datafellows & SSH_BUG_EXTEOF) && 336 c->extended_usage == CHAN_EXTENDED_WRITE && 337 c->efd != -1 && 338 sshbuf_len(c->extended) > 0) { 339 debug2("channel %d: active efd: %d len %zu", 340 c->self, c->efd, sshbuf_len(c->extended)); 341 return 0; 342 } 343 if (c->flags & CHAN_LOCAL) { 344 debug2("channel %d: is dead (local)", c->self); 345 return 1; 346 } 347 if (!(c->flags & CHAN_CLOSE_SENT)) { 348 if (do_send) { 349 chan_send_close2(ssh, c); 350 } else { 351 /* channel would be dead if we sent a close */ 352 if (c->flags & CHAN_CLOSE_RCVD) { 353 debug2("channel %d: almost dead", 354 c->self); 355 return 1; 356 } 357 } 358 } 359 if ((c->flags & CHAN_CLOSE_SENT) && 360 (c->flags & CHAN_CLOSE_RCVD)) { 361 debug2("channel %d: is dead", c->self); 362 return 1; 363 } 364 return 0; 365 } 366 367 /* helper */ 368 static void 369 chan_shutdown_write(struct ssh *ssh, Channel *c) 370 { 371 sshbuf_reset(c->output); 372 if (c->type == SSH_CHANNEL_LARVAL) 373 return; 374 /* shutdown failure is allowed if write failed already */ 375 debug2_f("channel %d: (i%d o%d sock %d wfd %d efd %d [%s])", 376 c->self, c->istate, c->ostate, c->sock, c->wfd, c->efd, 377 channel_format_extended_usage(c)); 378 if (c->sock != -1) { 379 if (shutdown(c->sock, SHUT_WR) == -1) { 380 debug2_f("channel %d: shutdown() failed for " 381 "fd %d [i%d o%d]: %.100s", c->self, c->sock, 382 c->istate, c->ostate, strerror(errno)); 383 } 384 } else { 385 if (channel_close_fd(ssh, &c->wfd) < 0) { 386 logit_f("channel %d: close() failed for " 387 "fd %d [i%d o%d]: %.100s", c->self, c->wfd, 388 c->istate, c->ostate, strerror(errno)); 389 } 390 } 391 } 392 393 static void 394 chan_shutdown_read(struct ssh *ssh, Channel *c) 395 { 396 if (c->type == SSH_CHANNEL_LARVAL) 397 return; 398 debug2_f("channel %d: (i%d o%d sock %d wfd %d efd %d [%s])", 399 c->self, c->istate, c->ostate, c->sock, c->rfd, c->efd, 400 channel_format_extended_usage(c)); 401 if (c->sock != -1) { 402 if (shutdown(c->sock, SHUT_RD) == -1) { 403 error_f("channel %d: shutdown() failed for " 404 "fd %d [i%d o%d]: %.100s", c->self, c->sock, 405 c->istate, c->ostate, strerror(errno)); 406 } 407 } else { 408 if (channel_close_fd(ssh, &c->rfd) < 0) { 409 logit_f("channel %d: close() failed for " 410 "fd %d [i%d o%d]: %.100s", c->self, c->rfd, 411 c->istate, c->ostate, strerror(errno)); 412 } 413 } 414 } 415 416 static void 417 chan_shutdown_extended_read(struct ssh *ssh, Channel *c) 418 { 419 if (c->type == SSH_CHANNEL_LARVAL || c->efd == -1) 420 return; 421 if (c->extended_usage != CHAN_EXTENDED_READ && 422 c->extended_usage != CHAN_EXTENDED_IGNORE) 423 return; 424 debug_f("channel %d: (i%d o%d sock %d wfd %d efd %d [%s])", 425 c->self, c->istate, c->ostate, c->sock, c->rfd, c->efd, 426 channel_format_extended_usage(c)); 427 if (channel_close_fd(ssh, &c->efd) < 0) { 428 logit_f("channel %d: close() failed for " 429 "extended fd %d [i%d o%d]: %.100s", c->self, c->efd, 430 c->istate, c->ostate, strerror(errno)); 431 } 432 } 433