1 /* $NetBSD: nchan.c,v 1.16 2024/09/24 21:32:18 christos Exp $ */ 2 /* $OpenBSD: nchan.c,v 1.76 2024/07/25 22:40:08 djm Exp $ */ 3 4 /* 5 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include "includes.h" 29 __RCSID("$NetBSD: nchan.c,v 1.16 2024/09/24 21:32:18 christos Exp $"); 30 #include <sys/types.h> 31 #include <sys/socket.h> 32 #include <sys/queue.h> 33 34 #include <errno.h> 35 #include <string.h> 36 #include <stdarg.h> 37 38 #include "ssh2.h" 39 #include "sshbuf.h" 40 #include "ssherr.h" 41 #include "packet.h" 42 #include "channels.h" 43 #include "compat.h" 44 #include "log.h" 45 46 /* 47 * SSH Protocol 1.5 aka New Channel Protocol 48 * Thanks to Martina, Axel and everyone who left Erlangen, leaving me bored. 49 * Written by Markus Friedl in October 1999 50 * 51 * Protocol versions 1.3 and 1.5 differ in the handshake protocol used for the 52 * tear down of channels: 53 * 54 * 1.3: strict request-ack-protocol: 55 * CLOSE -> 56 * <- CLOSE_CONFIRM 57 * 58 * 1.5: uses variations of: 59 * IEOF -> 60 * <- OCLOSE 61 * <- IEOF 62 * OCLOSE -> 63 * i.e. both sides have to close the channel 64 * 65 * 2.0: the EOF messages are optional 66 * 67 * See the debugging output from 'ssh -v' and 'sshd -d' of 68 * ssh-1.2.27 as an example. 69 * 70 */ 71 72 /* functions manipulating channel states */ 73 /* 74 * EVENTS update channel input/output states execute ACTIONS 75 */ 76 /* 77 * ACTIONS: should never update the channel states 78 */ 79 static void chan_send_eof2(struct ssh *, Channel *); 80 static void chan_send_eow2(struct ssh *, Channel *); 81 82 /* helper */ 83 static void chan_shutdown_write(struct ssh *, Channel *); 84 static void chan_shutdown_read(struct ssh *, Channel *); 85 static void chan_shutdown_extended_read(struct ssh *, Channel *); 86 87 static const char * const ostates[] = { 88 "open", "drain", "wait_ieof", "closed", 89 }; 90 static const char * const istates[] = { 91 "open", "drain", "wait_oclose", "closed", 92 }; 93 94 static void 95 chan_set_istate(Channel *c, u_int next) 96 { 97 if (c->istate > CHAN_INPUT_CLOSED || next > CHAN_INPUT_CLOSED) 98 fatal("chan_set_istate: bad state %d -> %d", c->istate, next); 99 debug2("channel %d: input %s -> %s", c->self, istates[c->istate], 100 istates[next]); 101 c->istate = next; 102 } 103 104 static void 105 chan_set_ostate(Channel *c, u_int next) 106 { 107 if (c->ostate > CHAN_OUTPUT_CLOSED || next > CHAN_OUTPUT_CLOSED) 108 fatal("chan_set_ostate: bad state %d -> %d", c->ostate, next); 109 debug2("channel %d: output %s -> %s", c->self, ostates[c->ostate], 110 ostates[next]); 111 c->ostate = next; 112 } 113 114 void 115 chan_read_failed(struct ssh *ssh, Channel *c) 116 { 117 debug2("channel %d: read failed", c->self); 118 switch (c->istate) { 119 case CHAN_INPUT_OPEN: 120 chan_shutdown_read(ssh, c); 121 chan_set_istate(c, CHAN_INPUT_WAIT_DRAIN); 122 break; 123 default: 124 error("channel %d: chan_read_failed for istate %d", 125 c->self, c->istate); 126 break; 127 } 128 } 129 130 void 131 chan_ibuf_empty(struct ssh *ssh, Channel *c) 132 { 133 debug2("channel %d: ibuf empty", c->self); 134 if (sshbuf_len(c->input)) { 135 error("channel %d: chan_ibuf_empty for non empty buffer", 136 c->self); 137 return; 138 } 139 switch (c->istate) { 140 case CHAN_INPUT_WAIT_DRAIN: 141 if (!(c->flags & (CHAN_CLOSE_SENT|CHAN_LOCAL))) 142 chan_send_eof2(ssh, c); 143 chan_set_istate(c, CHAN_INPUT_CLOSED); 144 break; 145 default: 146 error("channel %d: chan_ibuf_empty for istate %d", 147 c->self, c->istate); 148 break; 149 } 150 } 151 152 void 153 chan_obuf_empty(struct ssh *ssh, Channel *c) 154 { 155 debug2("channel %d: obuf empty", c->self); 156 if (sshbuf_len(c->output)) { 157 error("channel %d: chan_obuf_empty for non empty buffer", 158 c->self); 159 return; 160 } 161 switch (c->ostate) { 162 case CHAN_OUTPUT_WAIT_DRAIN: 163 chan_shutdown_write(ssh, c); 164 chan_set_ostate(c, CHAN_OUTPUT_CLOSED); 165 break; 166 default: 167 error("channel %d: internal error: obuf_empty for ostate %d", 168 c->self, c->ostate); 169 break; 170 } 171 } 172 173 void 174 chan_rcvd_eow(struct ssh *ssh, Channel *c) 175 { 176 debug2("channel %d: rcvd eow", c->self); 177 switch (c->istate) { 178 case CHAN_INPUT_OPEN: 179 chan_shutdown_read(ssh, c); 180 chan_set_istate(c, CHAN_INPUT_CLOSED); 181 break; 182 } 183 } 184 185 static void 186 chan_send_eof2(struct ssh *ssh, Channel *c) 187 { 188 int r; 189 190 debug2("channel %d: send eof", c->self); 191 switch (c->istate) { 192 case CHAN_INPUT_WAIT_DRAIN: 193 if (!c->have_remote_id) 194 fatal_f("channel %d: no remote_id", c->self); 195 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_EOF)) != 0 || 196 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 197 (r = sshpkt_send(ssh)) != 0) 198 fatal_fr(r, "send CHANNEL_EOF"); 199 c->flags |= CHAN_EOF_SENT; 200 break; 201 default: 202 error("channel %d: cannot send eof for istate %d", 203 c->self, c->istate); 204 break; 205 } 206 } 207 208 static void 209 chan_send_close2(struct ssh *ssh, Channel *c) 210 { 211 int r; 212 213 debug2("channel %d: send_close2", c->self); 214 if (c->ostate != CHAN_OUTPUT_CLOSED || 215 c->istate != CHAN_INPUT_CLOSED) { 216 error("channel %d: cannot send close for istate/ostate %d/%d", 217 c->self, c->istate, c->ostate); 218 } else if (c->flags & CHAN_CLOSE_SENT) { 219 error("channel %d: already sent close", c->self); 220 } else { 221 if (!c->have_remote_id) 222 fatal_f("channel %d: no remote_id", c->self); 223 debug2("channel %d: send close for remote id %u", c->self, 224 c->remote_id); 225 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_CLOSE)) != 0 || 226 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 227 (r = sshpkt_send(ssh)) != 0) 228 fatal_fr(r, "send CHANNEL_EOF"); 229 c->flags |= CHAN_CLOSE_SENT; 230 } 231 } 232 233 static void 234 chan_send_eow2(struct ssh *ssh, Channel *c) 235 { 236 int r; 237 238 debug2("channel %d: send eow", c->self); 239 if (c->ostate == CHAN_OUTPUT_CLOSED) { 240 error("channel %d: must not sent eow on closed output", 241 c->self); 242 return; 243 } 244 if (!(ssh->compat & SSH_NEW_OPENSSH)) 245 return; 246 if (!c->have_remote_id) 247 fatal_f("channel %d: no remote_id", c->self); 248 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_REQUEST)) != 0 || 249 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 250 (r = sshpkt_put_cstring(ssh, "eow@openssh.com")) != 0 || 251 (r = sshpkt_put_u8(ssh, 0)) != 0 || 252 (r = sshpkt_send(ssh)) != 0) 253 fatal_fr(r, "send CHANNEL_EOF"); 254 } 255 256 /* shared */ 257 258 void 259 chan_rcvd_ieof(struct ssh *ssh, Channel *c) 260 { 261 debug2("channel %d: rcvd eof", c->self); 262 c->flags |= CHAN_EOF_RCVD; 263 if (c->ostate == CHAN_OUTPUT_OPEN) 264 chan_set_ostate(c, CHAN_OUTPUT_WAIT_DRAIN); 265 if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN && 266 sshbuf_len(c->output) == 0 && 267 !CHANNEL_EFD_OUTPUT_ACTIVE(c)) 268 chan_obuf_empty(ssh, c); 269 } 270 271 void 272 chan_rcvd_oclose(struct ssh *ssh, Channel *c) 273 { 274 debug2("channel %d: rcvd close", c->self); 275 if (!(c->flags & CHAN_LOCAL)) { 276 if (c->flags & CHAN_CLOSE_RCVD) 277 error("channel %d: protocol error: close rcvd twice", 278 c->self); 279 c->flags |= CHAN_CLOSE_RCVD; 280 } 281 if (c->type == SSH_CHANNEL_LARVAL) { 282 /* tear down larval channels immediately */ 283 chan_set_ostate(c, CHAN_OUTPUT_CLOSED); 284 chan_set_istate(c, CHAN_INPUT_CLOSED); 285 return; 286 } 287 switch (c->ostate) { 288 case CHAN_OUTPUT_OPEN: 289 /* 290 * wait until a data from the channel is consumed if a CLOSE 291 * is received 292 */ 293 chan_set_ostate(c, CHAN_OUTPUT_WAIT_DRAIN); 294 break; 295 } 296 switch (c->istate) { 297 case CHAN_INPUT_OPEN: 298 chan_shutdown_read(ssh, c); 299 chan_shutdown_extended_read(ssh, c); 300 chan_set_istate(c, CHAN_INPUT_CLOSED); 301 break; 302 case CHAN_INPUT_WAIT_DRAIN: 303 if (!(c->flags & CHAN_LOCAL)) 304 chan_send_eof2(ssh, c); 305 chan_shutdown_extended_read(ssh, c); 306 chan_set_istate(c, CHAN_INPUT_CLOSED); 307 break; 308 } 309 } 310 311 void 312 chan_write_failed(struct ssh *ssh, Channel *c) 313 { 314 debug2("channel %d: write failed", c->self); 315 switch (c->ostate) { 316 case CHAN_OUTPUT_OPEN: 317 case CHAN_OUTPUT_WAIT_DRAIN: 318 chan_shutdown_write(ssh, c); 319 if (strcmp(c->ctype, "session") == 0) 320 chan_send_eow2(ssh, c); 321 chan_set_ostate(c, CHAN_OUTPUT_CLOSED); 322 break; 323 default: 324 error("channel %d: chan_write_failed for ostate %d", 325 c->self, c->ostate); 326 break; 327 } 328 } 329 330 void 331 chan_mark_dead(struct ssh *ssh, Channel *c) 332 { 333 c->type = SSH_CHANNEL_ZOMBIE; 334 } 335 336 int 337 chan_is_dead(struct ssh *ssh, Channel *c, int do_send) 338 { 339 if (c->type == SSH_CHANNEL_ZOMBIE) { 340 debug2("channel %d: zombie", c->self); 341 return 1; 342 } 343 if (c->istate != CHAN_INPUT_CLOSED || c->ostate != CHAN_OUTPUT_CLOSED) 344 return 0; 345 if ((ssh->compat & SSH_BUG_EXTEOF) && 346 c->extended_usage == CHAN_EXTENDED_WRITE && 347 c->efd != -1 && 348 sshbuf_len(c->extended) > 0) { 349 debug2("channel %d: active efd: %d len %zu", 350 c->self, c->efd, sshbuf_len(c->extended)); 351 return 0; 352 } 353 if (c->flags & CHAN_LOCAL) { 354 debug2("channel %d: is dead (local)", c->self); 355 return 1; 356 } 357 if (!(c->flags & CHAN_CLOSE_SENT)) { 358 if (do_send) { 359 chan_send_close2(ssh, c); 360 } else { 361 /* channel would be dead if we sent a close */ 362 if (c->flags & CHAN_CLOSE_RCVD) { 363 debug2("channel %d: almost dead", 364 c->self); 365 return 1; 366 } 367 } 368 } 369 if ((c->flags & CHAN_CLOSE_SENT) && 370 (c->flags & CHAN_CLOSE_RCVD)) { 371 debug2("channel %d: is dead", c->self); 372 return 1; 373 } 374 return 0; 375 } 376 377 /* helper */ 378 static void 379 chan_shutdown_write(struct ssh *ssh, Channel *c) 380 { 381 sshbuf_reset(c->output); 382 if (c->type == SSH_CHANNEL_LARVAL) 383 return; 384 /* shutdown failure is allowed if write failed already */ 385 debug2_f("channel %d: (i%d o%d sock %d wfd %d efd %d [%s])", 386 c->self, c->istate, c->ostate, c->sock, c->wfd, c->efd, 387 channel_format_extended_usage(c)); 388 if (c->sock != -1) { 389 if (shutdown(c->sock, SHUT_WR) == -1) { 390 debug2_f("channel %d: shutdown() failed for " 391 "fd %d [i%d o%d]: %.100s", c->self, c->sock, 392 c->istate, c->ostate, strerror(errno)); 393 } 394 } else { 395 if (channel_close_fd(ssh, c, &c->wfd) < 0) { 396 logit_f("channel %d: close() failed for " 397 "fd %d [i%d o%d]: %.100s", c->self, c->wfd, 398 c->istate, c->ostate, strerror(errno)); 399 } 400 } 401 } 402 403 static void 404 chan_shutdown_read(struct ssh *ssh, Channel *c) 405 { 406 if (c->type == SSH_CHANNEL_LARVAL) 407 return; 408 debug2_f("channel %d: (i%d o%d sock %d wfd %d efd %d [%s])", 409 c->self, c->istate, c->ostate, c->sock, c->rfd, c->efd, 410 channel_format_extended_usage(c)); 411 if (c->sock != -1) { 412 if (shutdown(c->sock, SHUT_RD) == -1) { 413 error_f("channel %d: shutdown() failed for " 414 "fd %d [i%d o%d]: %.100s", c->self, c->sock, 415 c->istate, c->ostate, strerror(errno)); 416 } 417 } else { 418 if (channel_close_fd(ssh, c, &c->rfd) < 0) { 419 logit_f("channel %d: close() failed for " 420 "fd %d [i%d o%d]: %.100s", c->self, c->rfd, 421 c->istate, c->ostate, strerror(errno)); 422 } 423 } 424 } 425 426 static void 427 chan_shutdown_extended_read(struct ssh *ssh, Channel *c) 428 { 429 if (c->type == SSH_CHANNEL_LARVAL || c->efd == -1) 430 return; 431 if (c->extended_usage != CHAN_EXTENDED_READ && 432 c->extended_usage != CHAN_EXTENDED_IGNORE) 433 return; 434 debug_f("channel %d: (i%d o%d sock %d wfd %d efd %d [%s])", 435 c->self, c->istate, c->ostate, c->sock, c->rfd, c->efd, 436 channel_format_extended_usage(c)); 437 if (channel_close_fd(ssh, c, &c->efd) < 0) { 438 logit_f("channel %d: close() failed for " 439 "extended fd %d [i%d o%d]: %.100s", c->self, c->efd, 440 c->istate, c->ostate, strerror(errno)); 441 } 442 } 443