From a21cdfac2fd89360b5c60152bda60b4150ad35fc Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 28 Jan 2010 06:26:59 +1100 Subject: [PATCH] - djm@cvs.openbsd.org 2010/01/27 13:26:17 [mux.c] fix bug introduced in mux rewrite: In a mux master, when a socket to a mux slave closes before its server session (as may occur when the slave has been signalled), gracefully close the server session rather than deleting its channel immediately. A server may have more messages on that channel to send (e.g. an exit message) that will fatal() the client if they are sent to a channel that has been prematurely deleted. spotted by imorgan AT nas.nasa.gov --- ChangeLog | 12 ++++++++++++ mux.c | 10 ++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index aac1b7193..05cbba64a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,18 @@ [mux.c] -Wuninitialized and remove a // comment; from portable (Id sync only) + - djm@cvs.openbsd.org 2010/01/27 13:26:17 + [mux.c] + fix bug introduced in mux rewrite: + + In a mux master, when a socket to a mux slave closes before its server + session (as may occur when the slave has been signalled), gracefully + close the server session rather than deleting its channel immediately. + A server may have more messages on that channel to send (e.g. an exit + message) that will fatal() the client if they are sent to a channel that + has been prematurely deleted. + + spotted by imorgan AT nas.nasa.gov 20100126 - (djm) OpenBSD CVS Sync diff --git a/mux.c b/mux.c index ef99b5737..64781d44c 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.11 2010/01/26 02:15:20 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.12 2010/01/27 13:26:17 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -210,7 +210,13 @@ mux_master_control_cleanup_cb(int cid, void *unused) __func__, c->self, c->remote_id); c->remote_id = -1; sc->ctl_chan = -1; - chan_mark_dead(sc); + if (sc->type != SSH_CHANNEL_OPEN) { + debug2("%s: channel %d: not open", __func__, sc->self); + chan_mark_dead(c); + } else { + chan_read_failed(sc); + chan_write_failed(sc); + } } channel_cancel_cleanup(c->self); }