From: Matt Johnston Date: Wed, 8 Jun 2022 21:26:20 +0800 Subject: Fix MAX_UNAUTH_CLIENTS regression Since re-exec change in 2022.82 Dropbear count treat authenticated sessions towards the unauthenticated session limit. This is fixed by passing the childpipe FD through to the re-execed process. --- runopts.h | 5 +++-- svr-main.c | 21 +++++++++++---------- svr-runopts.c | 15 ++++++++++++--- 3 files changed, 26 insertions(+), 15 deletions(-) --- a/runopts.h +++ b/runopts.h @@ -79,8 +79,9 @@ typedef struct svr_runopts { char *addresses[DROPBEAR_MAX_PORTS]; int inetdmode; - /* Hidden "-2" flag indicates it's re-executing itself */ - int reexec_child; + /* Hidden "-2 childpipe_fd" flag indicates it's re-executing itself, + stores the childpipe preauth file descriptor. Set to -1 otherwise. */ + int reexec_childpipe; /* Flags indicating whether to use ipv4 and ipv6 */ /* not used yet --- a/svr-main.c +++ b/svr-main.c @@ -71,7 +71,7 @@ int main(int argc, char ** argv) #endif #if DROPBEAR_DO_REEXEC - if (svr_opts.reexec_child) { + if (svr_opts.reexec_childpipe >= 0) { #ifdef PR_SET_NAME /* Fix the "Name:" in /proc/pid/status, otherwise it's a FD number from fexecve. @@ -102,7 +102,7 @@ static void main_inetd() { seedrandom(); - if (!svr_opts.reexec_child) { + if (svr_opts.reexec_childpipe < 0) { /* In case our inetd was lax in logging source addresses */ get_socket_address(0, NULL, NULL, &host, &port, 0); dropbear_log(LOG_INFO, "Child connection from %s:%s", host, port); @@ -115,10 +115,8 @@ static void main_inetd() { setsid(); } - /* Start service program - * -1 is a dummy childpipe, just something we can close() without - * mattering. */ - svr_session(0, -1); + /* -1 for childpipe in the inetd case is discarded */ + svr_session(0, svr_opts.reexec_childpipe); /* notreached */ } @@ -347,9 +345,10 @@ static void main_noinetd(int argc, char if (execfd >= 0) { #if DROPBEAR_DO_REEXEC - /* Add "-2" to the args and re-execute ourself. */ - char **new_argv = m_malloc(sizeof(char*) * (argc+3)); - int pos0 = 0, new_argc = argc+1; + /* Add "-2 childpipe[1]" to the args and re-execute ourself. */ + char **new_argv = m_malloc(sizeof(char*) * (argc+4)); + char buf[10]; + int pos0 = 0, new_argc = argc+2; /* We need to specially handle "dropbearmulti dropbear". */ if (multipath) { @@ -359,7 +358,9 @@ static void main_noinetd(int argc, char } memcpy(&new_argv[pos0], argv, sizeof(char*) * argc); - new_argv[new_argc-1] = "-2"; + new_argv[new_argc-2] = "-2"; + snprintf(buf, sizeof(buf), "%d", childpipe[1]); + new_argv[new_argc-1] = buf; new_argv[new_argc] = NULL; if ((dup2(childsock, STDIN_FILENO) < 0)) { --- a/svr-runopts.c +++ b/svr-runopts.c @@ -138,6 +138,7 @@ void svr_getopts(int argc, char ** argv) char* keepalive_arg = NULL; char* idle_timeout_arg = NULL; char* maxauthtries_arg = NULL; + char* reexec_fd_arg = NULL; char* keyfile = NULL; char c; #if DROPBEAR_PLUGIN @@ -175,6 +176,7 @@ void svr_getopts(int argc, char ** argv) svr_opts.pubkey_plugin_options = NULL; #endif svr_opts.pass_on_env = 0; + svr_opts.reexec_childpipe = -1; #ifndef DISABLE_ZLIB opts.compress_mode = DROPBEAR_COMPRESS_DELAYED; @@ -250,12 +252,12 @@ void svr_getopts(int argc, char ** argv) #if DROPBEAR_DO_REEXEC && NON_INETD_MODE /* For internal use by re-exec */ case '2': - svr_opts.reexec_child = 1; + next = &reexec_fd_arg; break; #endif case 'p': - nextisport = 1; - break; + nextisport = 1; + break; case 'P': next = &svr_opts.pidfile; break; @@ -426,6 +428,13 @@ void svr_getopts(int argc, char ** argv) dropbear_log(LOG_INFO, "Forced command set to '%s'", svr_opts.forced_command); } + if (reexec_fd_arg) { + if (m_str_to_uint(reexec_fd_arg, &svr_opts.reexec_childpipe) == DROPBEAR_FAILURE + || svr_opts.reexec_childpipe < 0) { + dropbear_exit("Bad -2"); + } + } + #if INETD_MODE if (svr_opts.inetdmode && ( opts.usingsyslog == 0