comp_method_zlib_decomp: handle Z_BUF_ERROR when inflating

When using libssh2 to perform an SFTP file transfer from the "JSCAPE MFT Server" (http://www.jscape.com) the transfer failed. The default JSCAPE configuration is to enforce zlib compression on SSH2 sessions so the session was compressed. The relevant part of the debug trace contained: [libssh2] 1.052750 Transport: unhandled zlib error -5 [libssh2] 1.052750 Failure Event: -29 - decompression failure The trace comes from comp_method_zlib_decomp() in comp.c. The "unhandled zlib error -5" is the status returned from the zlib function inflate(). The -5 status corresponds to "Z_BUF_ERROR". The inflate() function takes a pointer to a z_stream structure and "inflates" (decompresses) as much as it can. The relevant fields of the z_stream structure are: next_in - pointer to the input buffer containing compressed data avail_in - the number of bytes available at next_in next_out - pointer to the output buffer to be filled with uncompressed data avail_out - how much space available at next_out To decompress data you set up a z_stream struct with the relevant fields filled in and pass it to inflate(). On return the fields will have been updated so next_in and avail_in show how much compressed data is yet to be processed and next_out and avail_out show how much space is left in the output buffer. If the supplied output buffer is too small then on return there will be compressed data yet to be processed (avail_in != 0) and inflate() will return Z_OK. In this case the output buffer must be grown, avail_out updated and inflate() called again. If the supplied output buffer was big enough then on return the compressed data will have been exhausted (avail_in == 0) and inflate() will return Z_OK, so the data has all been uncompressed. There is a corner case where inflate() makes no progress. That is, there may be unprocessed compressed data and space available in the output buffer and yet the function does nothing. In this case inflate() will return Z_BUF_ERROR. From the zlib documentation and the source code it is not clear under what circumstances this happens. It could be that it needs to write multiple bytes (all in one go) from its internal state to the output buffer before processing the next chunk of input but but can't because there is not enough space (though my guesses as to the cause are not really relevant). Recovery from Z_BUF_ERROR is pretty simple - just grow the output buffer, update avail_out and call inflate() again. The comp_method_zlib_decomp() function does not handle the case when inflate() returns Z_BUF_ERROR. It treats it as a non-recoverable error and basically aborts the session. Fixes #240
2012-06-14 16:05:23 +02:00 · 2012-06-14 16:05:23 +02:00 · 6f8dd9baff
commit 6f8dd9baff
parent a1c0d97ff9
1 changed files with 38 additions and 65 deletions
--- a/src/comp.c
+++ b/src/comp.c
@ -248,83 +248,56 @@ comp_method_zlib_decomp(LIBSSH2_SESSION * session,
    if (!strm->next_out)
        return _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
                              "Unable to allocate decompression buffer");
-    while (strm->avail_in) {
-        int status;
+
+    /* Loop until it's all inflated or hit error */
+    for (;;) {
+        int status, grow_size;
+        size_t out_ofs;
+        char *newout;

        status = inflate(strm, Z_PARTIAL_FLUSH);

-        if (status != Z_OK) {
+        if (status == Z_OK) {
+            if (! strm->avail_in) {
+                /* status is OK and input all used so we're done */
+                break;
+            }
+        } else if (status == Z_BUF_ERROR) {
+            /* This is OK, just drop through to grow the buffer */
+        } else {
+            /* error state */
            LIBSSH2_FREE(session, out);
            _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
                           "unhandled zlib error %d", status);
            return _libssh2_error(session, LIBSSH2_ERROR_ZLIB,
                                  "decompression failure");
        }
+
+        /* If we get here we need to grow the output buffer and try again */
+        out_ofs = out_maxlen - strm->avail_out;
        if (strm->avail_in) {
-            size_t out_ofs = out_maxlen - strm->avail_out;
-            char *newout;
+            grow_size = strm->avail_in * 8;
+        } else {
+            /* Not sure how much to grow by */
+            grow_size = 32;
+        }
+        out_maxlen += grow_size;

-            out_maxlen += 8 * strm->avail_in;
+        if ((out_maxlen > (int) payload_limit) && limiter++) {
+            LIBSSH2_FREE(session, out);
+            return _libssh2_error(session, LIBSSH2_ERROR_ZLIB,
+                                  "Excessive growth in decompression phase");
+        }

-            if ((out_maxlen > (int) payload_limit) && limiter++) {
-                LIBSSH2_FREE(session, out);
-                return _libssh2_error(session, LIBSSH2_ERROR_ZLIB,
-                                      "Excessive growth in decompression phase");
-            }
-
-            newout = LIBSSH2_REALLOC(session, out, out_maxlen);
-            if (!newout) {
-                LIBSSH2_FREE(session, out);
-                return _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
-                                      "Unable to expand decompression buffer");
-            }
-            out = newout;
-            strm->next_out = (unsigned char *) out + out_ofs;
-            strm->avail_out += 8 * strm->avail_in;
-        } else
-            while (!strm->avail_out) {
-                /* Done with input, might be a byte or two in internal buffer
-                 * during compress.  Or potentially many bytes if it's a
-                 * decompress
-                 */
-                int grow_size = 2048;
-                char *newout;
-
-                if (out_maxlen >= (int) payload_limit) {
-                    LIBSSH2_FREE(session, out);
-                    return _libssh2_error(session, LIBSSH2_ERROR_ZLIB,
-                                          "Excessive growth in decompression "
-                                          "phase");
-                }
-
-                if (grow_size > (int) (payload_limit - out_maxlen)) {
-                    grow_size = payload_limit - out_maxlen;
-                }
-
-                out_maxlen += grow_size;
-                strm->avail_out = grow_size;
-
-                newout = LIBSSH2_REALLOC(session, out, out_maxlen);
-                if (!newout) {
-                    LIBSSH2_FREE(session, out);
-                    return _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
-                                          "Unable to expand final "
-                                          "decompress buffer");
-                }
-                out = newout;
-                strm->next_out = (unsigned char *) out + out_maxlen -
-                    grow_size;
-
-                status = inflate(strm, Z_PARTIAL_FLUSH);
-
-                if (status != Z_OK) {
-                    LIBSSH2_FREE(session, out);
-                    _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
-                                   "unhandled zlib error %d", status);
-                    return _libssh2_error(session, LIBSSH2_ERROR_ZLIB,
-                                          "decompression failure");
-                }
-            }
+        newout = LIBSSH2_REALLOC(session, out, out_maxlen);
+        if (!newout) {
+            LIBSSH2_FREE(session, out);
+            return _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
+                                  "Unable to expand decompression buffer");
+        }
+        out = newout;
+        strm->next_out = (unsigned char *) out + out_ofs;
+        strm->avail_out += grow_size;
    }

    *dest = (unsigned char *) out;