From 697a04ae745ad39bb3b6c700fdbadbd1cddc3d6e Mon Sep 17 00:00:00 2001
From: djm <djm@openbsd.org>
Date: Tue, 11 Jun 2024 02:00:30 +0000
Subject: [PATCH] reap the pre-auth [net] child if it hangs up during privsep
 message sending, not just receiving

---
 usr.bin/ssh/monitor_wrap.c | 61 +++++++++++++++++++++++---------------
 1 file changed, 37 insertions(+), 24 deletions(-)

diff --git a/usr.bin/ssh/monitor_wrap.c b/usr.bin/ssh/monitor_wrap.c
index 9b06f152f20..b59d1847cfc 100644
--- a/usr.bin/ssh/monitor_wrap.c
+++ b/usr.bin/ssh/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.133 2024/06/11 00:44:52 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.134 2024/06/11 02:00:30 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -117,24 +117,6 @@ mm_is_monitor(void)
 	return (pmonitor && pmonitor->m_pid > 0);
 }
 
-void
-mm_request_send(int sock, enum monitor_reqtype type, struct sshbuf *m)
-{
-	size_t mlen = sshbuf_len(m);
-	u_char buf[5];
-
-	debug3_f("entering, type %d", type);
-
-	if (mlen >= 0xffffffff)
-		fatal_f("bad length %zu", mlen);
-	POKE_U32(buf, mlen + 1);
-	buf[4] = (u_char) type;		/* 1st byte of payload is mesg-type */
-	if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf))
-		fatal_f("write: %s", strerror(errno));
-	if (atomicio(vwrite, sock, sshbuf_mutable_ptr(m), mlen) != mlen)
-		fatal_f("write: %s", strerror(errno));
-}
-
 static void
 mm_reap(void)
 {
@@ -166,12 +148,42 @@ mm_reap(void)
 	}
 }
 
+void
+mm_request_send(int sock, enum monitor_reqtype type, struct sshbuf *m)
+{
+	size_t mlen = sshbuf_len(m);
+	u_char buf[5];
+
+	debug3_f("entering, type %d", type);
+
+	if (mlen >= 0xffffffff)
+		fatal_f("bad length %zu", mlen);
+	POKE_U32(buf, mlen + 1);
+	buf[4] = (u_char) type;		/* 1st byte of payload is mesg-type */
+	if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf)) {
+		if (errno == EPIPE) {
+			debug3_f("monitor fd closed (header)");
+			mm_reap();
+			cleanup_exit(255);
+		}
+		fatal_f("write: %s", strerror(errno));
+	}
+	if (atomicio(vwrite, sock, sshbuf_mutable_ptr(m), mlen) != mlen) {
+		if (errno == EPIPE) {
+			debug3_f("monitor fd closed (body)");
+			mm_reap();
+			cleanup_exit(255);
+		}
+		fatal_f("write: %s", strerror(errno));
+	}
+}
+
 void
 mm_request_receive(int sock, struct sshbuf *m)
 {
 	u_char buf[4], *p = NULL;
 	u_int msg_len;
-	int oerrno, r;
+	int r;
 
 	debug3_f("entering");
 
@@ -190,11 +202,12 @@ mm_request_receive(int sock, struct sshbuf *m)
 	if ((r = sshbuf_reserve(m, msg_len, &p)) != 0)
 		fatal_fr(r, "reserve");
 	if (atomicio(read, sock, p, msg_len) != msg_len) {
-		oerrno = errno;
-		error_f("read: %s", strerror(errno));
-		if (oerrno == EPIPE)
+		if (errno == EPIPE) {
+			debug3_f("monitor fd closed");
 			mm_reap();
-		cleanup_exit(255);
+			cleanup_exit(255);
+		}
+		fatal_f("read: %s", strerror(errno));
 	}
 }
 
-- 
2.20.1