Factored send_packet_inner into tx_finalize (DSSH_PRIVATE) which
handles padding, MAC, encrypt, send, and counters given a payload
already in tx_packet[9]. send_packet_inner now copies payload then
calls tx_finalize. drain_tx_queue promoted to DSSH_PRIVATE.
ZC core in ssh-conn.c:
- zc_getbuf_inner: acquires tx_mtx, waits for rekey, drains tx_queue,
checks remote_window/remote_max_packet under buf_mtx, returns
pointer into tx_packet data area past the channel header
- zc_send_inner: fills channel header (msg_type, channel_id,
data_type_code, length) at tx_packet[9], calls tx_finalize,
deducts from remote_window, releases tx_mtx
- zc_cancel_inner: releases tx_mtx without sending
Stream write (dssh_chan_write) rewired: calls zc_getbuf_inner, memcpy, zc_send_inner. Eliminates the per-packet malloc that send_data used. DSSH_ERROR_NOMORE (window full) mapped to 0 bytes sent.
Demux RX data path rewired: handle_channel_data/extended_data call
the channel's zc_cb for new-model channels (releasing buf_mtx first,
setting _Thread_local in_zc_rx guard). Stream channels use
stream_zc_cb which copies into ring buffer under buf_mtx.
Public ZC API: dssh_chan_zc_open, dssh_chan_zc_getbuf,
dssh_chan_zc_send, dssh_chan_zc_cancel. All validate ch, check
in_zc_rx guard, delegate to inner functions.
A malicious peer can flood CHANNEL_REQUESTs (signal, break,
window-change) to grow the event queue without bound. Add a
per-channel max_events cap (default 64, inherited from session).
When the queue is full, the demux thread closes the channel.
- event_queue_push() returns DSSH_ERROR_TOOMANY at cap
- dssh_session_set_max_events() sets default (before start)
- dssh_chan_set_max_events() adjusts per-channel (DSSH_ERROR_INVALID
if cap < current count)
- Pass 0 to disable the cap
- All event_queue_push() call sites now check return values