I think this takes care of the memory issues. However,

it looks like there might be something going on with the
aes-ctr-mt cipher. It seems to be slower than the default
cipher. I need to verify that.

Author: rapier1

packet.c

@@ -961,7 +961,7 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
 		comp->enabled = 1;
 	}
 
-	/* get the maximum number of blocks the cipher can 
+	/* get the maximum number of blocks the cipher can
 	 * handle safely */
 	*max_blocks = cipher_rekey_blocks(enc->cipher);
 
@@ -2236,11 +2236,19 @@ ssh_packet_set_server(struct ssh *ssh)
 	ssh->kex->server = 1; /* XXX unify? */
 }
 
+/* Set the state of the connection to post auth
+ * While we are here also decrease the size of
+ * packet_max_size to something more reasonable.
+ * In this case thats 33k. Which is the size of
+ * the largest packet we expect to see and some space
+ * for overhead. This reduces memory usage in high
+ * BDP environments without impacting performance
+ * -cjr 4/11/23 */
 void
 ssh_packet_set_authenticated(struct ssh *ssh)
 {
 	ssh->state->after_authentication = 1;
-	packet_max_size = 256 * 1024;
+	packet_max_size = SSH_IOBUFSZ + 1024;
 }
 
 void *

sshbuf.c

@@ -27,7 +27,7 @@
 #define SSHBUF_INTERNAL
 #include "sshbuf.h"
 #include "misc.h"
-#include "log.h"
+/* #include "log.h" */
 
 #define BUF_WATERSHED 256*1024
 
@@ -425,8 +425,8 @@ sshbuf_allocate(struct sshbuf *buf, size_t len)
 		 * up being somewhat overallocated but works quickly */
 		need = (4*1024*1024);
 		rlen = ROUNDUP(buf->alloc + need, SSHBUF_SIZE_INC);
-		debug_f ("Post: label: %s, %p, rlen is %zu need is %zu win_max is %zu max_size is %zu",
-			 buf->label, buf, rlen, need, buf->window_max, buf->max_size);
+		/* debug_f ("Post: label: %s, %p, rlen is %zu need is %zu win_max is %zu max_size is %zu", */
+		/* 	 buf->label, buf, rlen, need, buf->window_max, buf->max_size); */
 	}
 	SSHBUF_DBG(("need %zu initial rlen %zu", need, rlen));