[Bug 2735] New: Wrong address family handling for tun devices

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Mon Jul 3 08:27:42 AEST 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2735

            Bug ID: 2735
           Summary: Wrong address family handling for tun devices
           Product: Portable OpenSSH
           Version: 7.5p1
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: stepe at centaurus.uberspace.de

Created attachment 3005
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3005&action=edit
Patch to fix address family handling for sys_tun_infilter()

[Also affects sshd.
Affected OSes depend on SSH_TUN_COMPAT_AF and SSH_TUN_PREPEND_AF.]

Hello OpenSSH developers,

I noticed issues with the address family handling for tun devices in
the sys_tun_infilter() and sys_tun_outfilter() functions.

An example symptom is that when using tuns with IPv6 on Linux
(SSH_TUN_COMPAT_AF and SSH_TUN_PREPEND_AF defined), the client sends
tunneled packets with the (fallback) v4 family.

In sys_tun_infilter(), the AF is not always converted to network byte
order. Please see the first attached patch.

In sys_tun_outfilter(), the af pointer is assigned from the integer
return value of ntohl() and then later dereferenced. Please see the
second patch for a proposed fix.
I have/could not test this second patch as I do not have a platform
with SSH_TUN_COMPAT_AF, but not SSH_TUN_PREPEND_AF (at least not that I
know).

Have a nice day,
Peter

PS: Thank you for developing and maintaining OpenSSH and OpenBSD

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list