[Bug 3730] Integer overflow when adding 6000 and display_number

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Dec 4 22:40:38 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3730

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Damien Miller from comment #1)
> > The display_number variable is read from a string containing the
> > value of the DISPLAY environment variable
> 
> That is not correct. This code is used to *set* the DISPLAY
> environment variable. The starting value comes from the sshd_config
> X11DisplayOffset configuration option.

There's both.

x11_create_display_inet() uses X11DisplayOffset as a starting point to
figure out what port sshd(8) should try to bind to, after which it sets
$DISPLAY on the server side to point to that.  This is constrained by
MAX_DISPLAYS (1000), but it's got to fit inside a 16-bit port number. 
So in theory the admin could set X11DisplayOffset higher than the
16-bit port number.

x11_connect_display() does parse $DISPLAY to figure out where ssh(1)
should send the forwarded connections to.


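Added example, not part of the original message and not OpenSSH code: a bounds check that serves both paths discussed above (a display number derived from X11DisplayOffset, and one parsed out of $DISPLAY) by validating the value before 6000 is added to it. The function and macro names are hypothetical, and only the "host:N" / "host:N.S" TCP form of a display string is handled.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define X11_BASE_PORT 6000	/* TCP port of X display 0 */
#define MAX_TCP_PORT  65535	/* TCP ports are 16-bit */

/*
 * Map a display number to its TCP port. The range check runs before the
 * addition, so 6000 + display_number can neither overflow an int nor
 * exceed a 16-bit port. Returns 0 on success, -1 if out of range.
 */
int
display_to_port(long display_number, int *port)
{
	if (display_number < 0 ||
	    display_number > MAX_TCP_PORT - X11_BASE_PORT)
		return -1;
	*port = X11_BASE_PORT + (int)display_number;
	return 0;
}

/*
 * Extract the display number from a "host:N" or "host:N.S" string and
 * convert it to a port. Returns 0 on success, -1 on malformed or
 * out-of-range input.
 */
int
display_string_to_port(const char *display, int *port)
{
	const char *colon = strrchr(display, ':');
	char *end;
	long n;

	if (colon == NULL || colon[1] < '0' || colon[1] > '9')
		return -1;	/* no digits; also rejects "+5", "-1", " 5" */
	errno = 0;
	n = strtol(colon + 1, &end, 10);
	if (errno == ERANGE || (*end != '\0' && *end != '.'))
		return -1;	/* does not fit in a long, or trailing junk */
	return display_to_port(n, port);
}
```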