Announce: OpenSSH 6.5 released

[Corinna Vinschen]

Hi guys,

On Jan 29 23:34, Damien Miller wrote:
> Changes since OpenSSH 6.4
> =========================
> [...]
> Bugfixes:
> 
>  * ssh(1), sshd(8): Fix potential stack exhaustion caused by nested
>    certificates.
> 
>  * ssh(1): bz#1211: make BindAddress work with UsePrivilegedPort.

there's a bug in this change.

Try this as user root:

  $ ssh -V
  OpenSSH_6.5p1, [...]
  $ ssh -oUsePrivilegedPort=yes remote-machine
  getaddrinfo: (null): Name or service not known
  getaddrinfo: (null): Name or service not known
  ssh: connect to host remote-machine port 22: No such file or directory

The bug is in sshconnect.c, function ssh_create_socket().  The only
way to avoid a call to to getaddrinfo is if *either* options.bind_address
is non-NULL, *or* UsePrivilegedPort is set to no:

  /* Bind the socket to an alternative local IP address */
  if (options.bind_address == NULL && !privileged)
	  return sock;

However, if UsePrivilegedPort is set to yes, options.bind_address will be
checked in the subsequent getaddrinfo call, even if it's NULL, because the
-b option hasn't been used.

The result is, both input parameters to getaddrinfo() are NULL, so
getaddrinfo() returns with EAI_NONAME, thus breaking the UsePrivilegedPort
functionality, unless -b is given as well.

Here's a patch:

Index: sshconnect.c
===================================================================
RCS file: /cvs/openssh/sshconnect.c,v
retrieving revision 1.217
diff -u -p -r1.217 sshconnect.c
--- sshconnect.c	9 Jan 2014 23:59:24 -0000	1.217
+++ sshconnect.c	3 Feb 2014 10:44:20 -0000
@@ -269,7 +269,7 @@ static int
 ssh_create_socket(int privileged, struct addrinfo *ai)
 {
 	int sock, r, gaierr;
-	struct addrinfo hints, *res;
+	struct addrinfo hints, *res = NULL;
 
 	sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
 	if (sock < 0) {
@@ -282,17 +282,19 @@ ssh_create_socket(int privileged, struct
 	if (options.bind_address == NULL && !privileged)
 		return sock;
 
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = ai->ai_family;
-	hints.ai_socktype = ai->ai_socktype;
-	hints.ai_protocol = ai->ai_protocol;
-	hints.ai_flags = AI_PASSIVE;
-	gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
-	if (gaierr) {
-		error("getaddrinfo: %s: %s", options.bind_address,
-		    ssh_gai_strerror(gaierr));
-		close(sock);
-		return -1;
+	if (options.bind_address) {
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = ai->ai_family;
+		hints.ai_socktype = ai->ai_socktype;
+		hints.ai_protocol = ai->ai_protocol;
+		hints.ai_flags = AI_PASSIVE;
+		gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
+		if (gaierr) {
+			error("getaddrinfo: %s: %s", options.bind_address,
+			    ssh_gai_strerror(gaierr));
+			close(sock);
+			return -1;
+		}
 	}
 	/*
 	 * If we are running as root and want to connect to a privileged
@@ -300,7 +302,7 @@ ssh_create_socket(int privileged, struct
 	 */
 	if (privileged) {
 		PRIV_START;
-		r = bindresvport_sa(sock, res->ai_addr);
+		r = bindresvport_sa(sock, res ? res->ai_addr : NULL);
 		PRIV_END;
 		if (r < 0) {
 			error("bindresvport_sa: af=%d %s", ai->ai_family,




-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140203/528f948b/attachment.bin>