Remote port forwarding in a multiplexed connection: possible "clientspecified" bug

Sami.Hartikainen at Sami.Hartikainen at
Fri Sep 19 00:08:53 EST 2014

> Now the following mux command (on client with ControlMaster connected
> and running and ControlPath set appropriately):
>     $ ssh -O forward -R ':0:localhost:3502' <hostaddr>
> Port ... (set with an empty bind_address) should be bind to wildcard
> address, not localhost. The same -R option given for ControlMaster (or non-
> multiplexed ssh client) works as expected.

(Answering to myself...)

The reason seems to be that the unset bind_address (i.e. NULL) is transformed
into an empty string in mux.c:mux_client_forward():

	    fwd->listen_host == NULL ? "" : fwd->listen_host);

Separation between an unset and an empty bind_address is now lost; ControlMaster
in turn nullifies such an empty listen_addr, resulting in a localhost bind. This happens
in mux.c:process_mux_open_fwd():

	if (*listen_addr == '\0') {
		listen_addr = NULL;

I guess this is done because the Buffer (i.e. the underlying sshbuf) does not differentiate
NULL string from an empty one. And NULL is assumed/preferred here because it's safer.


More information about the openssh-unix-dev mailing list