Remote port forwarding in a multiplexed connection: possible "clientspecified" bug
Sami.Hartikainen at teleste.com
Fri Sep 19 00:08:53 EST 2014
> Now the following mux command (on client with ControlMaster connected
> and running and ControlPath set appropriately):
>
> $ ssh -O forward -R ':0:localhost:3502' <hostaddr>
>
> Port ... (set with an empty bind_address) should be bound to the wildcard
> address, not localhost. The same -R option given for ControlMaster (or
> non-multiplexed ssh client) works as expected.

(Answering to myself...)

The reason seems to be that the unset bind_address (i.e. NULL) is transformed
into an empty string in mux.c:mux_client_forward():

    buffer_put_cstring(&m,
        fwd->listen_host == NULL ? "" : fwd->listen_host);

Separation between an unset and an empty bind_address is now lost; ControlMaster
in turn nullifies such an empty listen_addr, resulting in a localhost bind. This happens
in mux.c:process_mux_open_fwd():

    if (*listen_addr == '\0') {
        free(listen_addr);
        listen_addr = NULL;
    }

I guess this is done because the Buffer (i.e. the underlying sshbuf) does not differentiate
a NULL string from an empty one. And NULL is assumed/preferred here because it's safer.

--
Sami
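
Added example, not part of the original post and not OpenSSH code: a self-contained C model of the round trip described above, showing that an unset and an empty bind_address reach the master as the same value. The `struct wire` buffer, `enum bind`, `roundtrip()` and the `client_send_distinct()` variant (which sends an empty address as "*", the all-interfaces form documented in ssh(1)) are hypothetical names, and the bind policy is simplified to a server that honours the client's choice.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy length-prefixed string buffer; a stand-in, NOT OpenSSH's sshbuf. */
struct wire { unsigned char data[64]; size_t len; };
enum bind { BIND_LOOPBACK, BIND_WILDCARD, BIND_SPECIFIC };

static void put_cstring(struct wire *w, const char *s) {
    size_t n = strlen(s);
    if (n > sizeof(w->data) - 1) n = sizeof(w->data) - 1;
    w->data[0] = (unsigned char)n;   /* length prefix cannot express NULL */
    memcpy(w->data + 1, s, n);
    w->len = n + 1;
}

/* Client side, following the quoted mux_client_forward() line. */
static void client_send(struct wire *w, const char *listen_host) {
    put_cstring(w, listen_host == NULL ? "" : listen_host);
}

/* Hypothetical variant: send an empty bind_address as "*" instead. */
static void client_send_distinct(struct wire *w, const char *listen_host) {
    if (listen_host != NULL && *listen_host == '\0') listen_host = "*";
    client_send(w, listen_host);
}

/* Master side, following the quoted process_mux_open_fwd() lines. */
static enum bind master_bind(const struct wire *w) {
    size_t n = w->data[0];
    char *listen_addr = calloc(n + 1, 1);
    enum bind b = BIND_SPECIFIC;
    if (listen_addr == NULL) abort();
    memcpy(listen_addr, w->data + 1, n);
    if (*listen_addr == '\0') { free(listen_addr); listen_addr = NULL; }
    if (listen_addr == NULL) b = BIND_LOOPBACK;        /* treated as unset */
    else if (strcmp(listen_addr, "*") == 0) b = BIND_WILDCARD;
    free(listen_addr);
    return b;
}

static enum bind roundtrip(const char *host, int distinct) {
    struct wire w;
    if (distinct) client_send_distinct(&w, host); else client_send(&w, host);
    return master_bind(&w);
}

int main(void) {
    printf("unset=%d empty=%d empty-as-star=%d\n", roundtrip(NULL, 0), roundtrip("", 0), roundtrip("", 1));
    return 0;
}
```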