Port Forward Limit?

Damien Miller djm at mindrot.org
Tue Sep 30 15:21:17 EST 2014


On Tue, 30 Sep 2014, Damien Miller wrote:

> I'm not sure how to disable this check (which is broken) without turning
> off the rest of FORTIFY_SOURCE (which gives some good hardening).
> Suggestions welcome.

This is the best that I've come up with for now:

Index: openbsd-compat/Makefile.in
===================================================================
RCS file: /var/cvs/openssh/openbsd-compat/Makefile.in,v
retrieving revision 1.55
diff -u -p -r1.55 Makefile.in
--- openbsd-compat/Makefile.in	4 Feb 2014 00:37:50 -0000	1.55
+++ openbsd-compat/Makefile.in	30 Sep 2014 05:19:06 -0000
@@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@
 
 OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
 
-COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
 
 PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
 
Index: openbsd-compat/kludge-fd_set.c
===================================================================
RCS file: openbsd-compat/kludge-fd_set.c
diff -N openbsd-compat/kludge-fd_set.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ openbsd-compat/kludge-fd_set.c	30 Sep 2014 05:19:06 -0000
@@ -0,0 +1,28 @@
+/* Placed in the public domain.  */
+
+/*
+ * _FORTIFY_SOURCE includes a misguided check for FD_SET(n)/FD_ISSET(b)
+ * where n > FD_SETSIZE. This breaks OpenSSH and other programs that
+ * explicitly allocate fd_sets. To avoid this, we wrap FD_SET in a
+ * function compiled without _FORTIFY_SOURCE.
+ */
+
+#include "config.h"
+
+#if defined(HAVE_FEATURES_H) && defined(_FORTIFY_SOURCE)
+# include <features.h>
+# if defined(__GNU_LIBRARY__) && defined(__GLIBC_PREREQ)
+#  if __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0)
+#   undef FORTIFY_SOURCE
+#   undef __USE_FORTIFY_LEVEL
+#   include <sys/socket.h>
+void kludge_FD_SET(int n, fd_set *set) {
+	FD_SET(n, set);
+}
+int kludge_FD_ISSET(int n, fd_set *set) {
+	return FD_ISSET(n, set);
+}
+#  endif /* __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) */
+# endif /* __GNU_LIBRARY__ && __GLIBC_PREREQ */
+#endif /* HAVE_FEATURES_H && _FORTIFY_SOURCE */
+
Index: openbsd-compat/openbsd-compat.h
===================================================================
RCS file: /var/cvs/openssh/openbsd-compat/openbsd-compat.h,v
retrieving revision 1.61
diff -u -p -r1.61 openbsd-compat.h
--- openbsd-compat/openbsd-compat.h	4 Feb 2014 00:18:23 -0000	1.61
+++ openbsd-compat/openbsd-compat.h	30 Sep 2014 05:19:06 -0000
@@ -268,4 +268,20 @@ char *shadow_pw(struct passwd *pw);
 #include "port-tun.h"
 #include "port-uw.h"
 
+/* _FORTIFY_SOURCE breaks FD_ISSET(n)/FD_SET(n) for n > FD_SETSIZE. Avoid. */
+#if defined(HAVE_FEATURES_H) && defined(_FORTIFY_SOURCE)
+# include <features.h>
+# if defined(__GNU_LIBRARY__) && defined(__GLIBC_PREREQ)
+#  if __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0)
+#   include <sys/socket.h>  /* Ensure include guard is defined */
+#   undef FD_SET
+#   undef FD_ISSET
+#   define FD_SET(n, set)	kludge_FD_SET(n, set)
+#   define FD_ISSET(n, set)	kludge_FD_ISSET(n, set)
+void kludge_FD_SET(int, fd_set *);
+int kludge_FD_ISSET(int, fd_set *);
+#  endif /* __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) */
+# endif /* __GNU_LIBRARY__ && __GLIBC_PREREQ */
+#endif /* HAVE_FEATURES_H && _FORTIFY_SOURCE */
+
 #endif /* _OPENBSD_COMPAT_H */


More information about the openssh-unix-dev mailing list