sshd Failing New Inbound Connections

Demi Marie Obenour demiobenour at gmail.com
Tue Mar 22 22:26:11 AEDT 2022


On 3/21/22 15:08, Thorsten Glaser wrote:
> On Mon, 21 Mar 2022, Steffen Nurpmeso wrote:
> 
>>  |> actually even standardized that "octal numbers" are not supported
>>
>> ..inet_pton..
> 
> Huh. Not that but inet_aton on GNU, and other functions apparently.
> 
> This is idiotic, and I guess the same POSIX that insists on octals
> for leading-zero numbers in shell, causing no small amount of bugs,
> is responsible. Hmph.
> 
>>  |> 127.000.000.001 in form fields etc.
> 
> |            $ ./a.out 226.000.000.037      # Last byte is in octal
> 
> Given that these may be either decimal or octal, depending on where
> they come from, it’s probably for the best to reject them.

Not only is it best practice to reject them, failing to do so has
caused security holes in the past.  I believe both Go and Rust
reject them nowadays for that reason.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
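
The ambiguity discussed in this message, as an added C example that is not part of the original post or of OpenSSH: a strict dotted-quad parser that rejects leading-zero octets, beside POSIX inet_addr(), which reads a leading 0 as octal in the same way as the inet_aton mentioned in the thread. The function names parse_ipv4_strict and parse_ipv4_lenient and the sample inputs are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Strict dotted quad: four decimal octets 0-255, no leading zeros; 1 = ok. */
int parse_ipv4_strict(const char *s, uint32_t *out)
{
    uint32_t addr = 0;
    for (int i = 0; i < 4; i++) {
        unsigned val = 0;
        if (*s < '0' || *s > '9')
            return 0;                 /* empty octet, sign or whitespace */
        if (*s == '0' && s[1] >= '0' && s[1] <= '9')
            return 0;                 /* leading zero: decimal or octal? */
        while (*s >= '0' && *s <= '9') {
            val = val * 10 + (unsigned)(*s++ - '0');
            if (val > 255)
                return 0;
        }
        addr = (addr << 8) | val;     /* host byte order */
        if (i < 3 && *s++ != '.')
            return 0;                 /* too few octets or stray character */
    }
    if (*s != '\0')
        return 0;                     /* trailing data, including hex digits */
    *out = addr;
    return 1;
}

/* Lenient reading via inet_addr(): a leading 0 means octal, 0x means hex. */
int parse_ipv4_lenient(const char *s, uint32_t *out)
{
    in_addr_t a = inet_addr(s);
    if (a == INADDR_NONE)
        return 0;
    *out = ntohl(a);
    return 1;
}

int main(void)
{
    /* Constructed inputs; the second is the string quoted in the thread. */
    const char *in[] = { "226.0.0.37", "226.000.000.037", "010.8.8.8" };
    for (int i = 0; i < 3; i++) {
        uint32_t s = 0, l = 0;
        int sok = parse_ipv4_strict(in[i], &s), lok = parse_ipv4_lenient(in[i], &l);
        printf("%-16s strict=%d lenient=%d (0x%08x)\n", in[i], sok, lok, (unsigned)l);
    }
    return 0;
}
```

A component that validates the string as decimal and another that resolves it through the lenient call end up with two different addresses for the same input, which is why rejecting it at the boundary is the safer choice.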