openssh-7.6 bug: PermitOpen
Damien Miller
djm at mindrot.org
Thu Oct 5 05:56:54 AEDT 2017
Hi,
Shortly after completing the OpenSSH 7.6 release, I spotted a bug in
sshd_config's PermitOpen directive: it ignores arguments beyond the
second one. I'm pretty annoyed with myself for introducing it and
for not catching it before release, but fortunately it only affects
7.6 and fails closed, so it doesn't introduce a vulnerability.
Below is a fix for distributors who package OpenSSH; I've also committed
this to the V_7_6 branch (7c9613fac337).
diff --git a/servconf.c b/servconf.c
index 2c321a4a..95686295 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.312 2017/10/02 19:33:20 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.313 2017/10/04 18:49:30 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -1663,9 +1663,9 @@ process_server_config_line(ServerOptions *options, char *line,
if (!arg || *arg == '\0')
fatal("%s line %d: missing PermitOpen specification",
filename, linenum);
- i = options->num_permitted_opens; /* modified later */
+ value = options->num_permitted_opens; /* modified later */
if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
- if (*activep && i == 0) {
+ if (*activep && value == 0) {
options->num_permitted_opens = 1;
options->permitted_opens = xcalloc(1,
sizeof(*options->permitted_opens));
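Review bot: the `/* modified later */` comment on the `value = options->num_permitted_opens;` line is left unchanged by the rename and no longer tells the reader why `i` was dropped; since the whole bug was that the saved count shared a variable with something assigned later in this case (which is how the third and later arguments got lost), the comment should state that explicitly, e.g. `/* saved here; i is reused further down, keep this separate */`, so a later cleanup does not fold `value` back into `i`. It is also worth checking that `value` is not itself assigned anywhere else in the PermitOpen case before the two `value == 0` tests, or the same aliasing bug returns under a new name.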
@@ -1683,7 +1683,7 @@ process_server_config_line(ServerOptions *options, char *line,
if (arg == NULL || ((port = permitopen_port(arg)) < 0))
fatal("%s line %d: bad port number in "
"PermitOpen", filename, linenum);
- if (*activep && i == 0) {
+ if (*activep && value == 0) {
options->permitted_opens = xrecallocarray(
options->permitted_opens,
options->num_permitted_opens,
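Review bot: the hunk stops inside the xrecallocarray() call, so the append path that follows the `value == 0` check cannot be reviewed from this excerpt; given that the reported symptom was arguments beyond the second being silently dropped rather than rejected with a config error, this fix should come with a regress test that loads a config containing a PermitOpen line with three or more host:port entries and verifies (for example via `sshd -T`) that every entry is echoed back, so a recurrence is caught at test time instead of after release.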