openssh-7.6 bug: PermitOpen

Damien Miller djm at mindrot.org
Thu Oct 5 05:56:54 AEDT 2017


Hi,

Shortly after completing the OpenSSH 7.6 release, I spotted a bug in
sshd_config's PermitOpen directive: it ignores arguments beyond the
second one. I'm pretty annoyed with myself for introducing it and
for not catching it before release, but fortunately it only affects
7.6 and fails closed, so it doesn't introduce a vulnerability.

Below is a fix for distributors who package OpenSSH; I've also committed
this to the V_7_6 branch (7c9613fac337).

diff --git a/servconf.c b/servconf.c
index 2c321a4a..95686295 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.312 2017/10/02 19:33:20 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.313 2017/10/04 18:49:30 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -1663,9 +1663,9 @@ process_server_config_line(ServerOptions *options, char *line,
 		if (!arg || *arg == '\0')
 			fatal("%s line %d: missing PermitOpen specification",
 			    filename, linenum);
-		i = options->num_permitted_opens;	/* modified later */
+		value = options->num_permitted_opens;	/* modified later */
 		if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
-			if (*activep && i == 0) {
+			if (*activep && value == 0) {
 				options->num_permitted_opens = 1;
 				options->permitted_opens = xcalloc(1,
 				    sizeof(*options->permitted_opens));
@@ -1683,7 +1683,7 @@ process_server_config_line(ServerOptions *options, char *line,
 			if (arg == NULL || ((port = permitopen_port(arg)) < 0))
 				fatal("%s line %d: bad port number in "
 				    "PermitOpen", filename, linenum);
-			if (*activep && i == 0) {
+			if (*activep && value == 0) {
 				options->permitted_opens = xrecallocarray(
 				    options->permitted_opens,
 				    options->num_permitted_opens,
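Review bot: this hunk applies the same `i == 0` to `value == 0` change in the per-host:port branch, so the two reset conditions now agree; because the case body continues past the end of the hunk (the `xrecallocarray(` call is cut off after `options->num_permitted_opens,`) and the argument loop itself is not shown, suggest grepping the remainder of the PermitOpen case for any leftover reads of `i` as the saved count, otherwise one branch would reset the list while the other would not.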



More information about the openssh-unix-dev mailing list