- djm@cvs.openbsd.org 2009/02/12 03:16:01
[serverloop.c]
tighten check for -R0:... forwarding: only allow dynamic allocation
if want_reply is set in the packet
diff --git a/ChangeLog b/ChangeLog
index d8f8f26..e296e04 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,10 @@
support remote port forwarding with a zero listen port (-R0:...) to
dyamically allocate a listen port at runtime (this is actually
specified in rfc4254); bz#1003 ok markus@
+ - djm@cvs.openbsd.org 2009/02/12 03:16:01
+ [serverloop.c]
+ tighten check for -R0:... forwarding: only allow dynamic allocation
+ if want_reply is set in the packet
20090212
- (djm) [sshpty.c] bz#1419: OSX uses cloning ptys that automagically
@@ -5136,5 +5140,5 @@
OpenServer 6 and add osr5bigcrypt support so when someone migrates
passwords between UnixWare and OpenServer they will still work. OK dtucker@
-$Id: ChangeLog,v 1.5187 2009/02/14 05:28:21 djm Exp $
+$Id: ChangeLog,v 1.5188 2009/02/14 05:33:09 djm Exp $
diff --git a/serverloop.c b/serverloop.c
index 6244ad7..81cafe6 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.156 2009/02/12 03:00:56 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.157 2009/02/12 03:16:01 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1117,10 +1117,10 @@
/* check permissions */
if (!options.allow_tcp_forwarding ||
- no_port_forwarding_flag
+ no_port_forwarding_flag ||
+ (!want_reply && listen_port == 0)
#ifndef NO_IPPORT_RESERVED_CONCEPT
- || (listen_port != 0 &&
- listen_port < IPPORT_RESERVED && pw->pw_uid != 0)
+ || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)
#endif
) {
success = 0;
@@ -1128,7 +1128,8 @@
} else {
/* Start listening on the port */
success = channel_setup_remote_fwd_listener(
- listen_address, listen_port, options.gateway_ports);
+ listen_address, listen_port,
+ &allocated_listen_port, options.gateway_ports);
}
xfree(listen_address);
} else if (strcmp(rtype, "cancel-tcpip-forward") == 0) {