diff --git a/ChangeLog b/ChangeLog
index d8f8f2610..e296e0441 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,10 @@
 support remote port forwarding with a zero listen port (-R0:...) to dyamically allocate a listen port at runtime (this is actually specified in rfc4254); bz#1003 ok markus@
+ - djm@cvs.openbsd.org 2009/02/12 03:16:01
+ [serverloop.c]
+ tighten check for -R0:... forwarding: only allow dynamic allocation
+ if want_reply is set in the packet
 20090212
 - (djm) [sshpty.c] bz#1419: OSX uses cloning ptys that automagically
@@ -5136,5 +5140,5 @@
 OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@
-$Id: ChangeLog,v 1.5187 2009/02/14 05:28:21 djm Exp $
+$Id: ChangeLog,v 1.5188 2009/02/14 05:33:09 djm Exp $
diff --git a/serverloop.c b/serverloop.c
index 6244ad71c..81cafe6ad 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.156 2009/02/12 03:00:56 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.157 2009/02/12 03:16:01 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -1117,10 +1117,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
 /* check permissions */
 if (!options.allow_tcp_forwarding ||
- no_port_forwarding_flag
+ no_port_forwarding_flag ||
+ (!want_reply && listen_port == 0)
 #ifndef NO_IPPORT_RESERVED_CONCEPT
- || (listen_port != 0 &&
- listen_port < IPPORT_RESERVED && pw->pw_uid != 0)
+ || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)
 #endif
 ) {
 success = 0;
@@ -1128,7 +1128,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
 } else {
 /* Start listening on the port */
 success = channel_setup_remote_fwd_listener(
- listen_address, listen_port, options.gateway_ports);
+ listen_address, listen_port,
+ &allocated_listen_port, options.gateway_ports);
 }
 xfree(listen_address);
 } else if (strcmp(rtype, "cancel-tcpip-forward") == 0) {
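Review bot: In the `#ifndef NO_IPPORT_RESERVED_CONCEPT` branch of the `@@ -1117,10 +1117,10 @@` hunk, dropping `listen_port != 0 &&` means a zero listen port now also satisfies `listen_port < IPPORT_RESERVED` (assuming that constant is positive). Every non-root user is therefore refused the -R0:... dynamic allocation that the ChangeLog entry says should be allowed when want_reply is set. The check fails closed, so nothing is over-permitted, but it looks like a merge slip and I would keep the guard: `|| (listen_port != 0 && listen_port < IPPORT_RESERVED && pw->pw_uid != 0)`. The new `(!want_reply && listen_port == 0)` clause would also read better with a short comment, for example `/* port 0 is only useful if the allocated port can be reported back */`. server_input_global_request starts and ends outside this hunk.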
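Review bot: In the `@@ -1128,7 +1128,8 @@` hunk, `allocated_listen_port` is handed to channel_setup_remote_fwd_listener() by address, but its declaration, initialisation and later use are all outside the hunk. It is therefore not visible whether it holds a defined value when the call fails, or when a fixed non-zero port was requested. If it is not already initialised at its declaration, I would set it to 0 there and have the reply path include it only when `success && listen_port == 0`. The ChangeLog entry for this commit describes only the permission check, so this change to the call's argument list is not explained by it.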