tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-25 23:05:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

upstream commit

Browse Source 
Return true reason for port forwarding failures where
feasible rather than always "administratively prohibited".  bz#2674, ok djm@

Upstream-ID: d901d9887951774e604ca970e1827afaaef9e419
This commit is contained in:
dtucker@openbsd.org 2017-02-01 02:59:09 +00:00 committed by Darren Tucker
parent 6ba9f89383
commit 858252fb1d
3 changed files with 39 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
channels.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: channels.c,v 1.356 2016/10/18 17:32:54 dtucker Exp $ */ /* $OpenBSD: channels.c,v 1.357 2017/02/01 02:59:09 dtucker Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -3065,7 +3065,7 @@ channel_input_port_open(int type, u_int32_t seq, void *ctxt)
} }
packet_check_eom(); packet_check_eom();
c = channel_connect_to_port(host, host_port, c = channel_connect_to_port(host, host_port,
"connected socket", originator_string); "connected socket", originator_string, NULL, NULL);
free(originator_string); free(originator_string);
free(host); free(host);
if (c == NULL) { if (c == NULL) {
@ -4026,9 +4026,13 @@ channel_connect_ctx_free(struct channel_connect *cctx)
memset(cctx, 0, sizeof(*cctx)); memset(cctx, 0, sizeof(*cctx));
} }
/* Return CONNECTING channel to remote host:port or local socket path */ /*
* Return CONNECTING channel to remote host:port or local socket path,
* passing back the failure reason if appropriate.
*/
static Channel * static Channel *
connect_to(const char *name, int port, char *ctype, char *rname) connect_to_reason(const char *name, int port, char *ctype, char *rname,
int *reason, const char **errmsg)
{ {
struct addrinfo hints; struct addrinfo hints;
int gaierr; int gaierr;
@ -4069,7 +4073,12 @@ connect_to(const char *name, int port, char *ctype, char *rname)
hints.ai_family = IPv4or6; hints.ai_family = IPv4or6;
hints.ai_socktype = SOCK_STREAM; hints.ai_socktype = SOCK_STREAM;
snprintf(strport, sizeof strport, "%d", port); snprintf(strport, sizeof strport, "%d", port);
if ((gaierr = getaddrinfo(name, strport, &hints, &cctx.aitop)) != 0) { if ((gaierr = getaddrinfo(name, strport, &hints, &cctx.aitop))
!= 0) {
if (errmsg != NULL)
*errmsg = ssh_gai_strerror(gaierr);
if (reason != NULL)
*reason = SSH2_OPEN_CONNECT_FAILED;
error("connect_to %.100s: unknown host (%s)", name, error("connect_to %.100s: unknown host (%s)", name,
ssh_gai_strerror(gaierr)); ssh_gai_strerror(gaierr));
return NULL; return NULL;
@ -4092,6 +4101,13 @@ connect_to(const char *name, int port, char *ctype, char *rname)
return c; return c;
} }
/* Return CONNECTING channel to remote host:port or local socket path */
static Channel *
connect_to(const char *name, int port, char *ctype, char *rname)
{
return connect_to_reason(name, port, ctype, rname, NULL, NULL);
}
/* /*
* returns either the newly connected channel or the downstream channel * returns either the newly connected channel or the downstream channel
* that needs to deal with this connection. * that needs to deal with this connection.
@ -4136,7 +4152,8 @@ channel_connect_by_listen_path(const char *path, char *ctype, char *rname)
/* Check if connecting to that port is permitted and connect. */ /* Check if connecting to that port is permitted and connect. */
Channel * Channel *
channel_connect_to_port(const char *host, u_short port, char *ctype, char *rname) channel_connect_to_port(const char *host, u_short port, char *ctype,
char *rname, int *reason, const char **errmsg)
{ {
int i, permit, permit_adm = 1; int i, permit, permit_adm = 1;
@ -4161,9 +4178,11 @@ channel_connect_to_port(const char *host, u_short port, char *ctype, char *rname
if (!permit || !permit_adm) { if (!permit || !permit_adm) {
logit("Received request to connect to host %.100s port %d, " logit("Received request to connect to host %.100s port %d, "
"but the request was denied.", host, port); "but the request was denied.", host, port);
if (reason != NULL)
*reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;
return NULL; return NULL;
} }
return connect_to(host, port, ctype, rname); return connect_to_reason(host, port, ctype, rname, reason, errmsg);
} }
/* Check if connecting to that path is permitted and connect. */ /* Check if connecting to that path is permitted and connect. */

5
channels.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: channels.h,v 1.120 2016/10/18 17:32:54 dtucker Exp $ */ /* $OpenBSD: channels.h,v 1.121 2017/02/01 02:59:09 dtucker Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -275,7 +275,8 @@ void channel_update_permitted_opens(int, int);
void channel_clear_permitted_opens(void); void channel_clear_permitted_opens(void);
void channel_clear_adm_permitted_opens(void); void channel_clear_adm_permitted_opens(void);
void channel_print_adm_permitted_opens(void); void channel_print_adm_permitted_opens(void);
Channel *channel_connect_to_port(const char *, u_short, char *, char *); Channel *channel_connect_to_port(const char *, u_short, char *, char *, int *,
const char **);
Channel *channel_connect_to_path(const char *, char *, char *); Channel *channel_connect_to_path(const char *, char *, char *);
Channel *channel_connect_stdio_fwd(const char*, u_short, int, int); Channel *channel_connect_stdio_fwd(const char*, u_short, int, int);
Channel *channel_connect_by_listen_address(const char *, u_short, Channel *channel_connect_by_listen_address(const char *, u_short,

17
serverloop.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: serverloop.c,v 1.190 2017/01/04 05:37:40 djm Exp $ */ /* $OpenBSD: serverloop.c,v 1.191 2017/02/01 02:59:09 dtucker Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -430,7 +430,7 @@ server_input_keep_alive(int type, u_int32_t seq, void *ctxt)
} }
static Channel * static Channel *
server_request_direct_tcpip(void) server_request_direct_tcpip(int *reason, const char **errmsg)
{ {
Channel *c = NULL; Channel *c = NULL;
char *target, *originator; char *target, *originator;
@ -449,11 +449,13 @@ server_request_direct_tcpip(void)
if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 && if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
!no_port_forwarding_flag && !options.disable_forwarding) { !no_port_forwarding_flag && !options.disable_forwarding) {
c = channel_connect_to_port(target, target_port, c = channel_connect_to_port(target, target_port,
"direct-tcpip", "direct-tcpip"); "direct-tcpip", "direct-tcpip", reason, errmsg);
} else { } else {
logit("refused local port forward: " logit("refused local port forward: "
"originator %s port %d, target %s port %d", "originator %s port %d, target %s port %d",
originator, originator_port, target, target_port); originator, originator_port, target, target_port);
if (reason != NULL)
*reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;
} }
free(originator); free(originator);
@ -581,7 +583,8 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt)
{ {
Channel *c = NULL; Channel *c = NULL;
char *ctype; char *ctype;
int rchan; const char *errmsg = NULL;
int rchan, reason = SSH2_OPEN_CONNECT_FAILED;
u_int rmaxpack, rwindow, len; u_int rmaxpack, rwindow, len;
ctype = packet_get_string(&len); ctype = packet_get_string(&len);
@ -595,7 +598,7 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt)
if (strcmp(ctype, "session") == 0) { if (strcmp(ctype, "session") == 0) {
c = server_request_session(); c = server_request_session();
} else if (strcmp(ctype, "direct-tcpip") == 0) { } else if (strcmp(ctype, "direct-tcpip") == 0) {
c = server_request_direct_tcpip(); c = server_request_direct_tcpip(&reason, &errmsg);
} else if (strcmp(ctype, "direct-streamlocal@openssh.com") == 0) { } else if (strcmp(ctype, "direct-streamlocal@openssh.com") == 0) {
c = server_request_direct_streamlocal(); c = server_request_direct_streamlocal();
} else if (strcmp(ctype, "tun@openssh.com") == 0) { } else if (strcmp(ctype, "tun@openssh.com") == 0) {
@ -618,9 +621,9 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt)
debug("server_input_channel_open: failure %s", ctype); debug("server_input_channel_open: failure %s", ctype);
packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE);
packet_put_int(rchan); packet_put_int(rchan);
packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED); packet_put_int(reason);
if (!(datafellows & SSH_BUG_OPENFAILURE)) { if (!(datafellows & SSH_BUG_OPENFAILURE)) {
packet_put_cstring("open failed"); packet_put_cstring(errmsg ? errmsg : "open failed");
packet_put_cstring(""); packet_put_cstring("");
} }
packet_send(); packet_send();