

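--- a/openssh-5.0p1/channels.c~
+++ b/openssh-5.0p1/channels.c~
@@ -1028,7 +1028,7 @@ static int
 channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset)
 {
 	char *p, *host;
-	u_int len, have, i, found;
+	u_int len, have, i, found, need;
 	char username[256];
 	struct {
 		u_int8_t version;
@@ -1044,10 +1044,20 @@ channel_decode_socks4(Channel *c, fd_set
 	if (have < len)
 		return 0;
 	p = buffer_ptr(&c->input);
+
+	need = 1;
+	/* SOCKS4A uses an invalid IP address 0.0.0.x */
+	if (!p[4] && !p[5] && !p[6] && p[7]) {
+		debug2("channel %d: socks4a request", c->self);
+		/* ... and needs an extra string (the hostname) */
+		need = 2;
+	}
+	/* Check for terminating NUL on the string(s) */
 	for (found = 0, i = len; i < have; i++) {
 		if (p[i] == '\0') {
-			found = 1;
-			break;
+			found++;
+			if (found == need)
+				break;
 		}
 		if (i > 1024) {
 			/* the peer is probably sending garbage */
@@ -1056,7 +1066,7 @@ channel_decode_socks4(Channel *c, fd_set
 			return -1;
 		}
 	}
-	if (!found)
+	if (found < need)
 		return 0;
 	buffer_get(&c->input, (char *)&s4_req.version, 1);
 	buffer_get(&c->input, (char *)&s4_req.command, 1);
@@ -1066,19 +1076,33 @@ channel_decode_socks4(Channel *c, fd_set
 	p = buffer_ptr(&c->input);
 	len = strlen(p);
 	debug2("channel %d: decode socks4: user %s/%d", c->self, p, len);
+	len++;					/* trailing '\0' */
 	if (len > have)
 		fatal("channel %d: decode socks4: len %d > have %d",
 		    c->self, len, have);
 	strlcpy(username, p, sizeof(username));
 	buffer_consume(&c->input, len);
-	buffer_consume(&c->input, 1);		/* trailing '\0' */
 
-	host = inet_ntoa(s4_req.dest_addr);
-	strlcpy(c->path, host, sizeof(c->path));
+	if (need == 1) {			/* SOCKS4: one string */
+		host = inet_ntoa(s4_req.dest_addr);
+		strlcpy(c->path, host, sizeof(c->path));
+	} else {				/* SOCKS4A: two strings */
+		have = buffer_len(&c->input);
+		p = buffer_ptr(&c->input);
+		len = strlen(p);
+		debug2("channel %d: decode socks4a: host %s/%d", c->self, p,
+		       len);
+		len++;				/* trailing '\0' */
+		if (len > have)
+			fatal("channel %d: decode socks4a: len %d > have %d",
+			      c->self, len, have);
+		strlcpy(c->path, p, sizeof(c->path));
+		buffer_consume(&c->input, len);
+	}
 	c->host_port = ntohs(s4_req.dest_port);
 
 	debug2("channel %d: dynamic request: socks4 host %s port %u command %u",
-	    c->self, host, c->host_port, s4_req.command);
+	    c->self, c->path, c->host_port, s4_req.command);
 
 	if (s4_req.command != 1) {
 		debug("channel %d: cannot handle: socks4 cn %d",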
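Review bot: In the SOCKS4A branch of the last hunk the peer-supplied hostname is copied with `strlcpy(c->path, p, sizeof(c->path))` and the return value is ignored, so a name longer than `c->path` is silently truncated and the forward would then be requested for a different name than the client sent. The NUL scan in the second hunk only gives up once `i > 1024`, so the hostname can be far longer than a legal DNS name; the size of `c->path` is not visible in these hunks and should be checked against that bound. I would reject the request rather than truncate, e.g. `if (strlcpy(c->path, p, sizeof(c->path)) >= sizeof(c->path)) return -1;`, preceded by an `error()` line naming the channel. The body of channel_decode_socks4 continues past the end of the last hunk, so the later use of `c->path` was not reviewed.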
