Attachment #2615 for bug #2393

View | Details | Raw Unified | Return to bug 2393
Collapse All | Expand All




	case SSH_CHANNEL_LARVAL:
	case SSH_CHANNEL_CONNECTING:
	case SSH_CHANNEL_DYNAMIC:
	case SSH_CHANNEL_RDYNAMIC:
	case SSH_CHANNEL_OPENING:
	case SSH_CHANNEL_OPEN:
	case SSH_CHANNEL_INPUT_DRAINING:

			continue;
		case SSH_CHANNEL_OPENING:
		case SSH_CHANNEL_OPEN:
		case SSH_CHANNEL_RDYNAMIC:
		case SSH_CHANNEL_X11_OPEN:
		case SSH_CHANNEL_MUX_CLIENT:
			return 1;

		case SSH_CHANNEL_LARVAL:
		case SSH_CHANNEL_AUTH_SOCKET:
		case SSH_CHANNEL_OPEN:
		case SSH_CHANNEL_RDYNAMIC:
		case SSH_CHANNEL_X11_OPEN:
			return i;
		case SSH_CHANNEL_INPUT_DRAINING:

		case SSH_CHANNEL_OPENING:
		case SSH_CHANNEL_CONNECTING:
		case SSH_CHANNEL_DYNAMIC:
		case SSH_CHANNEL_RDYNAMIC:
		case SSH_CHANNEL_OPEN:
		case SSH_CHANNEL_X11_OPEN:
		case SSH_CHANNEL_INPUT_DRAINING:

/* try to decode a socks4 header */
/* ARGSUSED */
static int
channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset,
	Buffer * input, Buffer * output)
{
	char *p, *host;
	u_int len, have, i, found, need;


	debug2("channel %d: decode socks4", c->self);

	have = buffer_len(input);
	len = sizeof(s4_req);
	if (have < len)
		return 0;
	p = (char *)buffer_ptr(input);

	need = 1;
	/* SOCKS4A uses an invalid IP address 0.0.0.x */

	}
	if (found < need)
		return 0;
	buffer_get(input, (char *)&s4_req.version, 1);
	buffer_get(input, (char *)&s4_req.command, 1);
	buffer_get(input, (char *)&s4_req.dest_port, 2);
	buffer_get(input, (char *)&s4_req.dest_addr, 4);
	have = buffer_len(input);
	p = (char *)buffer_ptr(input);
	if (memchr(p, '\0', have) == NULL) {
		error("channel %d: decode socks4: user not nul terminated",
		    c->self);
		return -1;
	}
	len = strlen(p);
	debug2("channel %d: decode socks4: user %s/%d", c->self, p, len);
	len++;					/* trailing '\0' */
	if (len > have) {
		error("channel %d: decode socks4: len %d > have %d",
		    c->self, len, have);
		return -1;
	}
	strlcpy(username, p, sizeof(username));
	buffer_consume(input, len);

	free(c->path);
	c->path = NULL;

		host = inet_ntoa(s4_req.dest_addr);
		c->path = xstrdup(host);
	} else {				/* SOCKS4A: two strings */
		have = buffer_len(input);
		p = (char *)buffer_ptr(input);
		len = strlen(p);
		debug2("channel %d: decode socks4a: host %s/%d",
		    c->self, p, len);
		len++;				/* trailing '\0' */
		if (len > have) {
			error("channel %d: decode socks4a: len %d > have %d",
			    c->self, len, have);
			return -1;
		}
		if (len > NI_MAXHOST) {
			error("channel %d: hostname \"%.100s\" too long",
			    c->self, p);
			return -1;
		}
		c->path = xstrdup(p);
		buffer_consume(input, len);
	}
	c->host_port = ntohs(s4_req.dest_port);


	s4_rsp.command = 90;			/* cd: req granted */
	s4_rsp.dest_port = 0;			/* ignored */
	s4_rsp.dest_addr.s_addr = INADDR_ANY;	/* ignored */
	buffer_append(output, &s4_rsp, sizeof(s4_rsp));
	return 1;
}



/* ARGSUSED */
static int
channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset,
	Buffer * input, Buffer * output)
{
	struct {
		u_int8_t version;

	u_int have, need, i, found, nmethods, addrlen, af;

	debug2("channel %d: decode socks5", c->self);
	p = buffer_ptr(input);
	if (p[0] != 0x05)
		return -1;
	have = buffer_len(input);
	if (!(c->flags & SSH_SOCKS5_AUTHDONE)) {
		/* format: ver | nmethods | methods */
		if (have < 2)

			    c->self);
			return -1;
		}
		buffer_consume(input, nmethods + 2);
		buffer_put_char(output, 0x05);		/* version */
		buffer_put_char(output, SSH_SOCKS5_NOAUTH);	/* method */

		if (c->type == SSH_CHANNEL_DYNAMIC)
			FD_SET(c->sock, writeset);

		c->flags |= SSH_SOCKS5_AUTHDONE;
		debug2("channel %d: socks5 auth done", c->self);
		return 0;				/* need more */

		need++;
	if (have < need)
		return 0;
	buffer_consume(input, sizeof(s5_req));
	if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
		buffer_consume(input, 1);    /* host string length */
	buffer_get(input, &dest_addr, addrlen);
	buffer_get(input, (char *)&dest_port, 2);
	dest_addr[addrlen] = '\0';
	free(c->path);
	c->path = NULL;

	s5_rsp.atyp = SSH_SOCKS5_IPV4;
	dest_port = 0;				/* ignored */

	buffer_append(output, &s5_rsp, sizeof(s5_rsp));
	buffer_put_int(output, ntohl(INADDR_ANY)); /* bind address */
	buffer_append(output, &dest_port, sizeof(dest_port));
	return 1;
}


{
	u_char *p;
	u_int have;
	int ret, gaierr, sock = -1;
	char strport[NI_MAXSERV];
	Buffer * inbuf, * outbuf;
	struct addrinfo hints;
	struct channel_connect cctx;

	if (c->type == SSH_CHANNEL_DYNAMIC) {
		inbuf = &c->input;
		outbuf = &c->output;
	} else if (c->type == SSH_CHANNEL_RDYNAMIC) {
		inbuf = &c->output;
		outbuf = &c->input;
	} else {
		fatal("cannot happen");
	}

	have = buffer_len(inbuf);
	debug2("channel %d: pre_dynamic: have %d", c->self, have);
	/* buffer_dump(&c->input); */
	/* check if the fixed size part of the packet is in buffer. */
	if (have < 3) {
		/* need more */
		if (c->type == SSH_CHANNEL_DYNAMIC)
			FD_SET(c->sock, readset);

		return;
	}
	/* try to guess the protocol */
	p = buffer_ptr(inbuf);
	switch (p[0]) {
	case 0x04:
		ret = channel_decode_socks4(c, readset, writeset, inbuf, outbuf);
		break;
	case 0x05:
		ret = channel_decode_socks5(c, readset, writeset, inbuf, outbuf);
		break;
	default:
		ret = -1;
		break;
	}
	if (ret < 0) {
		if (c->type == SSH_CHANNEL_DYNAMIC)
			chan_mark_dead(c);
		else {
			close(c->sock);
			c->sock = c->rfd = c->wfd = c->efd = -1;
			buffer_clear(&c->input);
			buffer_clear(&c->output);
			if (compat20)
				packet_start(SSH2_MSG_CHANNEL_CLOSE);
			else
				packet_start(SSH_MSG_CHANNEL_CLOSE);
			packet_put_int(c->remote_id);
			packet_send();
			c->flags |= CHAN_CLOSE_SENT;
			c->type = SSH_CHANNEL_ABANDONED;
		}
	} else if (ret == 0) {
		debug2("channel %d: pre_dynamic: need more", c->self);
		/* need more */
		if (c->type == SSH_CHANNEL_DYNAMIC)
			FD_SET(c->sock, readset);
	} else {
		if (c->type == SSH_CHANNEL_DYNAMIC) {
			/* switch to the next state */
			c->type = SSH_CHANNEL_OPENING;
			port_open_helper(c, "direct-tcpip");
		} else {
			close(c->sock);
			c->sock = c->rfd = c->wfd = c->efd = -1;
			memset(&hints, 0, sizeof(hints));
			hints.ai_family = IPv4or6;
			hints.ai_socktype = SOCK_STREAM;
			snprintf(strport, sizeof strport, "%d", c->host_port);
			if ((gaierr = getaddrinfo(c->path, strport, &hints, &cctx.aitop)) != 0) {
				error("channel_pre_dynamic %.100s: unknown host (%s)", c->path,
					ssh_gai_strerror(gaierr));
				buffer_clear(&c->input);
				buffer_clear(&c->output);
				if (compat20)
					packet_start(SSH2_MSG_CHANNEL_CLOSE);
				else
					packet_start(SSH_MSG_CHANNEL_CLOSE);
				packet_put_int(c->remote_id);
				packet_send();
				c->flags |= CHAN_CLOSE_SENT;
				c->type = SSH_CHANNEL_ABANDONED;
				return;
			}

			cctx.host = xstrdup(c->path);
			cctx.port = c->host_port;
			cctx.ai = cctx.aitop;

			if ((sock = connect_next(&cctx)) == -1) {
				error("connect to %.100s port %d failed: %s",
					c->path, c->host_port, strerror(errno));
				channel_connect_ctx_free(&cctx);
				buffer_clear(&c->input);
				buffer_clear(&c->output);
				if (compat20)
					packet_start(SSH2_MSG_CHANNEL_CLOSE);
				else
					packet_start(SSH_MSG_CHANNEL_CLOSE);
				packet_put_int(c->remote_id);
				packet_send();
				c->flags |= CHAN_CLOSE_SENT;
				c->type = SSH_CHANNEL_ABANDONED;
				return;
			}

			c->type = SSH_CHANNEL_CONNECTING;
			c->connect_ctx = cctx;
			c->rfd = sock;
			c->wfd = sock;
			c->flags |= CHAN_RD_ACKD;
			channel_register_fds(c, c->rfd, c->wfd, c->efd, 0, 1, 0);
			FD_SET(c->sock, writeset);
		}
	}
}


static void
channel_post_connecting(Channel *c, fd_set *readset, fd_set *writeset)
{
	int err = 0, sock, ackd = 0;
	socklen_t sz = sizeof(err);

	if (FD_ISSET(c->sock, writeset)) {

			    c->self, c->connect_ctx.host, c->connect_ctx.port);
			channel_connect_ctx_free(&c->connect_ctx);
			c->type = SSH_CHANNEL_OPEN;
			if (c->flags & CHAN_RD_ACKD) {
				ackd = 1;
				c->flags &= ~CHAN_RD_ACKD;
				packet_put_int(c->self);
				packet_put_int(c->local_window);
				packet_put_int(c->local_maxpacket);
			} else {
				if (compat20) {
					packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
					packet_put_int(c->remote_id);
					packet_put_int(c->self);
					packet_put_int(c->local_window);
					packet_put_int(c->local_maxpacket);
				} else {
					packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
					packet_put_int(c->remote_id);
					packet_put_int(c->self);
				}
			}
		} else {
			debug("channel %d: connection failed: %s",

			error("connect_to %.100s port %d: failed.",
			    c->connect_ctx.host, c->connect_ctx.port);
			channel_connect_ctx_free(&c->connect_ctx);
			if (c->flags & CHAN_RD_ACKD) {
				ackd = 1;
				c->flags &= ~CHAN_RD_ACKD;
				close(c->sock);
				c->sock = c->rfd = c->wfd = c->efd = -1;
				buffer_clear(&c->input);
				buffer_clear(&c->output);
				if (compat20)
					packet_start(SSH2_MSG_CHANNEL_CLOSE);
				else
					packet_start(SSH_MSG_CHANNEL_CLOSE);
				packet_put_int(c->remote_id);
				packet_send();
				c->flags |= CHAN_CLOSE_SENT;
				c->type = SSH_CHANNEL_ABANDONED;
					packet_put_cstring("");
				}
			} else {
				if (compat20) {
					packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE);
					packet_put_int(c->remote_id);
					packet_put_int(SSH2_OPEN_CONNECT_FAILED);
					if (!(datafellows & SSH_BUG_OPENFAILURE)) {
						packet_put_cstring(strerror(err));
						packet_put_cstring("");
					}
				} else {
					packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
					packet_put_int(c->remote_id);
				}
			}
			if (!ackd)
				chan_mark_dead(c);
		}

		if (!ackd)
			packet_send();
	}
}

static void
channel_post_rdynamic(Channel *c, fd_set *readset, fd_set *writeset)
{
	if (c->sock != -1) {
		FD_SET(c->sock, readset);
		FD_SET(c->sock, writeset);
	}
}


	channel_pre[SSH_CHANNEL_AUTH_SOCKET] =		&channel_pre_listener;
	channel_pre[SSH_CHANNEL_CONNECTING] =		&channel_pre_connecting;
	channel_pre[SSH_CHANNEL_DYNAMIC] =		&channel_pre_dynamic;
	channel_pre[SSH_CHANNEL_RDYNAMIC] =			&channel_pre_dynamic;
	channel_pre[SSH_CHANNEL_MUX_LISTENER] =		&channel_pre_listener;
	channel_pre[SSH_CHANNEL_MUX_CLIENT] =		&channel_pre_mux_client;


	channel_post[SSH_CHANNEL_AUTH_SOCKET] =		&channel_post_auth_listener;
	channel_post[SSH_CHANNEL_CONNECTING] =		&channel_post_connecting;
	channel_post[SSH_CHANNEL_DYNAMIC] =		&channel_post_open;
	channel_post[SSH_CHANNEL_RDYNAMIC] =		&channel_post_rdynamic;
	channel_post[SSH_CHANNEL_MUX_LISTENER] =	&channel_post_mux_listener;
	channel_post[SSH_CHANNEL_MUX_CLIENT] =		&channel_post_mux_client;
}

	channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] =	&channel_pre_output_draining;
	channel_pre[SSH_CHANNEL_CONNECTING] =		&channel_pre_connecting;
	channel_pre[SSH_CHANNEL_DYNAMIC] =		&channel_pre_dynamic;
	channel_pre[SSH_CHANNEL_RDYNAMIC] =			&channel_pre_dynamic;

	channel_post[SSH_CHANNEL_OPEN] =		&channel_post_open;
	channel_post[SSH_CHANNEL_X11_LISTENER] =	&channel_post_x11_listener;

	channel_post[SSH_CHANNEL_OUTPUT_DRAINING] =	&channel_post_output_drain_13;
	channel_post[SSH_CHANNEL_CONNECTING] =		&channel_post_connecting;
	channel_post[SSH_CHANNEL_DYNAMIC] =		&channel_post_open;
	channel_post[SSH_CHANNEL_RDYNAMIC] =		&channel_post_rdynamic;
}

static void

	channel_pre[SSH_CHANNEL_AUTH_SOCKET] =		&channel_pre_listener;
	channel_pre[SSH_CHANNEL_CONNECTING] =		&channel_pre_connecting;
	channel_pre[SSH_CHANNEL_DYNAMIC] =		&channel_pre_dynamic;
	channel_pre[SSH_CHANNEL_RDYNAMIC] =			&channel_pre_dynamic;

	channel_post[SSH_CHANNEL_X11_LISTENER] =	&channel_post_x11_listener;
	channel_post[SSH_CHANNEL_PORT_LISTENER] =	&channel_post_port_listener;

	channel_post[SSH_CHANNEL_OPEN] =		&channel_post_open;
	channel_post[SSH_CHANNEL_CONNECTING] =		&channel_post_connecting;
	channel_post[SSH_CHANNEL_DYNAMIC] =		&channel_post_open;
	channel_post[SSH_CHANNEL_RDYNAMIC] =		&channel_post_rdynamic;
}

static void

		 */
		if (compat13) {
			if (c->type != SSH_CHANNEL_OPEN &&
			    c->type != SSH_CHANNEL_INPUT_DRAINING &&
				c->type != SSH_CHANNEL_RDYNAMIC)
				continue;
		} else {
			if (c->type != SSH_CHANNEL_OPEN &&
				c->type != SSH_CHANNEL_RDYNAMIC)
				continue;
		}
		if (compat20 &&


	/* Ignore any data for non-open channels (might happen on close) */
	if (c->type != SSH_CHANNEL_OPEN &&
	    c->type != SSH_CHANNEL_X11_OPEN &&
		c->type != SSH_CHANNEL_RDYNAMIC)
		return 0;

	/* Get the data. */

		return 0;
	if (allowed_open->listen_port != requestedport)
		return 0;
	if (allowed_open->port_to_connect == 0 &&
		strcmp("socks", allowed_open->host_to_connect)==0 &&
		allowed_open->listen_port == requestedport)
		return 1;
	if (!translate && allowed_open->listen_host == NULL &&
	    requestedhost == NULL)
		return 1;


	memset(&cctx, 0, sizeof(cctx));

	if (port == 0) {
		sock = socket(AF_INET, SOCK_STREAM, 0);
		c = channel_new(ctype, SSH_CHANNEL_RDYNAMIC, sock, sock, -1,
		CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
		return c;
	} else if (port == PORT_STREAMLOCAL) {
		struct sockaddr_un *sunaddr;
		struct addrinfo *ai;


Lines 58-64 Link Here

(-)a/channels.h (-1 / +3 lines)
58	#define SSH_CHANNEL_ABANDONED 17 /* Abandoned session, eg mux */	58	#define SSH_CHANNEL_ABANDONED 17 /* Abandoned session, eg mux */
59	#define SSH_CHANNEL_UNIX_LISTENER 18 /* Listening on a domain socket. */	59	#define SSH_CHANNEL_UNIX_LISTENER 18 /* Listening on a domain socket. */
60	#define SSH_CHANNEL_RUNIX_LISTENER 19 /* Listening to a R-style domain socket. */	60	#define SSH_CHANNEL_RUNIX_LISTENER 19 /* Listening to a R-style domain socket. */
61	#define SSH_CHANNEL_MAX_TYPE 20	61	#define SSH_CHANNEL_RDYNAMIC 20
		62	#define SSH_CHANNEL_MAX_TYPE 21
62		63
63	#define CHANNEL_CANCEL_PORT_STATIC -1	64	#define CHANNEL_CANCEL_PORT_STATIC -1
64		65
Lines 193-198 struct Channel { Link Here
193	#define CHAN_EOF_SENT 0x04	194	#define CHAN_EOF_SENT 0x04
194	#define CHAN_EOF_RCVD 0x08	195	#define CHAN_EOF_RCVD 0x08
195	#define CHAN_LOCAL 0x10	196	#define CHAN_LOCAL 0x10
		197	#define CHAN_RD_ACKD 0x20
196		198
197	#define CHAN_RBUF 16*1024	199	#define CHAN_RBUF 16*1024
198		200

Lines 873-879 process_cmdline(void) Link Here

(-)a/clientloop.c (-7 / +17 lines)
873	{	873	{
874	void (*handler)(int);	874	void (*handler)(int);
875	char s, cmd;	875	char s, cmd;
876	int ok, delete = 0, local = 0, remote = 0, dynamic = 0;	876	int ok, delete = 0, remote, dynamic;
877	struct Forward fwd;	877	struct Forward fwd;
878		878
879	memset(&fwd, 0, sizeof(fwd));	879	memset(&fwd, 0, sizeof(fwd));
Lines 898-909 process_cmdline(void) Link Here
898	"Request remote forward");	898	"Request remote forward");
899	logit(" -D[bind_address:]port "	899	logit(" -D[bind_address:]port "
900	"Request dynamic forward");	900	"Request dynamic forward");
		901	logit(" -d[bind_address:]port "
		902	"Request remote dynamic forward");
901	logit(" -KL[bind_address:]port "	903	logit(" -KL[bind_address:]port "
902	"Cancel local forward");	904	"Cancel local forward");
903	logit(" -KR[bind_address:]port "	905	logit(" -KR[bind_address:]port "
904	"Cancel remote forward");	906	"Cancel remote forward");
905	logit(" -KD[bind_address:]port "	907	logit(" -KD[bind_address:]port "
906	"Cancel dynamic forward");	908	"Cancel dynamic forward");
		909	logit(" -Kd[bind_address:]port "
		910	"Cancel remote dynamic forward");
907	if (!options.permit_local_command)	911	if (!options.permit_local_command)
908	goto out;	912	goto out;
909	logit(" !args "	913	logit(" !args "
Lines 921-933 process_cmdline(void) Link Here
921	delete = 1;	925	delete = 1;
922	s++;	926	s++;
923	}	927	}
924	if (*s == 'L')	928	if (*s == 'L') {
925	local = 1;	929	dynamic = 0;
926	else if (*s == 'R')	930	remote = 0;
		931	} else if (*s == 'R') {
		932	dynamic = 0;
927	remote = 1;	933	remote = 1;
928	else if (*s == 'D')	934	} else if (*s == 'D') {
929	dynamic = 1;	935	dynamic = 1;
930	else {	936	remote = 0;
		937	} else if (*s == 'd') {
		938	dynamic = 1;
		939	remote = 1;
		940	} else {
931	logit("Invalid command.");	941	logit("Invalid command.");
932	goto out;	942	goto out;
933	}	943	}
Lines 966-972 process_cmdline(void) Link Here
966	logit("Bad forwarding specification.");	976	logit("Bad forwarding specification.");
967	goto out;	977	goto out;
968	}	978	}
969	if (local \|\| dynamic) {	979	if (!remote) {
970	if (!channel_setup_local_fwd_listener(&fwd,	980	if (!channel_setup_local_fwd_listener(&fwd,
971	&options.fwd_opts)) {	981	&options.fwd_opts)) {
972	logit("Port forwarding failed.");	982	logit("Port forwarding failed.");




	argv0 = av[0];

 again:
	while ((opt = getopt(ac, av, "1246ab:c:d:e:fgi:kl:m:no:p:qstvx"
	    "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
		switch (opt) {
		case '1':

			}
			break;

		case 'd':
			if (parse_forward(&fwd, optarg, 1, 1)) {
				add_remote_forward(&options, &fwd);
			} else {
				fprintf(stderr,
				    "Bad remote dynamic forwarding specification "
				    "'%s'\n", optarg);
				exit(255);
			}
			break;

		case 'C':
			options.compression = 1;
			break;

Return to bug 2393

Lines 596-602 main(int ac, char **av) Link Here

(-)a/ssh.c (-1 / +12 lines)
596	argv0 = av[0];	596	argv0 = av[0];
597		597
598	again:	598	again:
599	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"	599	while ((opt = getopt(ac, av, "1246ab:c:d:e:fgi:kl:m:no:p:qstvx"
600	"ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {	600	"ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
601	switch (opt) {	601	switch (opt) {
602	case '1':	602	case '1':
Lines 876-881 main(int ac, char **av) Link Here
876	}	876	}
877	break;	877	break;
878		878
		879	case 'd':
		880	if (parse_forward(&fwd, optarg, 1, 1)) {
		881	add_remote_forward(&options, &fwd);
		882	} else {
		883	fprintf(stderr,
		884	"Bad remote dynamic forwarding specification "
		885	"'%s'\n", optarg);
		886	exit(255);
		887	}
		888	break;
		889
879	case 'C':	890	case 'C':
880	options.compression = 1;	891	options.compression = 1;
881	break;	892	break;