Bugzilla – Attachment 3017 Details for
Bug 2735
Wrong address family handling for tun devices
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
re-re-revised diff
bz2735.diff (text/plain), 3.19 KB, created by
Damien Miller
on 2017-07-24 15:06:56 AEST
(
hide
)
Description:
re-re-revised diff
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2017-07-24 15:06:56 AEST
Size:
3.19 KB
patch
obsolete
>diff --git a/openbsd-compat/port-tun.c b/openbsd-compat/port-tun.c >index a444adf1..40dd8b54 100644 >--- a/openbsd-compat/port-tun.c >+++ b/openbsd-compat/port-tun.c >@@ -199,49 +199,51 @@ sys_tun_open(int tun, int mode) > */ > > #if defined(SSH_TUN_FILTER) >+/* >+ * The tunnel forwarding protocol prepends the address family of forwarded >+ * IP packets using OpenBSD's numbers. >+ */ > #define OPENBSD_AF_INET 2 > #define OPENBSD_AF_INET6 24 > > int >-sys_tun_infilter(struct Channel *c, char *buf, int len) >+sys_tun_infilter(struct Channel *c, char *buf, int _len) > { >-#if defined(SSH_TUN_PREPEND_AF) >- char rbuf[CHAN_RBUF]; >- struct ip *iph; >-#endif >- u_int32_t *af; >+ int r; >+ size_t len; > char *ptr = buf; >- int r; >- > #if defined(SSH_TUN_PREPEND_AF) >- if (len <= 0 || len > (int)(sizeof(rbuf) - sizeof(*af))) >- return (-1); >- ptr = (char *)&rbuf[0]; >- bcopy(buf, ptr + sizeof(u_int32_t), len); >- len += sizeof(u_int32_t); >- af = (u_int32_t *)ptr; >- >- iph = (struct ip *)(ptr + sizeof(u_int32_t)); >- switch (iph->ip_v) { >- case 6: >- *af = AF_INET6; >- break; >- case 4: >- default: >- *af = AF_INET; >- break; >- } >+ char rbuf[CHAN_RBUF]; >+ struct ip iph; >+#endif >+#if defined(SSH_TUN_PREPEND_AF) || defined(SSH_TUN_COMPAT_AF) >+ u_int32_t af; > #endif > >-#if defined(SSH_TUN_COMPAT_AF) >- if (len < (int)sizeof(u_int32_t)) >- return (-1); >+ /* XXX update channel input filter API to use unsigned length */ >+ if (_len < 0) >+ return -1; >+ len = _len; > >- af = (u_int32_t *)ptr; >- if (*af == htonl(AF_INET6)) >- *af = htonl(OPENBSD_AF_INET6); >- else >- *af = htonl(OPENBSD_AF_INET); >+#if defined(SSH_TUN_PREPEND_AF) >+ if (len <= sizeof(iph) || len > sizeof(rbuf) - 4) >+ return -1; >+ /* Determine address family from packet IP header. */ >+ memcpy(&iph, buf, sizeof(iph)); >+ af = iph.ip_v == 6 ? OPENBSD_AF_INET6 : OPENBSD_AF_INET; >+ /* Prepend address family to packet using OpenBSD constants */ >+ memcpy(rbuf + 4, buf, len); >+ len += 4; >+ POKE_U32(rbuf, htonl(af)); >+ ptr = rbuf; >+#elif defined(SSH_TUN_COMPAT_AF) >+ /* Convert existing address family header to OpenBSD value */ >+ if (len <= 4) >+ return -1; >+ af = ntohl(PEEK_U32(buf)); >+ /* Put it back */ >+ POKE_U32(buf, htonl(af == AF_INET6 ? >+ OPENBSD_AF_INET6 : OPENBSD_AF_INET)); > #endif > > if ((r = sshbuf_put_string(&c->input, ptr, len)) != 0) >@@ -253,7 +255,7 @@ u_char * > sys_tun_outfilter(struct Channel *c, u_char **data, u_int *dlen) > { > u_char *buf; >- u_int32_t *af; >+ u_int32_t af; > int r; > size_t xxx_dlen; > >@@ -262,21 +264,19 @@ sys_tun_outfilter(struct Channel *c, u_char **data, u_int *dlen) > fatal("%s: buffer error: %s", __func__, ssh_err(r)); > if (dlen != NULL) > *dlen = xxx_dlen; >- if (*dlen < sizeof(*af)) >+ if (*dlen < sizeof(af)) > return (NULL); > buf = *data; > > #if defined(SSH_TUN_PREPEND_AF) >- *dlen -= sizeof(u_int32_t); >- buf = *data + sizeof(u_int32_t); >+ /* skip address family */ >+ *dlen -= sizeof(af); >+ buf = *data + sizeof(af); > #elif defined(SSH_TUN_COMPAT_AF) >- af = ntohl(*(u_int32_t *)buf); >- if (*af == OPENBSD_AF_INET6) >- *af = htonl(AF_INET6); >- else >- *af = htonl(AF_INET); >+ /* translate address family */ >+ af = (ntohl(PEEK_U32(buf)) == OPENBSD_AF_INET6) ? AF_INET6 : AF_INET; >+ POKE_U32(buf, htonl(af)); > #endif >- > return (buf); > } > #endif /* SSH_TUN_FILTER */
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=3017">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 2735
:
3005
|
3006
|
3011
|
3016
|
3017
|
3019
|
3020