- dtucker@cvs.openbsd.org 2005/10/30 08:29:29

[canohost.c sshd.c] Check for connections with IP options earlier and drop silently. ok djm@
author: Damien Miller <djm@mindrot.org> 2005-11-05 15:13:24 +1100
committer: Damien Miller <djm@mindrot.org> 2005-11-05 15:13:24 +1100
commit: 4d3fd54c91dae68ea2642387196015931ee83200 (patch)
tree: 4d707d50bad03f27435fef1f38bad055de68a603
parent: aa3bb1094011e640488e9f2ebd718a79960b147d (diff)
3 files changed, 13 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index 112f5728f..52660e2be 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -65,6 +65,9 @@
   - djm@cvs.openbsd.org 2005/10/30 04:03:24
     [ssh.c]
     fix misleading debug message; ok dtucker@
+   - dtucker@cvs.openbsd.org 2005/10/30 08:29:29
+     [canohost.c sshd.c]
+     Check for connections with IP options earlier and drop silently.  ok djm@
 20051102
 - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
@@ -3198,4 +3201,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3942 2005/11/05 04:12:59 djm Exp $
+$Id: ChangeLog,v 1.3943 2005/11/05 04:13:24 djm Exp $
diff --git a/canohost.c b/canohost.c
index 0c4d36ff6..66867c10b 100644
--- a/canohost.c
+++ b/canohost.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.45 2005/10/03 07:44:42 dtucker Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.46 2005/10/30 08:29:29 dtucker Exp $");
 #include "packet.h"
 #include "xmalloc.h"
@@ -158,9 +158,7 @@ check_ip_options(int sock, char *ipaddr)
                for (i = 0; i < option_size; i++)
                        snprintf(text + i*3, sizeof(text) - i*3,
                            " %2.2x", options[i]);
-                logit("Connection from %.100s with IP options:%.800s",
+                fatal("Connection from %.100s with IP options:%.800s",
-                    ipaddr, text);
-                packet_disconnect("Connection from %.100s with IP options:%.800s",
                    ipaddr, text);
        }
 #endif /* IP_OPTIONS */
diff --git a/sshd.c b/sshd.c
index c4d66e2fc..4b5f89e2a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.315 2005/09/21 23:37:11 djm Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.316 2005/10/30 08:29:29 dtucker Exp $");
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -1651,7 +1651,12 @@ main(int ac, char **av)
                debug("get_remote_port failed");
                cleanup_exit(255);
        }
-        remote_ip = get_remote_ipaddr();
+        /*
+         * We use get_canonical_hostname with usedns = 0 instead of
+         * get_remote_ipaddr here so IP options will be checked.
+         */
+        remote_ip = get_canonical_hostname(0);
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
author	Damien Miller <djm@mindrot.org>	2005-11-05 15:13:24 +1100
committer	Damien Miller <djm@mindrot.org>	2005-11-05 15:13:24 +1100
commit	4d3fd54c91dae68ea2642387196015931ee83200 (patch)
tree	4d707d50bad03f27435fef1f38bad055de68a603
parent	aa3bb1094011e640488e9f2ebd718a79960b147d (diff)

diff --git a/ChangeLog b/ChangeLog index 112f5728f..52660e2be 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -65,6 +65,9 @@
65	- djm@cvs.openbsd.org 2005/10/30 04:03:24	65	- djm@cvs.openbsd.org 2005/10/30 04:03:24
66	[ssh.c]	66	[ssh.c]
67	fix misleading debug message; ok dtucker@	67	fix misleading debug message; ok dtucker@
		68	- dtucker@cvs.openbsd.org 2005/10/30 08:29:29
		69	[canohost.c sshd.c]
		70	Check for connections with IP options earlier and drop silently. ok djm@
68		71
69	20051102	72	20051102
70	- (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().	73	- (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
@@ -3198,4 +3201,4 @@
3198	- (djm) Trim deprecated options from INSTALL. Mention UsePAM	3201	- (djm) Trim deprecated options from INSTALL. Mention UsePAM
3199	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu	3202	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
3200		3203
3201	$Id: ChangeLog,v 1.3942 2005/11/05 04:12:59 djm Exp $	3204	$Id: ChangeLog,v 1.3943 2005/11/05 04:13:24 djm Exp $


diff --git a/canohost.c b/canohost.c index 0c4d36ff6..66867c10b 100644 --- a/canohost.c +++ b/canohost.c
@@ -12,7 +12,7 @@
12	*/	12	*/
13		13
14	#include "includes.h"	14	#include "includes.h"
15	RCSID("$OpenBSD: canohost.c,v 1.45 2005/10/03 07:44:42 dtucker Exp $");	15	RCSID("$OpenBSD: canohost.c,v 1.46 2005/10/30 08:29:29 dtucker Exp $");
16		16
17	#include "packet.h"	17	#include "packet.h"
18	#include "xmalloc.h"	18	#include "xmalloc.h"
@@ -158,9 +158,7 @@ check_ip_options(int sock, char *ipaddr)
158	for (i = 0; i < option_size; i++)	158	for (i = 0; i < option_size; i++)
159	snprintf(text + i3, sizeof(text) - i3,	159	snprintf(text + i3, sizeof(text) - i3,
160	" %2.2x", options[i]);	160	" %2.2x", options[i]);
161	logit("Connection from %.100s with IP options:%.800s",	161	fatal("Connection from %.100s with IP options:%.800s",
162	ipaddr, text);
163	packet_disconnect("Connection from %.100s with IP options:%.800s",
164	ipaddr, text);	162	ipaddr, text);
165	}	163	}
166	#endif /* IP_OPTIONS */	164	#endif /* IP_OPTIONS */


diff --git a/sshd.c b/sshd.c index c4d66e2fc..4b5f89e2a 100644 --- a/sshd.c +++ b/sshd.c
@@ -42,7 +42,7 @@
42	*/	42	*/
43		43
44	#include "includes.h"	44	#include "includes.h"
45	RCSID("$OpenBSD: sshd.c,v 1.315 2005/09/21 23:37:11 djm Exp $");	45	RCSID("$OpenBSD: sshd.c,v 1.316 2005/10/30 08:29:29 dtucker Exp $");
46		46
47	#include <openssl/dh.h>	47	#include <openssl/dh.h>
48	#include <openssl/bn.h>	48	#include <openssl/bn.h>
@@ -1651,7 +1651,12 @@ main(int ac, char **av)
1651	debug("get_remote_port failed");	1651	debug("get_remote_port failed");
1652	cleanup_exit(255);	1652	cleanup_exit(255);
1653	}	1653	}
1654	remote_ip = get_remote_ipaddr();	1654
		1655	/*
		1656	* We use get_canonical_hostname with usedns = 0 instead of
		1657	* get_remote_ipaddr here so IP options will be checked.
		1658	*/
		1659	remote_ip = get_canonical_hostname(0);
1655		1660
1656	#ifdef SSH_AUDIT_EVENTS	1661	#ifdef SSH_AUDIT_EVENTS
1657	audit_connection_from(remote_ip, remote_port);	1662	audit_connection_from(remote_ip, remote_port);