upstream commit

Return true reason for port forwarding failures where feasible rather than always "administratively prohibited". bz#2674, ok djm@ Upstream-ID: d901d9887951774e604ca970e1827afaaef9e419
author: dtucker@openbsd.org <dtucker@openbsd.org> 2017-02-01 02:59:09 +0000
committer: Darren Tucker <dtucker@zip.com.au> 2017-02-03 14:23:24 +1100
commit: 858252fb1d451ebb0969cf9749116c8f0ee42753 (patch)
tree: 86168774d4d73763e0114ec62d7abeb29fbfba12 /serverloop.c
parent: 6ba9f893838489add6ec4213c7a997b425e4a9e0 (diff)
1 files changed, 10 insertions, 7 deletions
diff --git a/serverloop.c b/serverloop.c
index bdb944fa3..2976f5594 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.190 2017/01/04 05:37:40 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.191 2017/02/01 02:59:09 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -430,7 +430,7 @@ server_input_keep_alive(int type, u_int32_t seq, void *ctxt)
 }
 static Channel *
-server_request_direct_tcpip(void)
+server_request_direct_tcpip(int *reason, const char **errmsg)
 {
        Channel *c = NULL;
        char *target, *originator;
@@ -449,11 +449,13 @@ server_request_direct_tcpip(void)
        if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
            !no_port_forwarding_flag && !options.disable_forwarding) {
                c = channel_connect_to_port(target, target_port,
-                    "direct-tcpip", "direct-tcpip");
+                    "direct-tcpip", "direct-tcpip", reason, errmsg);
        } else {
                logit("refused local port forward: "
                    "originator %s port %d, target %s port %d",
                    originator, originator_port, target, target_port);
+                if (reason != NULL)
+                        *reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;
        }
        free(originator);
@@ -581,7 +583,8 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt)
 {
        Channel *c = NULL;
        char *ctype;
-        int rchan;
+        const char *errmsg = NULL;
+        int rchan, reason = SSH2_OPEN_CONNECT_FAILED;
        u_int rmaxpack, rwindow, len;
        ctype = packet_get_string(&len);
@@ -595,7 +598,7 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt)
        if (strcmp(ctype, "session") == 0) {
                c = server_request_session();
        } else if (strcmp(ctype, "direct-tcpip") == 0) {
-                c = server_request_direct_tcpip();
+                c = server_request_direct_tcpip(&reason, &errmsg);
        } else if (strcmp(ctype, "direct-streamlocal@openssh.com") == 0) {
                c = server_request_direct_streamlocal();
        } else if (strcmp(ctype, "tun@openssh.com") == 0) {
@@ -618,9 +621,9 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt)
                debug("server_input_channel_open: failure %s", ctype);
                packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE);
                packet_put_int(rchan);
-                packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED);
+                packet_put_int(reason);
                if (!(datafellows & SSH_BUG_OPENFAILURE)) {
-                        packet_put_cstring("open failed");
+                        packet_put_cstring(errmsg ? errmsg : "open failed");
                        packet_put_cstring("");
                }
                packet_send();
author	dtucker@openbsd.org <dtucker@openbsd.org>	2017-02-01 02:59:09 +0000
committer	Darren Tucker <dtucker@zip.com.au>	2017-02-03 14:23:24 +1100
commit	858252fb1d451ebb0969cf9749116c8f0ee42753 (patch)
tree	86168774d4d73763e0114ec62d7abeb29fbfba12 /serverloop.c
parent	6ba9f893838489add6ec4213c7a997b425e4a9e0 (diff)