1 files changed, 9 insertions, 3 deletions

diff --git a/channels.c b/channels.c
index ae248414b..fecd4540e 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.354 2016/09/30 09:19:13 markus Exp $ */
+/* $OpenBSD: channels.c,v 1.355 2016/09/30 20:24:46 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2472,7 +2472,8 @@ channel_proxy_downstream(Channel *downstream)
         char *ctype = NULL, *listen_host = NULL;
         u_char type;
         size_t have;
-        int ret = -1, r, id, remote_id, listen_port, idx;
+        int ret = -1, r, idx;
+        u_int id, remote_id, listen_port;
 
         /* sshbuf_dump(&downstream->input, stderr); */
         if ((r = sshbuf_get_string_direct(&downstream->input, &cp, &have))
@@ -2563,6 +2564,11 @@ channel_proxy_downstream(Channel *downstream)
                         error("%s: parse error %s", __func__, ssh_err(r));
                         goto out;
                 }
+                if (listen_port > 65535) {
+                        error("%s: tcpip-forward for %s: bad port %u",
+                            __func__, listen_host, listen_port);
+                        goto out;
+                }
                 /* Record that connection to this host/port is permitted. */
                 permitted_opens = xreallocarray(permitted_opens,
                     num_permitted_opens + 1, sizeof(*permitted_opens));
@@ -2570,7 +2576,7 @@ channel_proxy_downstream(Channel *downstream)
                 permitted_opens[idx].host_to_connect = xstrdup("<mux>");
                 permitted_opens[idx].port_to_connect = -1;
                 permitted_opens[idx].listen_host = listen_host;
-                permitted_opens[idx].listen_port = listen_port;
+                permitted_opens[idx].listen_port = (int)listen_port;
                 permitted_opens[idx].downstream = downstream;
                 listen_host = NULL;
                 break;