1 files changed, 187 insertions, 65 deletions
diff --git a/channels.c b/channels.c
index 24d4a9f42..f6e9b4d8c 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.311 2011/06/22 22:08:42 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.315 2011/09/23 07:45:05 markus Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -125,6 +125,9 @@ static int num_permitted_opens = 0;
 /* Number of permitted host/port pair in the array permitted by the admin. */
 static int num_adm_permitted_opens = 0;
+/* special-case port number meaning allow any port */
+#define FWD_PERMIT_ANY_PORT     0
 /*
 * If this is true, all opens are permitted.  This is the case on the server
 * on which we have to trust the client anyway, and the user could do
@@ -302,6 +305,8 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
        buffer_init(&c->output);
        buffer_init(&c->extended);
        c->path = NULL;
+        c->listening_addr = NULL;
+        c->listening_port = 0;
        c->ostate = CHAN_OUTPUT_OPEN;
        c->istate = CHAN_INPUT_OPEN;
        c->flags = 0;
@@ -411,6 +416,10 @@ channel_free(Channel *c)
                xfree(c->path);
                c->path = NULL;
        }
+        if (c->listening_addr) {
+                xfree(c->listening_addr);
+                c->listening_addr = NULL;
+        }
        while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
                if (cc->abandon_cb != NULL)
                        cc->abandon_cb(c, cc->ctx);
@@ -2634,6 +2643,46 @@ channel_set_af(int af)
        IPv4or6 = af;
 }
+/*
+ * Determine whether or not a port forward listens to loopback, the
+ * specified address or wildcard. On the client, a specified bind
+ * address will always override gateway_ports. On the server, a
+ * gateway_ports of 1 (``yes'') will override the client's specification
+ * and force a wildcard bind, whereas a value of 2 (``clientspecified'')
+ * will bind to whatever address the client asked for.
+ *
+ * Special-case listen_addrs are:
+ *
+ * "0.0.0.0"               -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
+ * "" (empty string), "*"  -> wildcard v4/v6
+ * "localhost"             -> loopback v4/v6
+ */
+static const char *
+channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
+    int is_client, int gateway_ports)
+{
+        const char *addr = NULL;
+        int wildcard = 0;
+        if (listen_addr == NULL) {
+                /* No address specified: default to gateway_ports setting */
+                if (gateway_ports)
+                        wildcard = 1;
+        } else if (gateway_ports || is_client) {
+                if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
+                    strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
+                    *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
+                    (!is_client && gateway_ports == 1))
+                        wildcard = 1;
+                else if (strcmp(listen_addr, "localhost") != 0)
+                        addr = listen_addr;
+        }
+        if (wildcardp != NULL)
+                *wildcardp = wildcard;
+        return addr;
+}
 static int
 channel_setup_fwd_listener(int type, const char *listen_addr,
    u_short listen_port, int *allocated_listen_port,
@@ -2659,36 +2708,9 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
                return 0;
        }
-        /*
+        /* Determine the bind address, cf. channel_fwd_bind_addr() comment */
-         * Determine whether or not a port forward listens to loopback,
+        addr = channel_fwd_bind_addr(listen_addr, &wildcard,
-         * specified address or wildcard. On the client, a specified bind
+            is_client, gateway_ports);
-         * address will always override gateway_ports. On the server, a
-         * gateway_ports of 1 (``yes'') will override the client's
-         * specification and force a wildcard bind, whereas a value of 2
-         * (``clientspecified'') will bind to whatever address the client
-         * asked for.
-         *
-         * Special-case listen_addrs are:
-         *
-         * "0.0.0.0"               -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
-         * "" (empty string), "*"  -> wildcard v4/v6
-         * "localhost"             -> loopback v4/v6
-         */
-        addr = NULL;
-        if (listen_addr == NULL) {
-                /* No address specified: default to gateway_ports setting */
-                if (gateway_ports)
-                        wildcard = 1;
-        } else if (gateway_ports || is_client) {
-                if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
-                    strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
-                    *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
-                    (!is_client && gateway_ports == 1))
-                        wildcard = 1;
-                else if (strcmp(listen_addr, "localhost") != 0)
-                        addr = listen_addr;
-        }
        debug3("channel_setup_fwd_listener: type %d wildcard %d addr %s",
            type, wildcard, (addr == NULL) ? "NULL" : addr);
@@ -2792,7 +2814,12 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
                    0, "port listener", 1);
                c->path = xstrdup(host);
                c->host_port = port_to_connect;
-                c->listening_port = listen_port;
+                c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
+                if (listen_port == 0 && allocated_listen_port != NULL &&
+                    !(datafellows & SSH_BUG_DYNAMIC_RPORT))
+                        c->listening_port = *allocated_listen_port;
+                else
+                        c->listening_port = listen_port;
                success = 1;
        }
        if (success == 0)
@@ -2810,9 +2837,44 @@ channel_cancel_rport_listener(const char *host, u_short port)
        for (i = 0; i < channels_alloc; i++) {
                Channel *c = channels[i];
+                if (c == NULL || c->type != SSH_CHANNEL_RPORT_LISTENER)
+                        continue;
+                if (strcmp(c->path, host) == 0 && c->listening_port == port) {
+                        debug2("%s: close channel %d", __func__, i);
+                        channel_free(c);
+                        found = 1;
+                }
+        }
+        return (found);
+}
+int
+channel_cancel_lport_listener(const char *lhost, u_short lport,
+    int cport, int gateway_ports)
+{
+        u_int i;
+        int found = 0;
+        const char *addr = channel_fwd_bind_addr(lhost, NULL, 1, gateway_ports);
-                if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER &&
+        for (i = 0; i < channels_alloc; i++) {
-                    strcmp(c->path, host) == 0 && c->listening_port == port) {
+                Channel *c = channels[i];
+                if (c == NULL || c->type != SSH_CHANNEL_PORT_LISTENER)
+                        continue;
+                if (c->listening_port != lport)
+                        continue;
+                if (cport == CHANNEL_CANCEL_PORT_STATIC) {
+                        /* skip dynamic forwardings */
+                        if (c->host_port == 0)
+                                continue;
+                } else {
+                        if (c->host_port != cport)
+                                continue;
+                }
+                if ((c->listening_addr == NULL && addr != NULL) ||
+                    (c->listening_addr != NULL && addr == NULL))
+                        continue;
+                if (addr == NULL || strcmp(c->listening_addr, addr) == 0) {
                        debug2("%s: close channel %d", __func__, i);
                        channel_free(c);
                        found = 1;
@@ -2843,37 +2905,44 @@ channel_setup_remote_fwd_listener(const char *listen_address,
 }
 /*
+ * Translate the requested rfwd listen host to something usable for
+ * this server.
+ */
+static const char *
+channel_rfwd_bind_host(const char *listen_host)
+{
+        if (listen_host == NULL) {
+                if (datafellows & SSH_BUG_RFWD_ADDR)
+                        return "127.0.0.1";
+                else
+                        return "localhost";
+        } else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) {
+                if (datafellows & SSH_BUG_RFWD_ADDR)
+                        return "0.0.0.0";
+                else
+                        return "";
+        } else
+                return listen_host;
+}
+/*
 * Initiate forwarding of connections to port "port" on remote host through
 * the secure channel to host:port from local side.
+ * Returns handle (index) for updating the dynamic listen port with
+ * channel_update_permitted_opens().
 */
 int
 channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
    const char *host_to_connect, u_short port_to_connect)
 {
-        int type, success = 0;
+        int type, success = 0, idx = -1;
        /* Send the forward request to the remote side. */
        if (compat20) {
-                const char *address_to_bind;
-                if (listen_host == NULL) {
-                        if (datafellows & SSH_BUG_RFWD_ADDR)
-                                address_to_bind = "127.0.0.1";
-                        else
-                                address_to_bind = "localhost";
-                } else if (*listen_host == '\0' ||
-                           strcmp(listen_host, "*") == 0) {
-                        if (datafellows & SSH_BUG_RFWD_ADDR)
-                                address_to_bind = "0.0.0.0";
-                        else
-                                address_to_bind = "";
-                } else
-                        address_to_bind = listen_host;
                packet_start(SSH2_MSG_GLOBAL_REQUEST);
                packet_put_cstring("tcpip-forward");
-                packet_put_char(1);                     /* boolean: want reply */
+                packet_put_char(1);             /* boolean: want reply */
-                packet_put_cstring(address_to_bind);
+                packet_put_cstring(channel_rfwd_bind_host(listen_host));
                packet_put_int(listen_port);
                packet_send();
                packet_write_wait();
@@ -2905,25 +2974,25 @@ channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
                /* Record that connection to this host/port is permitted. */
                permitted_opens = xrealloc(permitted_opens,
                    num_permitted_opens + 1, sizeof(*permitted_opens));
-                permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
+                idx = num_permitted_opens++;
-                permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
+                permitted_opens[idx].host_to_connect = xstrdup(host_to_connect);
-                permitted_opens[num_permitted_opens].listen_port = listen_port;
+                permitted_opens[idx].port_to_connect = port_to_connect;
-                num_permitted_opens++;
+                permitted_opens[idx].listen_port = listen_port;
        }
-        return (success ? 0 : -1);
+        return (idx);
 }
 /*
 * Request cancellation of remote forwarding of connection host:port from
 * local side.
 */
-void
+int
 channel_request_rforward_cancel(const char *host, u_short port)
 {
        int i;
        if (!compat20)
-                return;
+                return -1;
        for (i = 0; i < num_permitted_opens; i++) {
                if (permitted_opens[i].host_to_connect != NULL &&
@@ -2932,12 +3001,12 @@ channel_request_rforward_cancel(const char *host, u_short port)
        }
        if (i >= num_permitted_opens) {
                debug("%s: requested forward not found", __func__);
-                return;
+                return -1;
        }
        packet_start(SSH2_MSG_GLOBAL_REQUEST);
        packet_put_cstring("cancel-tcpip-forward");
        packet_put_char(0);
-        packet_put_cstring(host == NULL ? "" : host);
+        packet_put_cstring(channel_rfwd_bind_host(host));
        packet_put_int(port);
        packet_send();
@@ -2945,6 +3014,8 @@ channel_request_rforward_cancel(const char *host, u_short port)
        permitted_opens[i].port_to_connect = 0;
        xfree(permitted_opens[i].host_to_connect);
        permitted_opens[i].host_to_connect = NULL;
+        return 0;
 }
 /*
@@ -3013,6 +3084,35 @@ channel_add_permitted_opens(char *host, int port)
        all_opens_permitted = 0;
 }
+/*
+ * Update the listen port for a dynamic remote forward, after
+ * the actual 'newport' has been allocated. If 'newport' < 0 is
+ * passed then they entry will be invalidated.
+ */
+void
+channel_update_permitted_opens(int idx, int newport)
+{
+        if (idx < 0 || idx >= num_permitted_opens) {
+                debug("channel_update_permitted_opens: index out of range:"
+                    " %d num_permitted_opens %d", idx, num_permitted_opens);
+                return;
+        }
+        debug("%s allowed port %d for forwarding to host %s port %d",
+            newport > 0 ? "Updating" : "Removing",
+            newport,
+            permitted_opens[idx].host_to_connect,
+            permitted_opens[idx].port_to_connect);
+        if (newport >= 0)  {
+                permitted_opens[idx].listen_port = 
+                    (datafellows & SSH_BUG_DYNAMIC_RPORT) ? 0 : newport;
+        } else {
+                permitted_opens[idx].listen_port = 0;
+                permitted_opens[idx].port_to_connect = 0;
+                xfree(permitted_opens[idx].host_to_connect);
+                permitted_opens[idx].host_to_connect = NULL;
+        }
+}
 int
 channel_add_adm_permitted_opens(char *host, int port)
 {
@@ -3073,6 +3173,28 @@ channel_print_adm_permitted_opens(void)
        printf("\n");
 }
+/* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
+int
+permitopen_port(const char *p)
+{
+        int port;
+        if (strcmp(p, "*") == 0)
+                return FWD_PERMIT_ANY_PORT;
+        if ((port = a2port(p)) > 0)
+                return port;
+        return -1;
+}
+static int
+port_match(u_short allowedport, u_short requestedport)
+{
+        if (allowedport == FWD_PERMIT_ANY_PORT ||
+            allowedport == requestedport)
+                return 1;
+        return 0;
+}
 /* Try to start non-blocking connect to next host in cctx list */
 static int
 connect_next(struct channel_connect *cctx)
@@ -3175,7 +3297,7 @@ channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname)
        for (i = 0; i < num_permitted_opens; i++) {
                if (permitted_opens[i].host_to_connect != NULL &&
-                    permitted_opens[i].listen_port == listen_port) {
+                    port_match(permitted_opens[i].listen_port, listen_port)) {
                        return connect_to(
                            permitted_opens[i].host_to_connect,
                            permitted_opens[i].port_to_connect, ctype, rname);
@@ -3196,7 +3318,7 @@ channel_connect_to(const char *host, u_short port, char *ctype, char *rname)
        if (!permit) {
                for (i = 0; i < num_permitted_opens; i++)
                        if (permitted_opens[i].host_to_connect != NULL &&
-                            permitted_opens[i].port_to_connect == port &&
+                            port_match(permitted_opens[i].port_to_connect, port) &&
                            strcmp(permitted_opens[i].host_to_connect, host) == 0)
                                permit = 1;
        }
@@ -3205,7 +3327,7 @@ channel_connect_to(const char *host, u_short port, char *ctype, char *rname)
                permit_adm = 0;
                for (i = 0; i < num_adm_permitted_opens; i++)
                        if (permitted_adm_opens[i].host_to_connect != NULL &&
-                            permitted_adm_opens[i].port_to_connect == port &&
+                            port_match(permitted_adm_opens[i].port_to_connect, port) &&
                            strcmp(permitted_adm_opens[i].host_to_connect, host)
                            == 0)
                                permit_adm = 1;