Diffstat (limited to 'channels.c')
-rw-r--r--channels.c108
1 files changed, 61 insertions, 47 deletions
diff --git a/channels.c b/channels.c
index 3f6db60c6..8c7b2b369 100644
--- a/channels.c
+++ b/channels.c
@@ -39,7 +39,7 @@
39 */ 39 */
40 40
41#include "includes.h" 41#include "includes.h"
42RCSID("$OpenBSD: channels.c,v 1.214 2005/03/14 11:46:56 markus Exp $"); 42RCSID("$OpenBSD: channels.c,v 1.223 2005/07/17 07:17:54 djm Exp $");
43 43
44#include "ssh.h" 44#include "ssh.h"
45#include "ssh1.h" 45#include "ssh1.h"
@@ -111,6 +111,9 @@ static int all_opens_permitted = 0;
111/* Maximum number of fake X11 displays to try. */ 111/* Maximum number of fake X11 displays to try. */
112#define MAX_DISPLAYS 1000 112#define MAX_DISPLAYS 1000
113 113
114/* Saved X11 local (client) display. */
115static char *x11_saved_display = NULL;
116
114/* Saved X11 authentication protocol name. */ 117/* Saved X11 authentication protocol name. */
115static char *x11_saved_proto = NULL; 118static char *x11_saved_proto = NULL;
116 119
@@ -727,8 +730,8 @@ channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
727 FD_SET(c->wfd, writeset); 730 FD_SET(c->wfd, writeset);
728 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 731 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
729 if (CHANNEL_EFD_OUTPUT_ACTIVE(c)) 732 if (CHANNEL_EFD_OUTPUT_ACTIVE(c))
730 debug2("channel %d: obuf_empty delayed efd %d/(%d)", 733 debug2("channel %d: obuf_empty delayed efd %d/(%d)",
731 c->self, c->efd, buffer_len(&c->extended)); 734 c->self, c->efd, buffer_len(&c->extended));
732 else 735 else
733 chan_obuf_empty(c); 736 chan_obuf_empty(c);
734 } 737 }
@@ -894,7 +897,7 @@ static int
894channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset) 897channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
895{ 898{
896 char *p, *host; 899 char *p, *host;
897 int len, have, i, found; 900 u_int len, have, i, found;
898 char username[256]; 901 char username[256];
899 struct { 902 struct {
900 u_int8_t version; 903 u_int8_t version;
@@ -979,7 +982,7 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
979 } s5_req, s5_rsp; 982 } s5_req, s5_rsp;
980 u_int16_t dest_port; 983 u_int16_t dest_port;
981 u_char *p, dest_addr[255+1]; 984 u_char *p, dest_addr[255+1];
982 int i, have, found, nmethods, addrlen, af; 985 u_int have, i, found, nmethods, addrlen, af;
983 986
984 debug2("channel %d: decode socks5", c->self); 987 debug2("channel %d: decode socks5", c->self);
985 p = buffer_ptr(&c->input); 988 p = buffer_ptr(&c->input);
@@ -1075,7 +1078,8 @@ static void
1075channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset) 1078channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset)
1076{ 1079{
1077 u_char *p; 1080 u_char *p;
1078 int have, ret; 1081 u_int have;
1082 int ret;
1079 1083
1080 have = buffer_len(&c->input); 1084 have = buffer_len(&c->input);
1081 c->delayed = 0; 1085 c->delayed = 0;
@@ -1178,7 +1182,7 @@ port_open_helper(Channel *c, char *rtype)
1178 int direct; 1182 int direct;
1179 char buf[1024]; 1183 char buf[1024];
1180 char *remote_ipaddr = get_peer_ipaddr(c->sock); 1184 char *remote_ipaddr = get_peer_ipaddr(c->sock);
1181 u_short remote_port = get_peer_port(c->sock); 1185 int remote_port = get_peer_port(c->sock);
1182 1186
1183 direct = (strcmp(rtype, "direct-tcpip") == 0); 1187 direct = (strcmp(rtype, "direct-tcpip") == 0);
1184 1188
@@ -1208,7 +1212,7 @@ port_open_helper(Channel *c, char *rtype)
1208 } 1212 }
1209 /* originator host and port */ 1213 /* originator host and port */
1210 packet_put_cstring(remote_ipaddr); 1214 packet_put_cstring(remote_ipaddr);
1211 packet_put_int(remote_port); 1215 packet_put_int((u_int)remote_port);
1212 packet_send(); 1216 packet_send();
1213 } else { 1217 } else {
1214 packet_start(SSH_MSG_PORT_OPEN); 1218 packet_start(SSH_MSG_PORT_OPEN);
@@ -1809,8 +1813,8 @@ channel_output_poll(void)
1809 * hack for extended data: delay EOF if EFD still in use. 1813 * hack for extended data: delay EOF if EFD still in use.
1810 */ 1814 */
1811 if (CHANNEL_EFD_INPUT_ACTIVE(c)) 1815 if (CHANNEL_EFD_INPUT_ACTIVE(c))
1812 debug2("channel %d: ibuf_empty delayed efd %d/(%d)", 1816 debug2("channel %d: ibuf_empty delayed efd %d/(%d)",
1813 c->self, c->efd, buffer_len(&c->extended)); 1817 c->self, c->efd, buffer_len(&c->extended));
1814 else 1818 else
1815 chan_ibuf_empty(c); 1819 chan_ibuf_empty(c);
1816 } 1820 }
@@ -2195,11 +2199,11 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
2195 2199
2196 if (host == NULL) { 2200 if (host == NULL) {
2197 error("No forward host name."); 2201 error("No forward host name.");
2198 return success; 2202 return 0;
2199 } 2203 }
2200 if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) { 2204 if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) {
2201 error("Forward host name too long."); 2205 error("Forward host name too long.");
2202 return success; 2206 return 0;
2203 } 2207 }
2204 2208
2205 /* 2209 /*
@@ -2250,12 +2254,10 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
2250 packet_disconnect("getaddrinfo: fatal error: %s", 2254 packet_disconnect("getaddrinfo: fatal error: %s",
2251 gai_strerror(r)); 2255 gai_strerror(r));
2252 } else { 2256 } else {
2253 verbose("channel_setup_fwd_listener: " 2257 error("channel_setup_fwd_listener: "
2254 "getaddrinfo(%.64s): %s", addr, gai_strerror(r));
2255 packet_send_debug("channel_setup_fwd_listener: "
2256 "getaddrinfo(%.64s): %s", addr, gai_strerror(r)); 2258 "getaddrinfo(%.64s): %s", addr, gai_strerror(r));
2257 } 2259 }
2258 aitop = NULL; 2260 return 0;
2259 } 2261 }
2260 2262
2261 for (ai = aitop; ai; ai = ai->ai_next) { 2263 for (ai = aitop; ai; ai = ai->ai_next) {
@@ -2657,7 +2659,7 @@ channel_send_window_changes(void)
2657 */ 2659 */
2658int 2660int
2659x11_create_display_inet(int x11_display_offset, int x11_use_localhost, 2661x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
2660 int single_connection, u_int *display_numberp) 2662 int single_connection, u_int *display_numberp, int **chanids)
2661{ 2663{
2662 Channel *nc = NULL; 2664 Channel *nc = NULL;
2663 int display_number, sock; 2665 int display_number, sock;
@@ -2747,6 +2749,8 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
2747 } 2749 }
2748 2750
2749 /* Allocate a channel for each socket. */ 2751 /* Allocate a channel for each socket. */
2752 if (chanids != NULL)
2753 *chanids = xmalloc(sizeof(**chanids) * (num_socks + 1));
2750 for (n = 0; n < num_socks; n++) { 2754 for (n = 0; n < num_socks; n++) {
2751 sock = socks[n]; 2755 sock = socks[n];
2752 nc = channel_new("x11 listener", 2756 nc = channel_new("x11 listener",
@@ -2754,7 +2758,11 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
2754 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 2758 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
2755 0, "X11 inet listener", 1); 2759 0, "X11 inet listener", 1);
2756 nc->single_connection = single_connection; 2760 nc->single_connection = single_connection;
2761 if (*chanids != NULL)
2762 (*chanids)[n] = nc->self;
2757 } 2763 }
2764 if (*chanids != NULL)
2765 (*chanids)[n] = -1;
2758 2766
2759 /* Return the display number for the DISPLAY environment variable. */ 2767 /* Return the display number for the DISPLAY environment variable. */
2760 *display_numberp = display_number; 2768 *display_numberp = display_number;
@@ -2952,19 +2960,27 @@ deny_input_open(int type, u_int32_t seq, void *ctxt)
2952 * This should be called in the client only. 2960 * This should be called in the client only.
2953 */ 2961 */
2954void 2962void
2955x11_request_forwarding_with_spoofing(int client_session_id, 2963x11_request_forwarding_with_spoofing(int client_session_id, const char *disp,
2956 const char *proto, const char *data) 2964 const char *proto, const char *data)
2957{ 2965{
2958 u_int data_len = (u_int) strlen(data) / 2; 2966 u_int data_len = (u_int) strlen(data) / 2;
2959 u_int i, value, len; 2967 u_int i, value;
2960 char *new_data; 2968 char *new_data;
2961 int screen_number; 2969 int screen_number;
2962 const char *cp; 2970 const char *cp;
2963 u_int32_t rnd = 0; 2971 u_int32_t rnd = 0;
2964 2972
2965 cp = getenv("DISPLAY"); 2973 if (x11_saved_display == NULL)
2966 if (cp) 2974 x11_saved_display = xstrdup(disp);
2967 cp = strchr(cp, ':'); 2975 else if (strcmp(disp, x11_saved_display) != 0) {
2976 error("x11_request_forwarding_with_spoofing: different "
2977 "$DISPLAY already forwarded");
2978 return;
2979 }
2980
2981 cp = disp;
2982 if (disp)
2983 cp = strchr(disp, ':');
2968 if (cp) 2984 if (cp)
2969 cp = strchr(cp, '.'); 2985 cp = strchr(cp, '.');
2970 if (cp) 2986 if (cp)
@@ -2972,33 +2988,31 @@ x11_request_forwarding_with_spoofing(int client_session_id,
2972 else 2988 else
2973 screen_number = 0; 2989 screen_number = 0;
2974 2990
2975 /* Save protocol name. */ 2991 if (x11_saved_proto == NULL) {
2976 x11_saved_proto = xstrdup(proto); 2992 /* Save protocol name. */
2977 2993 x11_saved_proto = xstrdup(proto);
2978 /* 2994 /*
2979 * Extract real authentication data and generate fake data of the 2995 * Extract real authentication data and generate fake data
2980 * same length. 2996 * of the same length.
2981 */ 2997 */
2982 x11_saved_data = xmalloc(data_len); 2998 x11_saved_data = xmalloc(data_len);
2983 x11_fake_data = xmalloc(data_len); 2999 x11_fake_data = xmalloc(data_len);
2984 for (i = 0; i < data_len; i++) { 3000 for (i = 0; i < data_len; i++) {
2985 if (sscanf(data + 2 * i, "%2x", &value) != 1) 3001 if (sscanf(data + 2 * i, "%2x", &value) != 1)
2986 fatal("x11_request_forwarding: bad authentication data: %.100s", data); 3002 fatal("x11_request_forwarding: bad "
2987 if (i % 4 == 0) 3003 "authentication data: %.100s", data);
2988 rnd = arc4random(); 3004 if (i % 4 == 0)
2989 x11_saved_data[i] = value; 3005 rnd = arc4random();
2990 x11_fake_data[i] = rnd & 0xff; 3006 x11_saved_data[i] = value;
2991 rnd >>= 8; 3007 x11_fake_data[i] = rnd & 0xff;
2992 } 3008 rnd >>= 8;
2993 x11_saved_data_len = data_len; 3009 }
2994 x11_fake_data_len = data_len; 3010 x11_saved_data_len = data_len;
3011 x11_fake_data_len = data_len;
3012 }
2995 3013
2996 /* Convert the fake data into hex. */ 3014 /* Convert the fake data into hex. */
2997 len = 2 * data_len + 1; 3015 new_data = tohex(x11_fake_data, data_len);
2998 new_data = xmalloc(len);
2999 for (i = 0; i < data_len; i++)
3000 snprintf(new_data + 2 * i, len - 2 * i,
3001 "%02x", (u_char) x11_fake_data[i]);
3002 3016
3003 /* Send the request packet. */ 3017 /* Send the request packet. */
3004 if (compat20) { 3018 if (compat20) {
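Review bot: In the x11_create_display_inet hunk (new lines 2752-2765) the two index writes test `*chanids != NULL` while the allocation just above tests `chanids != NULL`, so the out-parameter is treated as optional at the malloc but dereferenced unconditionally when it is NULL, crashing on the first listener instead of skipping the bookkeeping. Both guards should test the pointer itself: `if (chanids != NULL)` before `(*chanids)[n] = nc->self;` and again before the `(*chanids)[n] = -1;` terminator. A short comment at the allocation would also help callers, since the array is xmalloc'd here with no matching free and its length is only implied by the `-1` sentinel: `/* -1 terminated list of listener channel ids; caller frees */`. x11_create_display_inet starts and ends outside this hunk, so whether any current caller passes NULL is not visible here.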