From 4d3fd54c91dae68ea2642387196015931ee83200 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Sat, 5 Nov 2005 15:13:24 +1100
Subject:    - dtucker@cvs.openbsd.org 2005/10/30 08:29:29      [canohost.c
 sshd.c]      Check for connections with IP options earlier and drop silently.
  ok djm@

---
 ChangeLog  | 5 ++++-
 canohost.c | 6 ++----
 sshd.c     | 9 +++++++--
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 112f5728f..52660e2be 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -65,6 +65,9 @@
    - djm@cvs.openbsd.org 2005/10/30 04:03:24
      [ssh.c]
      fix misleading debug message; ok dtucker@
+   - dtucker@cvs.openbsd.org 2005/10/30 08:29:29
+     [canohost.c sshd.c]
+     Check for connections with IP options earlier and drop silently.  ok djm@
 
 20051102
  - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
@@ -3198,4 +3201,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3942 2005/11/05 04:12:59 djm Exp $
+$Id: ChangeLog,v 1.3943 2005/11/05 04:13:24 djm Exp $
diff --git a/canohost.c b/canohost.c
index 0c4d36ff6..66867c10b 100644
--- a/canohost.c
+++ b/canohost.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.45 2005/10/03 07:44:42 dtucker Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.46 2005/10/30 08:29:29 dtucker Exp $");
 
 #include "packet.h"
 #include "xmalloc.h"
@@ -158,9 +158,7 @@ check_ip_options(int sock, char *ipaddr)
 		for (i = 0; i < option_size; i++)
 			snprintf(text + i*3, sizeof(text) - i*3,
 			    " %2.2x", options[i]);
-		logit("Connection from %.100s with IP options:%.800s",
-		    ipaddr, text);
-		packet_disconnect("Connection from %.100s with IP options:%.800s",
+		fatal("Connection from %.100s with IP options:%.800s",
 		    ipaddr, text);
 	}
 #endif /* IP_OPTIONS */
diff --git a/sshd.c b/sshd.c
index c4d66e2fc..4b5f89e2a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.315 2005/09/21 23:37:11 djm Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.316 2005/10/30 08:29:29 dtucker Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -1651,7 +1651,12 @@ main(int ac, char **av)
 		debug("get_remote_port failed");
 		cleanup_exit(255);
 	}
-	remote_ip = get_remote_ipaddr();
+
+	/*
+	 * We use get_canonical_hostname with usedns = 0 instead of
+	 * get_remote_ipaddr here so IP options will be checked.
+	 */
+	remote_ip = get_canonical_hostname(0);
 
 #ifdef SSH_AUDIT_EVENTS
 	audit_connection_from(remote_ip, remote_port);
-- 
cgit v1.2.3