Sami.Hartikainen at teleste.com
2014-Sep-18 14:08 UTC
Remote port forwarding in a multiplexed connection: possible "clientspecified" bug
> Now the following mux command (on client with ControlMaster connected
> and running and ControlPath set appropriately):
>
> $ ssh -O forward -R ':0:localhost:3502' <hostaddr>
>
> Port ... (set with an empty bind_address) should be bound to wildcard
> address, not localhost. The same -R option given for ControlMaster (or
> non-multiplexed ssh client) works as expected.

(Answering myself...)

The reason seems to be that the unset bind_address (i.e. NULL) is transformed into an empty string in mux.c:mux_client_forward():

    buffer_put_cstring(&m,
        fwd->listen_host == NULL ? "" : fwd->listen_host);

Separation between an unset and an empty bind_address is now lost; ControlMaster in turn nullifies such an empty listen_addr, resulting in a localhost bind. This happens in mux.c:process_mux_open_fwd():

    if (*listen_addr == '\0') {
        free(listen_addr);
        listen_addr = NULL;
    }

I guess this is done because the Buffer (i.e. the underlying sshbuf) does not differentiate a NULL string from an empty one. And NULL is assumed/preferred here because it's safer.

--
Sami
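The round trip described in the message above, as an added example that is not part of the original post and is not OpenSSH code. It is a simplified model: the function names are hypothetical, 192.0.2.10 is a constructed sample address, and the bind rule (unset means localhost, empty or "*" means wildcard) is taken from the thread. encode_patched() models the mapping proposed in the follow-up message.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenSSH code. All names here are hypothetical. */

/* Client side as described in the post: unset (NULL) is sent as "". */
static const char *encode_old(const char *listen_host)
{
    return listen_host == NULL ? "" : listen_host;
}

/* Client side with the proposed mapping: an explicit "" is sent as "*". */
static const char *encode_patched(const char *listen_host)
{
    if (listen_host == NULL)
        return "";
    return *listen_host == '\0' ? "*" : listen_host;
}

/* Master side: an empty string from the wire is turned back into NULL. */
static const char *decode_master(const char *wire)
{
    return *wire == '\0' ? NULL : wire;
}

/* Bind choice as described in the thread: unset -> localhost,
 * empty or "*" -> wildcard, anything else -> that address. */
static const char *bind_target(const char *listen_host)
{
    if (listen_host == NULL)
        return "localhost";
    if (*listen_host == '\0' || strcmp(listen_host, "*") == 0)
        return "wildcard";
    return listen_host;
}

int main(void)
{
    /* Constructed inputs: unset, empty, explicit wildcard, sample address. */
    const char *cases[] = { NULL, "", "*", "192.0.2.10" };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        const char *h = cases[i];
        printf("%-12s direct=%-10s old-mux=%-10s patched-mux=%s\n",
            h == NULL ? "(unset)" : *h == '\0' ? "(empty)" : h,
            bind_target(h),
            bind_target(decode_master(encode_old(h))),
            bind_target(decode_master(encode_patched(h))));
    }
    return 0;
}
```

Only the "(empty)" row differs between the direct and old-mux columns, which is the case reported in the thread.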
Sami.Hartikainen at teleste.com
2014-Sep-19 08:49 UTC
Remote port forwarding in a multiplexed connection: possible "clientspecified" bug
...and the fix could be something like the patch below: --- mux.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mux.c b/mux.c index 48f7a05..f6ac30c 100644 --- a/mux.c +++ b/mux.c @@ -1689,7 +1689,8 @@ mux_client_forward(int fd, int cancel_flag, u_int ftype, struct Forward *fwd) buffer_put_cstring(&m, fwd->listen_path); } else { buffer_put_cstring(&m, - fwd->listen_host == NULL ? "" : fwd->listen_host); + fwd->listen_host == NULL ? "" : + *fwd->listen_host == '\0' ? "*" : fwd->listen_host); } buffer_put_int(&m, fwd->listen_port); if (fwd->connect_path != NULL) { -- 1.9.1
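Review bot: the rewrite of an empty listen_host to "*" in the else branch of mux_client_forward() is applied regardless of ftype, so it affects every forward type that reaches this branch, not only the remote (-R) case from the report; please confirm that "*" is the intended meaning of an empty bind address for each of them, or make the substitution conditional on ftype. The new nested conditional would also read more safely with parentheses around the inner `*fwd->listen_host == '\0' ? "*" : fwd->listen_host`, and it needs a short comment saying that the wire format cannot carry the difference between an unset and an empty host, which is why "*" is sent in place of "". Without that comment a later cleanup could easily fold the two cases back together.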