When a forwarding specification ending in a slash ('\\') is used, the function "parse_fwd_field" jumps over the '\0' char marking the end of the string and keeps processing.

This patch checks for that condition.

[Attachment: 0001-Fix-buffer-overrun.patch, application/text, 850 bytes, <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150625/b3ac0f28/attachment.bin>]
On 06/25/2015 12:28 PM, Salvador Fandino wrote:
> When a forwarding specification ending in a slash ('\\') is used,
> the function "parse_fwd_field" jumps over the '\0' char marking
> the end of the string and keeps processing.
>
> This patch checks for that condition.

Wait, this is still broken! For instance,

    ssh -R/tmp/foo\\1\\2:localhost:11111 localhost ...

parses as /tmp/foo1\2

A new patch is coming soon.
And now the proper fix (hopefully)!

[Attachment: 0001-Fix-buffer-overrun.patch, application/text, 943 bytes, <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150625/c300be41/attachment.bin>]
On Thu, 25 Jun 2015, Salvador Fandino wrote:> And now the proper fix (hopefully)!Good catch, I think it should return failure in this case though. An escape at the end of the line is bad syntax. diff --git a/readconf.c b/readconf.c index 0d41d78..06d600c 100644 --- a/readconf.c +++ b/readconf.c @@ -1913,7 +1913,8 @@ parse_fwd_field(char **p, struct fwdarg *fwd) switch (*cp) { case '\\': memmove(cp, cp + 1, strlen(cp + 1) + 1); - cp++; + if (*cp == '\0') + return -1; break; case '/': ispath = 1;
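Review bot: dropping the `cp++` after the `memmove` is what fixes the double skip Salvador reported earlier in the thread (`/tmp/foo\\1\\2` collapsing to `/tmp/foo1\2`): after the `memmove`, `cp` already points at the escaped character, so the old `cp++` stepped past it and whatever advanced `cp` again after the `break` then stepped past the following character too, which is why a second backslash there was never unescaped. The new `if (*cp == '\0') return -1;` closes the trailing-escape case before `cp` can be advanced beyond the terminator. Suggest a one-line comment above the `break` stating that the escaped character is deliberately left in place for the enclosing loop to consume, so it is never examined as a `:` delimiter, since that intent is no longer visible in the hunk; the two inputs from this thread (an escape at the very end of the field, and two consecutive escapes) make a compact regression test for both behaviours.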
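To make the two failure modes discussed in this thread concrete, the following is an added stand-alone C model of the escape-stripping loop. It is example code written for this page, not OpenSSH's readconf.c; the function names `unescape_field_prefix` and `unescape_field_fixed`, the `*next` out-parameter and the sample inputs are constructed for the illustration. The pre-fix variant reproduces the double skip on consecutive escapes; the fixed variant follows the shape of the patch above and rejects an escape at the end of the string instead of stepping past the terminator.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not OpenSSH's readconf.c.  Each function strips
 * backslash escapes from one ':'-terminated field in place, stores a
 * pointer to the remainder of the string in *next (NULL when this was the
 * last field) and returns the length of the unescaped field.
 */

/*
 * Pre-fix behaviour: the extra cp++ after the memmove.  Only safe on input
 * whose last character is not a backslash; a trailing backslash makes this
 * version walk past the terminating '\0', which is the overrun reported in
 * the thread.  Kept here to show the double skip on "foo\\1\\2".
 */
static int
unescape_field_prefix(char *s, char **next)
{
	char *cp;

	for (cp = s; *cp != '\0' && *cp != ':'; cp++) {
		if (*cp == '\\') {
			memmove(cp, cp + 1, strlen(cp + 1) + 1);
			cp++;	/* skips the escaped char, and the loop's */
				/* own cp++ then skips the one after it  */
		}
	}
	if (*cp == ':') {
		*cp = '\0';
		*next = cp + 1;
	} else
		*next = NULL;
	return (int)(cp - s);
}

/*
 * Fixed behaviour, following the shape of the readconf.c patch in the
 * thread: reject an escape at the end of the string and let the loop's
 * own increment consume the escaped character.
 */
static int
unescape_field_fixed(char *s, char **next)
{
	char *cp;

	for (cp = s; *cp != '\0' && *cp != ':'; cp++) {
		if (*cp == '\\') {
			/* Drop the backslash; cp now points at the escaped char. */
			memmove(cp, cp + 1, strlen(cp + 1) + 1);
			if (*cp == '\0')
				return -1;	/* escape at end of string: bad syntax */
			/*
			 * No cp++ here: the loop increment moves past the escaped
			 * character, so it is never tested as a ':' delimiter.
			 */
		}
	}
	if (*cp == ':') {
		*cp = '\0';
		*next = cp + 1;
	} else
		*next = NULL;
	return (int)(cp - s);
}

int
main(void)
{
	/* Constructed inputs modelled on the thread's examples. */
	char a[] = "foo\\1\\2:localhost";	/* two consecutive escapes */
	char b[] = "foo\\1\\2:localhost";
	char c[] = "foo\\";			/* escape at end of string */
	char *next;

	unescape_field_prefix(a, &next);
	printf("pre-fix: %s (rest: %s)\n", a, next);	/* foo1\2 */
	unescape_field_fixed(b, &next);
	printf("fixed:   %s (rest: %s)\n", b, next);	/* foo12 */
	printf("trailing escape -> %d\n", unescape_field_fixed(c, &next));	/* -1 */
	return 0;
}
```

Run it and compare the first two lines: the pre-fix loop leaves the second backslash in place, the fixed loop removes both and then refuses the trailing-escape input with -1 rather than reading beyond the buffer.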