search for: packet_get_int

http://bugzilla.mindrot.org/show_bug.cgi?id=1125 Summary: packet_get_int() returns -1 (serverloop.c) Product: Portable OpenSSH Version: 3.7.1p2 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org Repo...

Hi, Just a usecase that I'm sure has been covered before but just in case its not an openssh solution would be very helpful. I was trying to install software on a server that was firewalled so no outbound http connections would work. I was also tunnelling via another server. Outbound ssh connections also were a convenient option. What would have been nice would be a remote version of

...max values have been previously sent from the client to server in a SSH_MSG_KEY_DH_GEX_REQUEST message. The corresponding section of code is in function kexgex_server in kexgexs.c: case SSH2_MSG_KEX_DH_GEX_REQUEST: debug("SSH2_MSG_KEX_DH_GEX_REQUEST received"); min = packet_get_int(); nbits = packet_get_int(); max = packet_get_int(); min = MAX(DH_GRP_MIN, min); max = MIN(DH_GRP_MAX, max); break; The bug is that, if the client sends values of 512 and 8192 for min and max in the SSH_MSG_KEY_DH_GEX_REQUEST message, then the client will e...

...+ want_reply = packet_get_char(); + debug("server received: %.100s request (reply=%d)",rtype, + (int)want_reply); + + if ( strcmp(rtype, "tcpip-forward") == 0 ) { + char *address_to_bind; + int port_to_bind; + address_to_bind = packet_get_string(NULL); + port_to_bind = packet_get_int(); + + /* Check if the client is allowed to forward (this port) */ + if ( allow_remote_forwarding(address_to_bind, port_to_bind) ) { + /* Start listening on the port */ + channel_request_local_forwarding( port_to_bind, address_to_bind, + port_to_bind, 1, 1 ); + /* NOT REA...

...fatal("%s: ssh_packet_set_connection failed", __func__); -} - u_int packet_get_char(void) { diff --git a/opacket.h b/opacket.h index c6e5124..d711468 100755 --- a/opacket.h +++ b/opacket.h @@ -38,7 +38,6 @@ do { \ void packet_close(void); u_int packet_get_char(void); u_int packet_get_int(void); -void packet_set_connection(int, int); int packet_read_seqnr(u_int32_t *); int packet_read_poll_seqnr(u_int32_t *); void packet_process_incoming(const char *buf, u_int len); diff --git a/sshd.c b/sshd.c index 2795a2e..65b96d4 100755 --- a/sshd.c +++ b/sshd.c @@ -1906,9 +1906,12...

...============================= RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v retrieving revision 1.18 diff -u -r1.18 auth2-chall.c --- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18 +++ auth2-chall.c 26 Jun 2002 09:37:03 -0000 @@ -256,6 +256,8 @@ authctxt->postponed = 0; /* reset */ nresp = packet_get_int(); + if (nresp > 100) + fatal("input_userauth_info_response: nresp too big %u", nresp); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++) B: Index: auth2-pam.c =================================================================== RCS...

...============================= RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v retrieving revision 1.18 diff -u -r1.18 auth2-chall.c --- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18 +++ auth2-chall.c 26 Jun 2002 09:37:03 -0000 @@ -256,6 +256,8 @@ authctxt->postponed = 0; /* reset */ nresp = packet_get_int(); + if (nresp > 100) + fatal("input_userauth_info_response: nresp too big %u", nresp); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++) B: Index: auth2-pam.c =================================================================== RCS...

...============================= RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v retrieving revision 1.18 diff -u -r1.18 auth2-chall.c --- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18 +++ auth2-chall.c 26 Jun 2002 09:37:03 -0000 @@ -256,6 +256,8 @@ authctxt->postponed = 0; /* reset */ nresp = packet_get_int(); + if (nresp > 100) + fatal("input_userauth_info_response: nresp too big %u", nresp); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++) B: Index: auth2-pam.c =================================================================== RCS...

...============================= RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v retrieving revision 1.18 diff -u -r1.18 auth2-chall.c --- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18 +++ auth2-chall.c 26 Jun 2002 09:37:03 -0000 @@ -256,6 +256,8 @@ authctxt->postponed = 0; /* reset */ nresp = packet_get_int(); + if (nresp > 100) + fatal("input_userauth_info_response: nresp too big %u", nresp); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++) B: Index: auth2-pam.c =================================================================== RCS...

...+{ + char *rtype; + char want_reply; + int success = 0; + + rtype = packet_get_string(NULL); + want_reply = packet_get_char(); + + if ( strcmp(rtype, "tcpip-forward") == 0 ) { + char *address_to_bind; + int port_to_bind; + + address_to_bind = packet_get_string(NULL); + port_to_bind = packet_get_int(); + + /* Check if the client is allowed to forward (this port) */ + if ( port_to_bind < IPPORT_RESERVED && !user_authenticated_as_root ) { + log("User tries to forward privileged port %d", port_to_bind); + packet_send_debug("Requested forwarding of port %d but user...

...int client_port; /* Client port */ + + unsigned int client_len, connected_len; + + int newch; + int i; + + debug("ssh2 server tries to open forwarded-tcpip channel."); + + /* Get rest of the packet */ + connected_address = packet_get_string(&connected_len); + connected_port = packet_get_int(); + client_address = packet_get_string(&client_len); + client_port = packet_get_int(); + packet_done(); + + /* Check if we have requested this remote forwarding */ + for (i = 0; i<num_permitted_opens; i++) { + if ( permitted_opens[i].listen_port == connected_port ) { + break; + } + } +...

When I encounter the problem with TCP port forwarding locking up, I'll see this on the client window (if I haven't invoked ssh with -q): chan_shutdown_read failed for #1/fd6: Transport endpoint is not connected chan_shutdown_read failed for #1/fd6: Transport endpoint is not connected This is with Blowfish encryption. I have to kill and restart the client when this happens. Phil

...============================= RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v retrieving revision 1.18 diff -u -r1.18 auth2-chall.c --- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18 +++ auth2-chall.c 26 Jun 2002 09:37:03 -0000 @@ -256,6 +256,8 @@ authctxt->postponed = 0; /* reset */ nresp = packet_get_int(); + if (nresp > 100) + fatal("input_userauth_info_response: nresp too big %u", nresp); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++) B: Index: auth2-pam.c =================================================================== RCS...

...============================= RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v retrieving revision 1.18 diff -u -r1.18 auth2-chall.c --- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18 +++ auth2-chall.c 26 Jun 2002 09:37:03 -0000 @@ -256,6 +256,8 @@ authctxt->postponed = 0; /* reset */ nresp = packet_get_int(); + if (nresp > 100) + fatal("input_userauth_info_response: nresp too big %u", nresp); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++) B: Index: auth2-pam.c =================================================================== RCS...

...userauth_info_response_pam: no authentication context"); - if (authctxt->attempt++ >= AUTH_FAIL_MAX) - packet_disconnect("too many failed userauth_requests"); + if (authctxt->failures >= AUTH_FAIL_MAX) + packet_disconnect(AUTH_FAIL_MSG, authctxt->user); nresp = packet_get_int(); /* Number of responses. */ debug("got %d responses", nresp);

Hello I have few questions about openssh... 1/ there is probably bug in auth-password.c in auth_password function if (pw->pw_uid == 0 && options.permit_root_login == 2) return 0; if (*password == '\0' && options.permit_empty_passwd == 0) return 0; /* deny if no user. */ if (pw == NULL) <----------- this should be first checked .... return 0; 2/ do I have

...Tue Feb 26 15:31:26 2002 *************** *** 134,141 **** --- 134,143 ---- unsigned int nresp = 0, rlen = 0, i = 0; char *resp; + /* if (authctxt == NULL) fatal("input_userauth_info_response_pam: no authentication context"); + */ nresp = packet_get_int(); /* Number of responses. */ debug("got %d responses", nresp); _________________________________________________________________ Join the world?s largest e-mail service with MSN Hotmail. http://www.hotmail.com

...pam.c Tue Feb 26 15:31:26 2002 *************** *** 134,141 **** --- 134,143 ---- unsigned int nresp = 0, rlen = 0, i = 0; char *resp; + /* if (authctxt == NULL) fatal("input_userauth_info_response_pam: no authentication context"); + */ nresp = packet_get_int(); /* Number of responses. */ debug("got %d responses", nresp); ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

...ssh/sshd_config.OPIE unix$ tracing reveals they are blocked on a read() to file descriptor 7, which is a unix domain socket according to lsof and this is what gdb has to say (no debug version, sorry): #0 0x0000002a968b1a92 in __read_nocancel () from /lib64/tls/libc.so.6 #1 0x000000552aadea26 in packet_get_int () from /usr/sbin/sshd #2 0x000000552aae3f75 in kex_input_kexinit () from /usr/sbin/sshd #3 0x000000552aacdb60 in kexgex_server () from /usr/sbin/sshd #4 0x0000002a96eb1c27 in converse () from /lib/security/pam_opie.so #5 0x0000002a96eb1d7a in pam_sm_authenticate () from /lib/security/pam_opie....

https://bugzilla.mindrot.org/show_bug.cgi?id=2163 Bug ID: 2163 Summary: unchecked returned value from pam_get_item() Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: minor Priority: P5 Component: PAM support Assignee: unassigned-bugs at