Hello community,
here is the log from the commit of package dropbear for openSUSE:Factory checked in at 2015-12-06 07:44:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dropbear (Old)
and /work/SRC/openSUSE:Factory/.dropbear.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dropbear"
Changes:
--------
--- /work/SRC/openSUSE:Factory/dropbear/dropbear.changes 2015-08-21 07:42:16.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.dropbear.new/dropbear.changes 2015-12-06 07:44:04.000000000 +0100
@@ -1,0 +2,29 @@
+Fri Dec 4 15:39:10 UTC 2015 - thardeck@suse.com
+
+- updated to upstream version 2015.71
+ * Fix "bad buf_incrpos" when data is transferred, broke in 2015.69
+ * Fix crash on exit when -p address:port is used, broke in 2015.68
+ * Fix building with only ENABLE_CLI_REMOTETCPFWD given, patch from Konstantin Tokarev
+ * Fix bad configure script test which didn't work with dash shell, patch from Juergen Daubert,
+ broke in 2015.70
+ * Fix server race condition that could cause sessions to hang on exit,
+ https://github.com/robotframework/SSHLibrary/issues/128
+
+-------------------------------------------------------------------
+Thu Nov 26 15:40:52 UTC 2015 - thardeck@suse.com
+
+- updated to upstream version 2015.70
+ * Fix server password authentication on Linux, broke in 2015.69
+ * Fix crash when forwarded TCP connections fail to connect (bug introduced in 2015.68)
+ * Avoid hang on session close when multiple sessions are started, affects Qt Creator
+ Patch from Andrzej Szombierski
+ * Reduce per-channel memory consumption in common case, increase default
+ channel limit from 100 to 1000 which should improve SOCKS forwarding for modern
+ webpages
+ * Handle multiple command line arguments in a single flag, thanks to Guilhem Moulin
+ * Manpage improvements from Guilhem Moulin
+ * Build fixes for Android from Mike Frysinger
+ * Don't display the MOTD when an explicit command is run from Guilhem Moulin
+ * Check curve25519 shared secret isn't zero
+
+-------------------------------------------------------------------
Old:
----
dropbear-2015.68.tar.bz2
dropbear-2015.68.tar.bz2.asc
New:
----
dropbear-2015.71.tar.bz2
dropbear-2015.71.tar.bz2.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ dropbear.spec ++++++
--- /var/tmp/diff_new_pack.nFWLTF/_old 2015-12-06 07:44:05.000000000 +0100
+++ /var/tmp/diff_new_pack.nFWLTF/_new 2015-12-06 07:44:05.000000000 +0100
@@ -21,7 +21,7 @@
%endif
Name: dropbear
-Version: 2015.68
+Version: 2015.71
Release: 0
Summary: A relatively small SSH 2 server and client
License: MIT
++++++ dropbear-2015.68.tar.bz2 -> dropbear-2015.71.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/.hg_archival.txt new/dropbear-2015.71/.hg_archival.txt
--- old/dropbear-2015.68/.hg_archival.txt 2015-08-08 14:35:33.000000000 +0200
+++ new/dropbear-2015.71/.hg_archival.txt 2015-12-03 14:23:59.000000000 +0100
@@ -1,6 +1,6 @@
repo: d7da3b1e15401eb234ec866d5eac992fc4cd5878
-node: 809feaa9408f036734129c77f2b3c7e779d4f099
+node: 9a944a243f08be6b22d32f166a0690eb4872462b
branch: default
-latesttag: DROPBEAR_2015.67
-latesttagdistance: 105
-changessincelatesttag: 125
+latesttag: DROPBEAR_2015.70
+latesttagdistance: 10
+changessincelatesttag: 11
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/.hgsigs new/dropbear-2015.71/.hgsigs
--- old/dropbear-2015.68/.hgsigs 2015-08-08 14:35:33.000000000 +0200
+++ new/dropbear-2015.71/.hgsigs 2015-12-03 14:23:59.000000000 +0100
@@ -14,3 +14,7 @@
caac692b366c153cea0e9cd59aa2d79a7d843d4e 0 iEYEABECAAYFAlPk1mcACgkQjPn4sExkf7wLpgCeOqMYqpkf4lYUuyrn9VYThNpc7PkAn3JOSNgIqkKUcmSy6FstrI8jwJzq
2d421bc0545d1be6d59a4ebfe61606d94b124b0c 0 iEYEABECAAYFAlRJDCQACgkQjPn4sExkf7xUYACcCwVJkYWXJn5x/D5A+qMupy778lEAn0rg1oNiq96YU/4jOPsS5IMItihu
1d2d81b1b7c1b100e9c369e40b9fa5b2d491eea9 0 iEYEABECAAYFAlTKOKUACgkQjPn4sExkf7xWMACfYFozyHiRk5GaocTa5z6Ws1uyB4kAoLubxoxcnM3E7AA9mHAzc3OB5M0Y
+a687f835236c7025b5cb2968fe9c4ebc4a49f0ea 0 iQIcBAABCgAGBQJVxg62AAoJEPSYMBLCC7qsC+EQAKw8YWogrVHhIFct2fx/nqybSPVrhFyKFKHhq7K/lZeVm0MGIWdSyVcQgP+Hs2jWNBWzG4AJ1BtifHWQH6IDh7W5RuwOXu5KobgPW9BsN3EVE9KIR+xe9jCAmFl9rIw0tNpy1q6R0TpYXx/sWlMilxecyEGyr2Ias2Sm19aY2mOEv8PLfh9BLfrJEKtt2NxL7TX8ScPwJXJMmVIQjN9WK4Ptx3tjcGNRivEVR/dftP5sJx2DBJx9avyDqrfloMW7Q7sPgJ88MPruCDxedOkbzH7JdHe3Humr2G4LsI0KPU7pNN6EBDjhJ+SVXuOyAgu5j/C0R+0ggGfjSrjDu8WjHyclFlwwu2MSGuHf111I1qkLtaRY3H1FZO5Y2gbLwBLQ82svA4klcBIxtP5jKAZDTh1jQMYsfKotvZdawOWrPDkNmKoUg2JXLHAtj9Dd0uGIhqfspZY3qlpzxw9uCkljWclUBD097ygotwAb2XdLoAWZ3KdvoPM+k448vIAQ7Q/aqcnm/dLQJr3Le029gpkOKoWKaQTlk0itrRGpgETHAhE2LnmWxYSKp6NYSKMgEONbfDiVNLyDTOlvpPiEb20RsOP64xA4wVDGmPenCURmMYoepQK6oJdtkNtCdth2S49KxPQAC+Dem4YZ7b+5b+cXrK5Nz7elBxZzRQWdjmZ4JDQK
+ef4b26364b0cdda1084751d7de3d76c589e2d9cb 0 iQIcBAABCgAGBQJVxg7BAAoJEESTFJTynGdz9Q4P/A0Kq4H52rQqxq42PoEMFbVQIUfkFzyWjAz8eEGLmP5x5/sdpyxZDEyBSUG55uyNvOPTHE+Sd3t2h2Iieq749qwYgqggXC0P+C0zGzW3hB5Rv6dTUrKN1yCyaWE2tY488RsyVlcAs4vrp1Cum5Gv8/BUVKjzZmkZ1iq/3RyrvbLEiLoMrcLnQ+sUdaYHvfEwxDbzpOEvepg8iDJBitTrfG9xHp9otX6ucahwn1EumFvC5mvUxbiQ9jv76t4FJztjMoB24hPCH9T1FjB8uNsoM+j2Z67r81eJrGgNpJzjX0S3lY/AADZGhfGnfybTM9gFuQayIJuCJqduQibVwYkAAnPi17NmbdwPu0Rdz55oU+ft09XLVm/qkQcD1EP5bxYWnLIEMkkZQnFx7WdMpjKK9oGxZHeFYAKEgPgePCkk4TQ4PxNa+3854H19AUssQlaueGcbDLyPIRiSyqhleXawGfaJi+1jBt0DM7CNbAHAUWUE07VhQzNGWjabdEk4eXKTmDL+mZJFdHGBhyCve8sPmZBYJvM2PRgcXe8fwFh+R7gVj6kFbZJvgM9kG7EeF+4ZMEXG4yKpV/SKfMMeEPBCZjFxZhlJJ0fsZbB1Y/iLw8LXnJ0fa/5xFYv6k+iytfom/rqS4iUD7NWTjcEYHjd4EO4QlPD2Ef/AWOO8YBUBv8kA
+af074dbcb68ff8670b3818e0d66d5dc6f1bd5877 0 iQIcBAABCgAGBQJWVdQfAAoJEPSYMBLCC7qs+n4P/RgZU3GsLFJN7v7Cn6NOdKdfjJBmlbCtK9KwlZZaj8fW4noqnLDcDd6a2xT4mDV3rCE6+QYialGXjNkkNCBwD9Z+gFc8spOtThrpQ54dgWzbgDlYB1y7Hp7DoWoJQIlU6Od9nWBemcSrAviOFNAX8+S6poRdEhrHgMcv2xJoqHjvT7X8gob0RnJcYxW5nLWzDaJV58QnX6QlXg4ClSB6IoCeEawdW6WzXlZ9MGsRycTtx1ool7Uo6Vo2xg48n9TaJqM/lbSsMAjHxO/fdTJMWzTId1fuZxJGFVeJbkhjSwlf7fkVXxrgDxjvIAmFDR8TSTfJo50CD82j5rPcd7KSEpQ12ImBUsntPDgOtt/mJZ3HcFds86OZ7NkPpqoJGVFFQ8yUpe//DNSB2Ovg1FrwhSKOq/9N61BBwk1INVFDp1hMq45PIa9gI9zW/99inGDeSSQlxa4iafEUEjXZTRYuX7mFjnWm5q7r134J7kyWQtN/jNUZ71F0mvhnemufgpNY/I/D7K6qkONpbDZ2nuzkhfoqugzhHYp467UePM0qmLTLdXGPPMukoGorpWeiSb2T25AEKm7N4A9NwPmdAnoFjAibjF9FAuU03sl+pu9MqFb+1ldsqjNfxhcJmoAUR5vy3pED9ailCb/OCBVTHkDPfTEhGU3waO9tPM+5x2rGB5fe
+5bb5976e6902a0c9fba974a880c68c9487ee1e77 0 iQIcBAABCgAGBQJWVyIKAAoJEESTFJTynGdzQosP/0k5bVTerpUKZLjyNuMU8o0eyc7njkX8EyMOyGbtcArKpzO2opSBTRsuCT9Zsk1iiQ1GMTY1quKD7aNr86Hipqo4th/+ZXmLe9mmaCDukKjD0ZYC4dBVUy6RSUAMvdkDP9sZs7CMTO/22a9SqOsKTv3s2NN6XnsBGnmNbvVx5hkAk5hMVNFrjKIaexzI/7bWQIDRo2HQCaWaL06JvWEDSEQd2mynGSXxT/+m4hBnuGg6qxn2pd4XfG0g10tDAFx64HQkWgZqSB+F8z71Cvfjondy1zjJYgtABqNlwCKQJZhRUW2+PblqQnz08TUy83XN2vtisOju4avGcHSaBgBbMvg8Wx4ZtM7sPP9pLrhhOTd5ceERHeTceTJy+iI1SQFvccjrRfs5aJ0zAQX5q6f4bV0zp5SmxkvnZUEkZIoetkM8VrPOYugqx31LtHAWfVT9NM+VkV/rrxLhk6J0giIQvC9MPWxRDileFVDszPiOgTLcxWjOziOLT+xijcj7dtx1b/f2bNCduN5G7i+icjjTlCNtyRPRqhBqn705W7F+xESP2gsscM/1BjQ7TGidU5m1njdkUjbrqm3+Qic6iqkG7SfETHmQB9mHqpJ0hACRPvZlhwB7oimNHllkrlw8UJw9f0SiuLjfERIgVS2EOp+mAia0RU7MlTt19o017M1ffEYL
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/CHANGES new/dropbear-2015.71/CHANGES
--- old/dropbear-2015.68/CHANGES 2015-08-08 14:35:33.000000000 +0200
+++ new/dropbear-2015.71/CHANGES 2015-12-03 14:23:59.000000000 +0100
@@ -1,3 +1,42 @@
+2015.71 - 3 December 2015
+
+- Fix "bad buf_incrpos" when data is transferred, broke in 2015.69
+
+- Fix crash on exit when -p address:port is used, broke in 2015.68
+
+- Fix building with only ENABLE_CLI_REMOTETCPFWD given, patch from Konstantin Tokarev
+
+- Fix bad configure script test which didn't work with dash shell, patch from Juergen Daubert,
+ broke in 2015.70
+
+- Fix server race condition that could cause sessions to hang on exit,
+ https://github.com/robotframework/SSHLibrary/issues/128
+
+2015.70 - 26 November 2015
+
+- Fix server password authentication on Linux, broke in 2015.69
+
+2015.69 - 25 November 2015
+
+- Fix crash when forwarded TCP connections fail to connect (bug introduced in 2015.68)
+
+- Avoid hang on session close when multiple sessions are started, affects Qt Creator
+ Patch from Andrzej Szombierski
+
+- Reduce per-channel memory consumption in common case, increase default
+ channel limit from 100 to 1000 which should improve SOCKS forwarding for modern
+ webpages
+
+- Handle multiple command line arguments in a single flag, thanks to Guilhem Moulin
+
+- Manpage improvements from Guilhem Moulin
+
+- Build fixes for Android from Mike Frysinger
+
+- Don't display the MOTD when an explicit command is run from Guilhem Moulin
+
+- Check curve25519 shared secret isn't zero
+
2015.68 - Saturday 8 August 2015
- Reduce local data copying for improved efficiency. Measured 30%
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/circbuffer.c new/dropbear-2015.71/circbuffer.c
--- old/dropbear-2015.68/circbuffer.c 2015-08-08 14:35:33.000000000 +0200
+++ new/dropbear-2015.71/circbuffer.c 2015-12-03 14:23:59.000000000 +0100
@@ -37,9 +37,8 @@
}
cbuf = (circbuffer*)m_malloc(sizeof(circbuffer));
- if (size > 0) {
- cbuf->data = (unsigned char*)m_malloc(size);
- }
+ /* data is malloced on first write */
+ cbuf->data = NULL;
cbuf->used = 0;
cbuf->readpos = 0;
cbuf->writepos = 0;
@@ -50,8 +49,10 @@
void cbuf_free(circbuffer * cbuf) {
- m_burn(cbuf->data, cbuf->size);
- m_free(cbuf->data);
+ if (cbuf->data) {
+ m_burn(cbuf->data, cbuf->size);
+ m_free(cbuf->data);
+ }
m_free(cbuf);
}
@@ -106,6 +107,11 @@
dropbear_exit("Bad cbuf write");
}
+ if (!cbuf->data) {
+ /* lazy allocation */
+ cbuf->data = (unsigned char*)m_malloc(cbuf->size);
+ }
+
return &cbuf->data[cbuf->writepos];
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/cli-auth.c new/dropbear-2015.71/cli-auth.c
--- old/dropbear-2015.68/cli-auth.c 2015-08-08 14:35:33.000000000 +0200
+++ new/dropbear-2015.71/cli-auth.c 2015-12-03 14:23:59.000000000 +0100
@@ -324,6 +324,7 @@
return DROPBEAR_FAILURE;
}
+#if defined(ENABLE_CLI_PASSWORD_AUTH) || defined(ENABLE_CLI_INTERACT_AUTH)
/* A helper for getpass() that exits if the user cancels. The returned
* password is statically allocated by getpass() */
char* getpass_or_cancel(char* prompt)
@@ -347,3 +348,4 @@
}
return password;
}
+#endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/cli-runopts.c new/dropbear-2015.71/cli-runopts.c
--- old/dropbear-2015.68/cli-runopts.c 2015-08-08 14:35:33.000000000 +0200
+++ new/dropbear-2015.71/cli-runopts.c 2015-12-03 14:23:59.000000000 +0100
@@ -105,25 +105,30 @@
void cli_getopts(int argc, char ** argv) {
unsigned int i, j;
char ** next = 0;
- unsigned int cmdlen;
+ enum {
#ifdef ENABLE_CLI_PUBKEY_AUTH
- int nextiskey = 0; /* A flag if the next argument is a keyfile */
+ OPT_AUTHKEY,
#endif
#ifdef ENABLE_CLI_LOCALTCPFWD
- int nextislocal = 0;
+ OPT_LOCALTCPFWD,
#endif
#ifdef ENABLE_CLI_REMOTETCPFWD
- int nextisremote = 0;
+ OPT_REMOTETCPFWD,
#endif
#ifdef ENABLE_CLI_NETCAT
- int nextisnetcat = 0;
+ OPT_NETCAT,
#endif
+ /* a flag (no arg) if 'next' is NULL, a string-valued option otherwise */
+ OPT_OTHER
+ } opt;
+ unsigned int cmdlen;
char* dummy = NULL; /* Not used for anything real */
char* recv_window_arg = NULL;
char* keepalive_arg = NULL;
char* idle_timeout_arg = NULL;
char *host_arg = NULL;
+ char c;
/* see printhelp() for options */
cli_opts.progname = argv[0];
@@ -172,54 +177,23 @@
fill_own_user();
- /* Iterate all the arguments */
for (i = 1; i < (unsigned int)argc; i++) {
-#ifdef ENABLE_CLI_PUBKEY_AUTH
- if (nextiskey) {
- /* Load a hostkey since the previous argument was "-i" */
- loadidentityfile(argv[i], 1);
- nextiskey = 0;
- continue;
- }
-#endif
-#ifdef ENABLE_CLI_REMOTETCPFWD
- if (nextisremote) {
- TRACE(("nextisremote true"))
- addforward(argv[i], cli_opts.remotefwds);
- nextisremote = 0;
- continue;
- }
-#endif
-#ifdef ENABLE_CLI_LOCALTCPFWD
- if (nextislocal) {
- TRACE(("nextislocal true"))
- addforward(argv[i], cli_opts.localfwds);
- nextislocal = 0;
- continue;
- }
-#endif
-#ifdef ENABLE_CLI_NETCAT
- if (nextisnetcat) {
- TRACE(("nextisnetcat true"))
- add_netcat(argv[i]);
- nextisnetcat = 0;
- continue;
- }
-#endif
- if (next) {
- /* The previous flag set a value to assign */
- *next = argv[i];
- if (*next == NULL) {
- dropbear_exit("Invalid null argument");
+ /* Handle non-flag arguments such as hostname or commands for the remote host */
+ if (argv[i][0] != '-')
+ {
+ if (host_arg == NULL) {
+ host_arg = argv[i];
+ continue;
}
- next = NULL;
- continue;
+ /* Commands to pass to the remote host. No more flag handling,
+ commands are consumed below */
+ break;
}
- if (argv[i][0] == '-') {
- /* A flag *waves* */
-
- switch (argv[i][1]) {
+ /* Begins with '-' */
+ opt = OPT_OTHER;
+ for (j = 1; (c = argv[i][j]) != '\0' && !next && opt == OPT_OTHER; j++) {
+ switch (c) {
case 'y': /* always accept the remote hostkey */
if (cli_opts.always_accept_key) {
/* twice means no checking at all */
@@ -232,12 +206,7 @@
break;
#ifdef ENABLE_CLI_PUBKEY_AUTH
case 'i': /* an identityfile */
- /* Keep scp happy when it changes "-i file" to "-ifile" */
- if (strlen(argv[i]) > 2) {
- loadidentityfile(&argv[i][2], 1);
- } else {
- nextiskey = 1;
- }
+ opt = OPT_AUTHKEY;
break;
#endif
case 't': /* we want a pty */
@@ -257,7 +226,7 @@
break;
#ifdef ENABLE_CLI_LOCALTCPFWD
case 'L':
- nextislocal = 1;
+ opt = OPT_LOCALTCPFWD;
break;
case 'g':
opts.listen_fwd_all = 1;
@@ -265,12 +234,12 @@
#endif
#ifdef ENABLE_CLI_REMOTETCPFWD
case 'R':
- nextisremote = 1;
+ opt = OPT_REMOTETCPFWD;
break;
#endif
#ifdef ENABLE_CLI_NETCAT
case 'B':
- nextisnetcat = 1;
+ opt = OPT_NETCAT;
break;
#endif
#ifdef ENABLE_CLI_PROXYCMD
@@ -336,50 +305,85 @@
case 'b':
next = &dummy;
default:
- fprintf(stderr,
- "WARNING: Ignoring unknown argument '%s'\n", argv[i]);
+ fprintf(stderr,
+ "WARNING: Ignoring unknown option -%c\n", c);
break;
} /* Switch */
-
- /* Now we handle args where they might be "-luser" (no spaces)*/
- if (next && strlen(argv[i]) > 2) {
- *next = &argv[i][2];
- next = NULL;
- }
+ }
- continue; /* next argument */
+ if (!next && opt == OPT_OTHER) /* got a flag */
+ continue;
- } else {
- TRACE(("non-flag arg: '%s'", argv[i]))
+ if (c == '\0') {
+ i++;
+ j = 0;
+ if (!argv[i])
+ dropbear_exit("Missing argument");
+ }
- /* Either the hostname or commands */
+#ifdef ENABLE_CLI_PUBKEY_AUTH
+ if (opt == OPT_AUTHKEY) {
+ TRACE(("opt authkey"))
+ loadidentityfile(&argv[i][j], 1);
+ }
+ else
+#endif
+#ifdef ENABLE_CLI_REMOTETCPFWD
+ if (opt == OPT_REMOTETCPFWD) {
+ TRACE(("opt remotetcpfwd"))
+ addforward(&argv[i][j], cli_opts.remotefwds);
+ }
+ else
+#endif
+#ifdef ENABLE_CLI_LOCALTCPFWD
+ if (opt == OPT_LOCALTCPFWD) {
+ TRACE(("opt localtcpfwd"))
+ addforward(&argv[i][j], cli_opts.localfwds);
+ }
+ else
+#endif
+#ifdef ENABLE_CLI_NETCAT
+ if (opt == OPT_NETCAT) {
+ TRACE(("opt netcat"))
+ add_netcat(&argv[i][j]);
+ }
+ else
+#endif
+ if (next) {
+ /* The previous flag set a value to assign */
+ *next = &argv[i][j];
+ if (*next == NULL)
+ dropbear_exit("Invalid null argument");
+ next = NULL;
+ }
+ }
- if (host_arg == NULL) {
- host_arg = argv[i];
- } else {
+ /* Done with options/flags; now handle the hostname (which may not
+ * start with a hyphen) and optional command */
- /* this is part of the commands to send - after this we
- * don't parse any more options, and flags are sent as the
- * command */
- cmdlen = 0;
- for (j = i; j < (unsigned int)argc; j++) {
- cmdlen += strlen(argv[j]) + 1; /* +1 for spaces */
- }
- /* Allocate the space */
- cli_opts.cmd = (char*)m_malloc(cmdlen);
- cli_opts.cmd[0] = '\0';
-
- /* Append all the bits */
- for (j = i; j < (unsigned int)argc; j++) {
- strlcat(cli_opts.cmd, argv[j], cmdlen);
- strlcat(cli_opts.cmd, " ", cmdlen);
- }
- /* It'll be null-terminated here */
+ if (host_arg == NULL) { /* missing hostname */
+ printhelp();
+ exit(EXIT_FAILURE);
+ }
+ TRACE(("host is: %s", host_arg))
- /* We've eaten all the options and flags */
- break;
- }
+ if (i < (unsigned int)argc) {
+ /* Build the command to send */
+ cmdlen = 0;
+ for (j = i; j < (unsigned int)argc; j++)
+ cmdlen += strlen(argv[j]) + 1; /* +1 for spaces */
+
+ /* Allocate the space */
+ cli_opts.cmd = (char*)m_malloc(cmdlen);
+ cli_opts.cmd[0] = '\0';
+
+ /* Append all the bits */
+ for (j = i; j < (unsigned int)argc; j++) {
+ strlcat(cli_opts.cmd, argv[j], cmdlen);
+ strlcat(cli_opts.cmd, " ", cmdlen);
}
+ /* It'll be null-terminated here */
+ TRACE(("cmd is: %s", cli_opts.cmd))
}
/* And now a few sanity checks and setup */
@@ -388,11 +392,6 @@
parse_ciphers_macs();
#endif
- if (host_arg == NULL) {
- printhelp();
- exit(EXIT_FAILURE);
- }
-
#ifdef ENABLE_CLI_PROXYCMD
if (cli_opts.proxycmd) {
/* To match the common path of m_freeing it */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/common-channel.c new/dropbear-2015.71/common-channel.c
--- old/dropbear-2015.68/common-channel.c 2015-08-08 14:35:33.000000000 +0200
+++ new/dropbear-2015.71/common-channel.c 2015-12-03 14:23:59.000000000 +0100
@@ -42,7 +42,7 @@
static void send_msg_channel_open_confirmation(struct Channel* channel,
unsigned int recvwindow,
unsigned int recvmaxpacket);
-static void writechannel(struct Channel* channel, int fd, circbuffer *cbuf,
+static int writechannel(struct Channel* channel, int fd, circbuffer *cbuf,
const unsigned char *moredata, unsigned int *morelen);
static void send_msg_channel_window_adjust(struct Channel *channel,
unsigned int incr);
@@ -100,15 +100,6 @@
TRACE(("leave chancleanup"))
}
-static void
-chan_initwritebuf(struct Channel *channel)
-{
- dropbear_assert(channel->writebuf->size == 0 && channel->recvwindow == 0);
- cbuf_free(channel->writebuf);
- channel->writebuf = cbuf_new(opts.recv_window);
- channel->recvwindow = opts.recv_window;
-}
-
/* Create a new channel entry, send a reply confirm or failure */
/* If remotechan, transwindow and transmaxpacket are not know (for a new
* outgoing connection, with them to be filled on confirmation), they should
@@ -167,8 +158,8 @@
newchan->await_open = 0;
newchan->flushing = 0;
- newchan->writebuf = cbuf_new(0); /* resized later by chan_initwritebuf */
- newchan->recvwindow = 0;
+ newchan->writebuf = cbuf_new(opts.recv_window);
+ newchan->recvwindow = opts.recv_window;
newchan->extrabuf = NULL; /* The user code can set it up */
newchan->recvdonelen = 0;
@@ -256,7 +247,6 @@
if (ses.channel_signal_pending) {
/* SIGCHLD can change channel state for server sessions */
do_check_close = 1;
- ses.channel_signal_pending = 0;
}
/* handle any channel closing etc */
@@ -378,7 +368,6 @@
{
channel->readfd = channel->writefd = sock;
channel->conn_pending = NULL;
- chan_initwritebuf(channel);
send_msg_channel_open_confirmation(channel, channel->recvwindow,
channel->recvmaxpacket);
TRACE(("leave channel_connect_done: success"))
@@ -435,7 +424,7 @@
}
#ifndef HAVE_WRITEV
-static void writechannel_fallback(struct Channel* channel, int fd, circbuffer *cbuf,
+static int writechannel_fallback(struct Channel* channel, int fd, circbuffer *cbuf,
const unsigned char *UNUSED(moredata), unsigned int *morelen) {
unsigned char *circ_p1, *circ_p2;
@@ -454,16 +443,18 @@
if (errno != EINTR && errno != EAGAIN) {
TRACE(("channel IO write error fd %d %s", fd, strerror(errno)))
close_chan_fd(channel, fd, SHUT_WR);
+ return DROPBEAR_FAILURE;
}
} else {
cbuf_incrread(cbuf, written);
channel->recvdonelen += written;
}
+ return DROPBEAR_SUCCESS;
}
#endif /* !HAVE_WRITEV */
#ifdef HAVE_WRITEV
-static void writechannel_writev(struct Channel* channel, int fd, circbuffer *cbuf,
+static int writechannel_writev(struct Channel* channel, int fd, circbuffer *cbuf,
const unsigned char *moredata, unsigned int *morelen) {
struct iovec iov[3];
@@ -502,7 +493,7 @@
From common_recv_msg_channel_data() then channelio().
The second call may not have any data to write, so we just return. */
TRACE(("leave writechannel, no data"))
- return;
+ return DROPBEAR_SUCCESS;
}
if (morelen) {
@@ -516,6 +507,7 @@
if (errno != EINTR && errno != EAGAIN) {
TRACE(("channel IO write error fd %d %s", fd, strerror(errno)))
close_chan_fd(channel, fd, SHUT_WR);
+ return DROPBEAR_FAILURE;
}
} else {
int cbuf_written = MIN(circ_len1+circ_len2, (unsigned int)written);
@@ -525,20 +517,22 @@
}
channel->recvdonelen += written;
}
-
+ return DROPBEAR_SUCCESS;
}
#endif /* HAVE_WRITEV */
/* Called to write data out to the local side of the channel.
Writes the circular buffer contents and also the "moredata" buffer
- if not null. Will ignore EAGAIN */
-static void writechannel(struct Channel* channel, int fd, circbuffer *cbuf,
+ if not null. Will ignore EAGAIN.
+ Returns DROPBEAR_FAILURE if writing to fd had an error and the channel is being closed, DROPBEAR_SUCCESS otherwise */
+static int writechannel(struct Channel* channel, int fd, circbuffer *cbuf,
const unsigned char *moredata, unsigned int *morelen) {
+ int ret = DROPBEAR_SUCCESS;
TRACE(("enter writechannel fd %d", fd))
#ifdef HAVE_WRITEV
- writechannel_writev(channel, fd, cbuf, moredata, morelen);
+ ret = writechannel_writev(channel, fd, cbuf, moredata, morelen);
#else
- writechannel_fallback(channel, fd, cbuf, moredata, morelen);
+ ret = writechannel_fallback(channel, fd, cbuf, moredata, morelen);
#endif
/* Window adjust handling */
@@ -554,6 +548,7 @@
channel->recvwindow <= cbuf_getavail(channel->extrabuf));
TRACE(("leave writechannel"))
+ return ret;
}
@@ -828,6 +823,7 @@
unsigned int buflen;
unsigned int len;
unsigned int consumed;
+ int res;
TRACE(("enter recv_msg_channel_data"))
@@ -860,7 +856,7 @@
/* Attempt to write the data immediately without having to put it in the circular buffer */
consumed = datalen;
- writechannel(channel, fd, cbuf, buf_getptr(ses.payload, datalen), &consumed);
+ res = writechannel(channel, fd, cbuf, buf_getptr(ses.payload, datalen), &consumed);
datalen -= consumed;
buf_incrpos(ses.payload, consumed);
@@ -868,17 +864,20 @@
/* We may have to run throught twice, if the buffer wraps around. Can't
* just "leave it for next time" like with writechannel, since this
- * is payload data */
- len = datalen;
- while (len > 0) {
- buflen = cbuf_writelen(cbuf);
- buflen = MIN(buflen, len);
-
- memcpy(cbuf_writeptr(cbuf, buflen),
- buf_getptr(ses.payload, buflen), buflen);
- cbuf_incrwrite(cbuf, buflen);
- buf_incrpos(ses.payload, buflen);
- len -= buflen;
+ * is payload data.
+ * If the writechannel() failed then remaining data is discarded */
+ if (res == DROPBEAR_SUCCESS) {
+ len = datalen;
+ while (len > 0) {
+ buflen = cbuf_writelen(cbuf);
+ buflen = MIN(buflen, len);
+
+ memcpy(cbuf_writeptr(cbuf, buflen),
+ buf_getptr(ses.payload, buflen), buflen);
+ cbuf_incrwrite(cbuf, buflen);
+ buf_incrpos(ses.payload, buflen);
+ len -= buflen;
+ }
}
TRACE(("leave recv_msg_channel_data"))
@@ -970,6 +969,7 @@
if (channel == NULL) {
TRACE(("newchannel returned NULL"))
+ errtype = SSH_OPEN_RESOURCE_SHORTAGE;
goto failure;
}
@@ -991,8 +991,6 @@
channel->prio = DROPBEAR_CHANNEL_PRIO_BULK;
}
- chan_initwritebuf(channel);
-
/* success */
send_msg_channel_open_confirmation(channel, channel->recvwindow,
channel->recvmaxpacket);
@@ -1135,7 +1133,6 @@
/* Outbound opened channels don't make use of in-progress connections,
* we can set it up straight away */
- chan_initwritebuf(chan);
/* set fd non-blocking */
setnonblocking(fd);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/common-kex.c new/dropbear-2015.71/common-kex.c
--- old/dropbear-2015.68/common-kex.c 2015-08-08 14:35:33.000000000 +0200
+++ new/dropbear-2015.71/common-kex.c 2015-12-03 14:23:59.000000000 +0100
@@ -760,6 +760,7 @@
unsigned char out[CURVE25519_LEN];
const unsigned char* Q_C = NULL;
const unsigned char* Q_S = NULL;
+ char zeroes[CURVE25519_LEN] = {0};
if (buf_pub_them->len != CURVE25519_LEN)
{
@@ -767,6 +768,11 @@
}
curve25519_donna(out, param->priv, buf_pub_them->data);
+
+ if (constant_time_memcmp(zeroes, out, CURVE25519_LEN) == 0) {
+ dropbear_exit("Bad curve25519");
+ }
+
m_mp_alloc_init_multi(&ses.dh_K, NULL);
bytes_to_mp(ses.dh_K, out, CURVE25519_LEN);
m_burn(out, sizeof(out));
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/common-session.c new/dropbear-2015.71/common-session.c
--- old/dropbear-2015.68/common-session.c 2015-08-08 14:35:33.000000000 +0200
+++ new/dropbear-2015.71/common-session.c 2015-12-03 14:23:59.000000000 +0100
@@ -159,6 +159,17 @@
FD_ZERO(&readfd);
dropbear_assert(ses.payload == NULL);
+ /* We get woken up when signal handlers write to this pipe.
+ SIGCHLD in svr-chansession is the only one currently. */
+ FD_SET(ses.signal_pipe[0], &readfd);
+ ses.channel_signal_pending = 0;
+
+ /* set up for channels which can be read/written */
+ setchannelfds(&readfd, &writefd, writequeue_has_space);
+
+ /* Pending connections to test */
+ set_connect_fds(&writefd);
+
/* We delay reading from the input socket during initial setup until
after we have written out our initial KEXINIT packet (empty writequeue).
This means our initial packet can be in-flight while we're doing a blocking
@@ -170,19 +181,12 @@
&& writequeue_has_space) {
FD_SET(ses.sock_in, &readfd);
}
+
+ /* Ordering is important, this test must occur after any other function
+ might have queued packets (such as connection handlers) */
if (ses.sock_out != -1 && !isempty(&ses.writequeue)) {
FD_SET(ses.sock_out, &writefd);
}
-
- /* We get woken up when signal handlers write to this pipe.
- SIGCHLD in svr-chansession is the only one currently. */
- FD_SET(ses.signal_pipe[0], &readfd);
-
- /* set up for channels which can be read/written */
- setchannelfds(&readfd, &writefd, writequeue_has_space);
-
- /* Pending connections to test */
- set_connect_fds(&writefd);
val = select(ses.maxfd+1, &readfd, &writefd, NULL, &timeout);
@@ -208,7 +212,9 @@
wake up the select() above. */
if (FD_ISSET(ses.signal_pipe[0], &readfd)) {
char x;
+ TRACE(("signal pipe set"))
while (read(ses.signal_pipe[0], &x, 1) > 0) {}
+ ses.channel_signal_pending = 1;
}
/* check for auth timeout, rekeying required etc */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/config.h.in new/dropbear-2015.71/config.h.in
--- old/dropbear-2015.68/config.h.in 2015-08-08 14:35:35.000000000 +0200
+++ new/dropbear-2015.71/config.h.in 2015-12-03 14:24:01.000000000 +0100
@@ -63,6 +63,9 @@
/* Define if gai_strerror() returns const char * */
#undef HAVE_CONST_GAI_STRERROR_PROTO
+/* crypt() function */
+#undef HAVE_CRYPT
+
/* Define to 1 if you have the