comparison svr-x11fwd.c @ 1256:506f7681d0f8 coverity

merge up to date
author Matt Johnston <matt@ucc.asn.au>
date Tue, 15 Mar 2016 22:45:43 +0800
parents 428d83f2e5db
children 3a383aaeb487
comparison
equal deleted inserted replaced
1219:84cf9062718d 1256:506f7681d0f8
40 40
41 static void x11accept(struct Listener* listener, int sock); 41 static void x11accept(struct Listener* listener, int sock);
42 static int bindport(int fd); 42 static int bindport(int fd);
43 static int send_msg_channel_open_x11(int fd, struct sockaddr_in* addr); 43 static int send_msg_channel_open_x11(int fd, struct sockaddr_in* addr);
44 44
45 /* Check untrusted xauth strings for metacharacters */
46 /* Returns DROPBEAR_SUCCESS/DROPBEAR_FAILURE */
47 static int
48 xauth_valid_string(const char *s)
49 {
50 size_t i;
51
52 for (i = 0; s[i] != '\0'; i++) {
53 if (!isalnum(s[i]) &&
54 s[i] != '.' && s[i] != ':' && s[i] != '/' &&
55 s[i] != '-' && s[i] != '_') {
56 return DROPBEAR_FAILURE;
57 }
58 }
59 return DROPBEAR_SUCCESS;
60 }
61
62
45 /* called as a request for a session channel, sets up listening X11 */ 63 /* called as a request for a session channel, sets up listening X11 */
46 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ 64 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
47 int x11req(struct ChanSess * chansess) { 65 int x11req(struct ChanSess * chansess) {
48 66
49 int fd; 67 int fd = -1;
50 68
51 if (!svr_pubkey_allows_x11fwd()) { 69 if (!svr_pubkey_allows_x11fwd()) {
52 return DROPBEAR_FAILURE; 70 return DROPBEAR_FAILURE;
53 } 71 }
54 72
60 chansess->x11singleconn = buf_getbool(ses.payload); 78 chansess->x11singleconn = buf_getbool(ses.payload);
61 chansess->x11authprot = buf_getstring(ses.payload, NULL); 79 chansess->x11authprot = buf_getstring(ses.payload, NULL);
62 chansess->x11authcookie = buf_getstring(ses.payload, NULL); 80 chansess->x11authcookie = buf_getstring(ses.payload, NULL);
63 chansess->x11screennum = buf_getint(ses.payload); 81 chansess->x11screennum = buf_getint(ses.payload);
64 82
83 if (xauth_valid_string(chansess->x11authprot) == DROPBEAR_FAILURE ||
84 xauth_valid_string(chansess->x11authcookie) == DROPBEAR_FAILURE) {
85 dropbear_log(LOG_WARNING, "Bad xauth request");
86 goto fail;
87 }
65 /* create listening socket */ 88 /* create listening socket */
66 fd = socket(PF_INET, SOCK_STREAM, 0); 89 fd = socket(PF_INET, SOCK_STREAM, 0);
67 if (fd < 0) { 90 if (fd < 0) {
68 goto fail; 91 goto fail;
69 } 92 }
140 if (chansess->x11listener == NULL) { 163 if (chansess->x11listener == NULL) {
141 return; 164 return;
142 } 165 }
143 166
144 /* create the DISPLAY string */ 167 /* create the DISPLAY string */
145 val = snprintf(display, sizeof(display), "localhost:%d.%d", 168 val = snprintf(display, sizeof(display), "localhost:%d.%u",
146 chansess->x11port - X11BASEPORT, chansess->x11screennum); 169 chansess->x11port - X11BASEPORT, chansess->x11screennum);
147 if (val < 0 || val >= (int)sizeof(display)) { 170 if (val < 0 || val >= (int)sizeof(display)) {
148 /* string was truncated */ 171 /* string was truncated */
149 return; 172 return;
150 } 173 }
151 174
152 addnewvar("DISPLAY", display); 175 addnewvar("DISPLAY", display);
153 176
154 /* create the xauth string */ 177 /* create the xauth string */
155 val = snprintf(display, sizeof(display), "unix:%d.%d", 178 val = snprintf(display, sizeof(display), "unix:%d.%u",
156 chansess->x11port - X11BASEPORT, chansess->x11screennum); 179 chansess->x11port - X11BASEPORT, chansess->x11screennum);
157 if (val < 0 || val >= (int)sizeof(display)) { 180 if (val < 0 || val >= (int)sizeof(display)) {
158 /* string was truncated */ 181 /* string was truncated */
159 return; 182 return;
160 } 183 }
161 184
162 /* popen is a nice function - code is strongly based on OpenSSH's */ 185 /* code is strongly based on OpenSSH's */
163 authprog = popen(XAUTH_COMMAND, "w"); 186 authprog = popen(XAUTH_COMMAND, "w");
164 if (authprog) { 187 if (authprog) {
165 fprintf(authprog, "add %s %s %s\n", 188 fprintf(authprog, "add %s %s %s\n",
166 display, chansess->x11authprot, chansess->x11authcookie); 189 display, chansess->x11authprot, chansess->x11authcookie);
167 pclose(authprog); 190 pclose(authprog);