Mercurial > dropbear
comparison svr-x11fwd.c @ 1256:506f7681d0f8 coverity
merge up to date
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Tue, 15 Mar 2016 22:45:43 +0800 |
parents | 428d83f2e5db |
children | 3a383aaeb487 |
comparison
equal
deleted
inserted
replaced
1219:84cf9062718d | 1256:506f7681d0f8 |
---|---|
40 | 40 |
41 static void x11accept(struct Listener* listener, int sock); | 41 static void x11accept(struct Listener* listener, int sock); |
42 static int bindport(int fd); | 42 static int bindport(int fd); |
43 static int send_msg_channel_open_x11(int fd, struct sockaddr_in* addr); | 43 static int send_msg_channel_open_x11(int fd, struct sockaddr_in* addr); |
44 | 44 |
45 /* Check untrusted xauth strings for metacharacters */ | |
46 /* Returns DROPBEAR_SUCCESS/DROPBEAR_FAILURE */ | |
47 static int | |
48 xauth_valid_string(const char *s) | |
49 { | |
50 size_t i; | |
51 | |
52 for (i = 0; s[i] != '\0'; i++) { | |
53 if (!isalnum(s[i]) && | |
54 s[i] != '.' && s[i] != ':' && s[i] != '/' && | |
55 s[i] != '-' && s[i] != '_') { | |
56 return DROPBEAR_FAILURE; | |
57 } | |
58 } | |
59 return DROPBEAR_SUCCESS; | |
60 } | |
61 | |
62 | |
45 /* called as a request for a session channel, sets up listening X11 */ | 63 /* called as a request for a session channel, sets up listening X11 */ |
46 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ | 64 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ |
47 int x11req(struct ChanSess * chansess) { | 65 int x11req(struct ChanSess * chansess) { |
48 | 66 |
49 int fd; | 67 int fd = -1; |
50 | 68 |
51 if (!svr_pubkey_allows_x11fwd()) { | 69 if (!svr_pubkey_allows_x11fwd()) { |
52 return DROPBEAR_FAILURE; | 70 return DROPBEAR_FAILURE; |
53 } | 71 } |
54 | 72 |
60 chansess->x11singleconn = buf_getbool(ses.payload); | 78 chansess->x11singleconn = buf_getbool(ses.payload); |
61 chansess->x11authprot = buf_getstring(ses.payload, NULL); | 79 chansess->x11authprot = buf_getstring(ses.payload, NULL); |
62 chansess->x11authcookie = buf_getstring(ses.payload, NULL); | 80 chansess->x11authcookie = buf_getstring(ses.payload, NULL); |
63 chansess->x11screennum = buf_getint(ses.payload); | 81 chansess->x11screennum = buf_getint(ses.payload); |
64 | 82 |
83 if (xauth_valid_string(chansess->x11authprot) == DROPBEAR_FAILURE || | |
84 xauth_valid_string(chansess->x11authcookie) == DROPBEAR_FAILURE) { | |
85 dropbear_log(LOG_WARNING, "Bad xauth request"); | |
86 goto fail; | |
87 } | |
65 /* create listening socket */ | 88 /* create listening socket */ |
66 fd = socket(PF_INET, SOCK_STREAM, 0); | 89 fd = socket(PF_INET, SOCK_STREAM, 0); |
67 if (fd < 0) { | 90 if (fd < 0) { |
68 goto fail; | 91 goto fail; |
69 } | 92 } |
140 if (chansess->x11listener == NULL) { | 163 if (chansess->x11listener == NULL) { |
141 return; | 164 return; |
142 } | 165 } |
143 | 166 |
144 /* create the DISPLAY string */ | 167 /* create the DISPLAY string */ |
145 val = snprintf(display, sizeof(display), "localhost:%d.%d", | 168 val = snprintf(display, sizeof(display), "localhost:%d.%u", |
146 chansess->x11port - X11BASEPORT, chansess->x11screennum); | 169 chansess->x11port - X11BASEPORT, chansess->x11screennum); |
147 if (val < 0 || val >= (int)sizeof(display)) { | 170 if (val < 0 || val >= (int)sizeof(display)) { |
148 /* string was truncated */ | 171 /* string was truncated */ |
149 return; | 172 return; |
150 } | 173 } |
151 | 174 |
152 addnewvar("DISPLAY", display); | 175 addnewvar("DISPLAY", display); |
153 | 176 |
154 /* create the xauth string */ | 177 /* create the xauth string */ |
155 val = snprintf(display, sizeof(display), "unix:%d.%d", | 178 val = snprintf(display, sizeof(display), "unix:%d.%u", |
156 chansess->x11port - X11BASEPORT, chansess->x11screennum); | 179 chansess->x11port - X11BASEPORT, chansess->x11screennum); |
157 if (val < 0 || val >= (int)sizeof(display)) { | 180 if (val < 0 || val >= (int)sizeof(display)) { |
158 /* string was truncated */ | 181 /* string was truncated */ |
159 return; | 182 return; |
160 } | 183 } |
161 | 184 |
162 /* popen is a nice function - code is strongly based on OpenSSH's */ | 185 /* code is strongly based on OpenSSH's */ |
163 authprog = popen(XAUTH_COMMAND, "w"); | 186 authprog = popen(XAUTH_COMMAND, "w"); |
164 if (authprog) { | 187 if (authprog) { |
165 fprintf(authprog, "add %s %s %s\n", | 188 fprintf(authprog, "add %s %s %s\n", |
166 display, chansess->x11authprot, chansess->x11authcookie); | 189 display, chansess->x11authprot, chansess->x11authcookie); |
167 pclose(authprog); | 190 pclose(authprog); |