author | Damien Miller <djm@cvs.openbsd.org> | 2020-05-27 22:37:54 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2020-05-27 22:37:54 +0000 |
commit | 8a040f09fe7cce00d1cf98339d7c9bc01bece60e (patch) | |
tree | 545ebc47f485afb86e0cce0a4e6319c2d2425c3e | |
parent | c324a231e451d2ac16f4dd7a211c914a116ddf58 (diff) |
fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen
-rw-r--r-- | usr.bin/ssh/servconf.c | 31 |
1 files changed, 21 insertions, 10 deletions
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 581575a5670..4e5e94a84f8 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.364 2020/05/27 21:59:11 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.365 2020/05/27 22:37:53 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -512,6 +512,7 @@ typedef enum {
 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
 #define SSHCFG_NEVERMATCH 0x04 /* Match never matches; internal only */
+#define SSHCFG_MATCH_ONLY 0x08 /* Match only in conditional blocks; internal only */
 /* Textual representation of the tokens. */
 static struct {
@@ -1198,7 +1199,7 @@ static const struct multistate multistate_tcpfwd[] = {
 static int
 process_server_config_line_depth(ServerOptions *options, char *line,
 const char *filename, int linenum, int *activep,
- struct connection_info *connectinfo, int inc_flags, int depth,
+ struct connection_info *connectinfo, int *inc_flags, int depth,
 struct include_list *includes)
 {
 char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
@@ -1935,7 +1936,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 parse_server_config_depth(options, item->filename, item->contents, includes, connectinfo,
- (oactive ? 0 : SSHCFG_NEVERMATCH),
+ (*inc_flags & SSHCFG_MATCH_ONLY ? SSHCFG_MATCH_ONLY : (oactive ? 0 : SSHCFG_NEVERMATCH)),
 activep, depth + 1);
 }
 found = 1;
@@ -1983,7 +1986,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 parse_server_config_depth(options, item->filename, item->contents, includes, connectinfo,
- (oactive ? 0 : SSHCFG_NEVERMATCH),
+ (*inc_flags & SSHCFG_MATCH_ONLY ? SSHCFG_MATCH_ONLY : (oactive ? 0 : SSHCFG_NEVERMATCH)),
 activep, depth + 1);
 *activep = oactive;
 TAILQ_INSERT_TAIL(includes, item, entry);
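Review bot: The new `SSHCFG_MATCH_ONLY` definition carries only the terse `/* Match only in conditional blocks; internal only */`, which does not say when the flag is set or cleared, while the rest of this commit shows it is set by parse_server_config when connection info is present, handed down into both Include paths, and cleared at the first Match directive. Suggest expanding it to something like `/* set while re-parsing with connection info, until the first Match is seen; lets Match blocks inside earlier Includes still be evaluated; internal only */`, kept to one or two lines to fit the adjacent defines. The two include call sites now repeat the same three-line flag expression; computing it once into a local before the branch, or in a small static helper, would keep the two paths from drifting apart. The signature hunk and both include hunks are fragments of process_server_config_line_depth, whose body lies outside this diff.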
@@ -2001,11 +2006,14 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 if (cmdline)
 fatal("Match directive not supported as a command-line " "option");
- value = match_cfg_line(&cp, linenum, connectinfo);
+ value = match_cfg_line(&cp, linenum, (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
 if (value < 0)
 fatal("%s line %d: Bad Match condition", filename, linenum);
- *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
+ *activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
+ /* The MATCH_ONLY is applicable only until the first match block */
+ *inc_flags &= ~SSHCFG_MATCH_ONLY;
 break;
 case sPermitListen:
@@ -2304,8 +2312,10 @@ process_server_config_line(ServerOptions *options, char *line,
 const char *filename, int linenum, int *activep,
 struct connection_info *connectinfo, struct include_list *includes)
 {
+ int inc_flags = 0;
+
 return process_server_config_line_depth(options, line, filename,
- linenum, activep, connectinfo, 0, 0, includes);
+ linenum, activep, connectinfo, &inc_flags, 0, includes);
 }
@@ -2510,14 +2520,15 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
 if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
 fatal("Too many recursive configuration includes");
- debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf));
+ debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf), (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
 if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
 fatal("%s: sshbuf_dup_string failed", __func__);
 linenum = 1;
 while ((cp = strsep(&cbuf, "\n")) != NULL) {
 if (process_server_config_line_depth(options, cp,
- filename, linenum++, activep, connectinfo, flags,
+ filename, linenum++, activep, connectinfo, &flags,
 depth, includes) != 0)
 bad_options++;
 }
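Review bot: In the Match hunk the comment `/* The MATCH_ONLY is applicable only until the first match block */` says what the next line does but not why, and the NULL connectinfo now passed to match_cfg_line under SSHCFG_NEVERMATCH also deserves a word, since the reader has to know (match_cfg_line is not in this diff, so presumably) that a NULL connectinfo makes it check syntax without evaluating. Suggest `/* Under NEVERMATCH only validate the Match syntax; never evaluate it. */` above the match_cfg_line call, and in place of the existing comment `/* MATCH_ONLY covers only the directives and Includes before the first Match; from here on *activep decides what applies. */`. Note that clearing the bit through *inc_flags affects the caller's flags for the remaining lines of the current file only, because each Include receives the flags by value through parse_server_config_depth; if that asymmetry is intended it is worth stating next to the clear. process_server_config_line_depth continues outside the hunk.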
@@ -2534,7 +2545,7 @@ parse_server_config(ServerOptions *options, const char *filename,
 {
 int active = connectinfo ? 0 : 1;
 parse_server_config_depth(options, filename, conf, includes,
- connectinfo, 0, &active, 0);
+ connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
 process_queued_listen_addrs(options);
 } |
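Review bot: The new argument `(connectinfo ? SSHCFG_MATCH_ONLY : 0)` carries the whole fix in an unexplained conditional at the call site, so a later reader will not see why the per-connection re-parse needs a different flag from the startup parse. Suggest a short comment above the call, e.g. `/* With connection info only Match blocks apply (active starts at 0), but Includes before the first Match may still hold Match blocks, so parse them as MATCH_ONLY rather than NEVERMATCH. */`. The existing `int active = connectinfo ? 0 : 1;` already keys the same decision off connectinfo, so the comment can point at that line to tie the two together. parse_server_config's parameter list begins before this hunk.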