If someone creates a reverse TCP forwarding channel by SSHing into an OpenWrt dropbear server, bad things happen.
The dropbear process crashes as soon as a connection arrives on the bound port. Even worse, a reverse TCP forwarding connection cannot be created at all if GatewayPorts is set to 1 in /etc/config/dropbear.
Surely there are bugs in dropbear.
Using gdb to find out where the bugs are is not an easy job, as there is not enough space left on my router, but eventually I beat it.
This is the patch:
--- dropbear_1/svr-tcpfwd.c 2011-03-02 21:23:36.000000000 +0800 +++ dropbear-0.53.1/svr-tcpfwd.c 2011-08-11 01:45:17.000000000 +0800 @@ -211,7 +211,7 @@ tcpinfo->tcp_type = forwarded; if (!opts.listen_fwd_all - || (strcmp(tcpinfo->listenaddr, "localhost") == 0) ) { + || (strcmp(bindaddr, "localhost") == 0) ) { // NULL means "localhost only" tcpinfo->listenaddr = NULL; } @@ -221,6 +221,7 @@ } ret = listen_tcpfwd(tcpinfo); + tcpinfo->listenaddr = NULL; out: if (ret == DROPBEAR_FAILURE) { diff -ur dropbear_1/tcp-accept.c dropbear-0.53.1/tcp-accept.c --- dropbear_1/tcp-accept.c 2011-03-02 21:23:36.000000000 +0800 +++ dropbear-0.53.1/tcp-accept.c 2011-08-11 01:45:37.000000000 +0800 @@ -80,6 +80,7 @@ addr = tcpinfo->listenaddr; port = tcpinfo->listenport; } + if (!addr) addr = ""; buf_putstring(ses.writepayload, addr, strlen(addr)); buf_putint(ses.writepayload, port); |
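Review bot: the comparison replaced in svr-tcpfwd.c read tcpinfo->listenaddr before anything in that function had assigned it, so comparing bindaddr (the string just parsed from the client's request) is the right value to test; the hunk only shows the branch that sets listenaddr to NULL for "localhost only", so please confirm that the else path assigns `tcpinfo->listenaddr = bindaddr`, otherwise listen_tcpfwd() still receives an unset address for non-localhost binds. A one-line comment above the if, e.g. `/* compare the requested bind address; listenaddr is not set yet */`, would stop the next reader from reintroducing the typo.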
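Review bot: the added `tcpinfo->listenaddr = NULL;` runs unconditionally after listen_tcpfwd(), including on the DROPBEAR_FAILURE path at `out:`, so if the cleanup there is what frees listenaddr, the string now leaks on failure; on success the listener's tcpinfo no longer records the address it is bound to, which is why the tcp-accept.c hunk has to substitute "" in the channel-open message. Nulling the pointer here hides the double free rather than fixing it; prefer locating the second free() of this field and removing it, or null the field only at the point where ownership of the string passes to the listener, with a comment stating who owns it.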
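Review bot: the `if (!addr) addr = "";` guard in tcp-accept.c is needed independently of the other two changes, because the svr-tcpfwd.c context lines already set listenaddr to NULL to mean "localhost only" and this code then handed it to strlen(), which matches the crash on connect described in the post; however, it reports an empty address to the client instead of the address the client asked to bind. Consider keeping the requested address around so it can be reported here, and add a comment at the guard explaining that NULL is the localhost-only marker, not an error.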
There are three modifications.
1st. tcpinfo->listenaddr is used before it is initialized. This might be a typo; use bindaddr, obviously.
2nd. To avoid a double free, set tcpinfo->listenaddr to NULL after use, since there is code like free(tcpinfo->listenaddr) elsewhere. This may have no effect, but it does no harm.
3rd. Protect against a NULL string in tcp-accept.c.
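To make the three fixes concrete outside of the dropbear tree, here is an added example that models the same flow in a small self-contained program. It is not dropbear's code: the struct, the function names (fwd_listener_create, fwd_listener_destroy, fwd_put_open_fields, fwd_example) and the on-the-wire layout are hypothetical, chosen only to mirror the fields the patch touches. It decides the bind address from the parsed request string rather than an uninitialized field, gives the address a single owner that nulls the pointer after freeing it so a repeated free cannot become a double free, and encodes a NULL "localhost only" address as the empty string instead of passing it to strlen().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the listener record the post's patch touches.
   Field names mirror the patch, but this is not dropbear's struct. */
struct fwd_listener {
    char *listenaddr;        /* NULL means "localhost only", as in the patch */
    unsigned int listenport;
};

/* Decide the bind address from the string the client actually sent.
   Compares bindaddr, the value just parsed, never the not-yet-assigned
   listenaddr field that the unpatched code compared (the 1st fix). */
struct fwd_listener *fwd_listener_create(const char *bindaddr,
                                         unsigned int port, int listen_fwd_all)
{
    struct fwd_listener *l = calloc(1, sizeof *l);
    if (l == NULL)
        return NULL;
    l->listenport = port;
    if (!listen_fwd_all || strcmp(bindaddr, "localhost") == 0) {
        l->listenaddr = NULL;                 /* localhost only */
    } else {
        size_t n = strlen(bindaddr) + 1;
        l->listenaddr = malloc(n);            /* the listener owns this copy */
        if (l->listenaddr == NULL) {
            free(l);
            return NULL;
        }
        memcpy(l->listenaddr, bindaddr, n);
    }
    return l;
}

/* Exactly one owner frees the address, and the pointer is nulled right
   after, so a second free() of the same field is a no-op rather than the
   double free the 2nd fix works around. */
void fwd_listener_destroy(struct fwd_listener *l)
{
    if (l == NULL)
        return;
    free(l->listenaddr);
    l->listenaddr = NULL;
    free(l);
}

static void put_u32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24);
    p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);
    p[3] = (unsigned char)v;
}

/* Encode "address, port" the way tcp-accept.c does: a length-prefixed
   string followed by a 32-bit port. A NULL address becomes the empty
   string instead of reaching strlen() (the 3rd fix). Returns bytes
   written, or -1 if the buffer is too small. */
int fwd_put_open_fields(const struct fwd_listener *l,
                        unsigned char *out, size_t outlen)
{
    const char *addr = l->listenaddr ? l->listenaddr : "";
    size_t alen = strlen(addr);
    size_t need = 4 + alen + 4;
    if (need > outlen)
        return -1;
    put_u32(out, (uint32_t)alen);
    memcpy(out + 4, addr, alen);
    put_u32(out + 4 + alen, l->listenport);
    return (int)need;
}

/* Whole flow for one request: create, encode, destroy. Returns the encoded
   length (8 for a localhost-only listener, 8 + strlen(addr) otherwise),
   or -1 on allocation failure. */
int fwd_example(const char *bindaddr, unsigned int port, int listen_fwd_all)
{
    unsigned char buf[64];
    struct fwd_listener *l = fwd_listener_create(bindaddr, port, listen_fwd_all);
    if (l == NULL)
        return -1;
    int n = fwd_put_open_fields(l, buf, sizeof buf);
    fwd_listener_destroy(l);
    return n;
}

int main(void)
{
    /* listen_fwd_all stands in for GatewayPorts=1 */
    printf("localhost, GatewayPorts on : %d bytes\n", fwd_example("localhost", 8080, 1));
    printf("0.0.0.0,   GatewayPorts on : %d bytes\n", fwd_example("0.0.0.0", 8080, 1));
    printf("0.0.0.0,   GatewayPorts off: %d bytes\n", fwd_example("0.0.0.0", 8080, 0));
    return 0;
}
```

The point of the model is the ownership rule: the string is copied once into the listener, freed once by fwd_listener_destroy, and never referenced through a stale pointer afterwards, so the NULL assignment the patch adds after listen_tcpfwd() is not needed to stay safe.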