| diff -up openssh/sshd.c.ip-opts openssh/sshd.c |
| |
| |
| @@ -1507,12 +1507,29 @@ check_ip_options(struct ssh *ssh) |
| |
| if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts, |
| &option_size) >= 0 && option_size != 0) { |
| - text[0] = '\0'; |
| - for (i = 0; i < option_size; i++) |
| - snprintf(text + i*3, sizeof(text) - i*3, |
| - " %2.2x", opts[i]); |
| - fatal("Connection from %.100s port %d with IP opts: %.800s", |
| - ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text); |
| + i = 0; |
| + do { |
| + switch (opts[i]) { |
| + case 0: |
| + case 1: |
| + ++i; |
| + break; |
| + case 130: |
| + case 133: |
| + case 134: |
| + i += opts[i + 1]; |
| + break; |
| + default: |
| + /* Fail, fatally, if we detect either loose or strict |
| + * source routing options. */ |
| + text[0] = '\0'; |
| + for (i = 0; i < option_size; i++) |
| + snprintf(text + i*3, sizeof(text) - i*3, |
| + " %2.2x", opts[i]); |
| + fatal("Connection from %.100s port %d with IP options:%.800s", |
| + ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text); |
| + } |
| + } while (i < option_size); |
| } |
| return; |
| #endif /* IP_OPTIONS */ |