OpenWrt dropbear bug with reverse TCP forwarding.
If someone creates a reverse TCP forwarding channel by ssh-ing into an OpenWrt dropbear server, bad things happen.
The dropbear process crashes as soon as a connection arrives on the bound port. Even worse, a reverse TCP forwarding channel cannot be created at all if GatewayPorts is set to 1 in /etc/config/dropbear.
Clearly there are bugs in dropbear.
Using gdb to find out where the bugs are is not an easy job, as there is not enough space left on my router, but eventually I beat it.
This is the patch:
--- dropbear_1/svr-tcpfwd.c 2011-03-02 21:23:36.000000000 +0800 +++ dropbear-0.53.1/svr-tcpfwd.c 2011-08-11 01:45:17.000000000 +0800 @@ -211,7 +211,7 @@ tcpinfo->tcp_type = forwarded; if (!opts.listen_fwd_all - || (strcmp(tcpinfo->listenaddr, "localhost") == 0) ) { + || (strcmp(bindaddr, "localhost") == 0) ) { // NULL means "localhost only" tcpinfo->listenaddr = NULL; } @@ -221,6 +221,7 @@ } ret = listen_tcpfwd(tcpinfo); + tcpinfo->listenaddr = NULL; out: if (ret == DROPBEAR_FAILURE) { diff -ur dropbear_1/tcp-accept.c dropbear-0.53.1/tcp-accept.c --- dropbear_1/tcp-accept.c 2011-03-02 21:23:36.000000000 +0800 +++ dropbear-0.53.1/tcp-accept.c 2011-08-11 01:45:37.000000000 +0800 @@ -80,6 +80,7 @@ addr = tcpinfo->listenaddr; port = tcpinfo->listenport; } + if (!addr) addr = ""; buf_putstring(ses.writepayload, addr, strlen(addr)); buf_putint(ses.writepayload, port);
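Review bot: in the first svr-tcpfwd.c hunk the replacement compare `strcmp(bindaddr, "localhost")` still assumes bindaddr is non-NULL and NUL-terminated, and nothing in the hunk shows where bindaddr was parsed; if it comes straight from the client's tcpip-forward request, that parse has to guarantee it before this line, otherwise the crash only moves earlier. The commit message should also say why the old test was wrong: tcpinfo->listenaddr is not assigned until the `tcpinfo->listenaddr = NULL;` inside this very branch, so the old strcmp read an uninitialised field.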
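Review bot: in the second svr-tcpfwd.c hunk the added `tcpinfo->listenaddr = NULL;` after `ret = listen_tcpfwd(tcpinfo);` is unconditional, so on the failure path (`if (ret == DROPBEAR_FAILURE)`) the pointer is dropped before anyone could free it; if listenaddr is heap-allocated and listen_tcpfwd only takes ownership on success, this trades a double free for a leak. Clear it only when ownership actually transferred, or add a comment stating which side owns the string once listen_tcpfwd returns.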
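Review bot: in the tcp-accept.c hunk `if (!addr) addr = "";` does stop strlen(NULL), but it then sends an empty address in the forwarded-tcpip channel open, while the svr-tcpfwd.c hunk's own comment defines a NULL listenaddr as "localhost only"; reporting "localhost" here would keep the two meanings consistent for the client. Minor style point: the surrounding code uses braced blocks, so `if (!addr) { addr = ""; }` would match.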
There are three modifications.
1st. tcpinfo->listenaddr is used before it is initialised; this is probably a typo. Use bindaddr, obviously.
2nd. To avoid a double free, set tcpinfo->listenaddr to NULL after use, as there is code like free(tcpinfo->listenaddr) elsewhere. This may have no effect, but it does no harm.
3rd. Guard against a NULL address string in tcp-accept.c.
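The three fixes above boil down to two decisions: which address to bind for a remote forward, and which address string to report in the forwarded-tcpip channel open when the stored pointer is NULL. The following is an added example, not dropbear code: a small hypothetical model (struct fwd_request, fwd_bind_addr, fwd_report_addr, fwd_request_free are assumed names) that makes the single-owner and NULL-handling rules explicit so that neither strlen(NULL) nor a double free is reachable.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of the forwarding request; NULL listenaddr means
 * "localhost only", as in the dropbear comment in the patch. */
struct fwd_request {
    char *listenaddr;          /* owned by this struct; NULL = loopback only */
    unsigned int listenport;
};

/* Pick the bind address from the client's request (bindaddr, must be
 * non-NULL) and the GatewayPorts setting (listen_fwd_all); -1 on OOM. */
int fwd_bind_addr(struct fwd_request *req, const char *bindaddr, int listen_fwd_all)
{
    free(req->listenaddr);              /* release any previous value first */
    req->listenaddr = NULL;             /* NULL means "localhost only" */
    if (!listen_fwd_all || strcmp(bindaddr, "localhost") == 0)
        return 0;
    req->listenaddr = strdup(bindaddr); /* one owner: the struct */
    return req->listenaddr ? 0 : -1;
}

/* Address string for the forwarded-tcpip channel open.  Never hands NULL to
 * strlen(); reports "localhost" for the loopback-only case instead of "". */
const char *fwd_report_addr(const struct fwd_request *req)
{
    return req->listenaddr ? req->listenaddr : "localhost";
}
/* Free exactly once; clearing the pointer makes a second call harmless. */
void fwd_request_free(struct fwd_request *req)
{
    free(req->listenaddr);
    req->listenaddr = NULL;
}

/* Walks the cases the post describes; returns 1 if all behave as intended. */
int fwd_selftest(void)
{
    struct fwd_request r = { NULL, 8080 };
    int ok = 1;
    ok &= fwd_bind_addr(&r, "0.0.0.0", 0) == 0 && r.listenaddr == NULL;   /* GatewayPorts off */
    ok &= strcmp(fwd_report_addr(&r), "localhost") == 0;                   /* no strlen(NULL) */
    ok &= fwd_bind_addr(&r, "localhost", 1) == 0 && r.listenaddr == NULL; /* explicit localhost */
    ok &= fwd_bind_addr(&r, "0.0.0.0", 1) == 0 && r.listenaddr != NULL;   /* GatewayPorts on */
    ok &= strcmp(fwd_report_addr(&r), "0.0.0.0") == 0;
    fwd_request_free(&r);
    fwd_request_free(&r);                                                  /* no double free */
    return ok && r.listenaddr == NULL;
}
```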