svr_getopts should either support bundling or fail if bundling is used

Guilhem Moulin guilhem at fripost.org
Wed Oct 14 03:13:31 AWST 2015


Hi,

It's fine not to implement bundling in dropbear's option parsing
function (svr-runopts.c's svr_getopts), but it should at least croak if
argv[i][2] != '\0'.  For instance

    dropbear -rdropbear.key -p127.0.0.1:2222 -sjk

should either fail, or be parsed as

    dropbear -r dropbear.key -p 127.0.0.1:2222 -s -j -k

if bundling is allowed.


This might have security implications, as the current parsing mechanism
might make a user think that passing ‘-sjk’ disables port forwarding,
which is not the case (the trailing ‘jk’ is ignored).

Cheers,
-- 
Guilhem.
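
The behaviour the message asks for, as an added example that is not part of the original post and is not dropbear's code: a small C parser that accepts bundled flags and attached arguments, and fails closed on anything it does not recognise instead of ignoring trailing characters. The names `struct opts` and `parse_opts` and the field names are hypothetical, and only the five options from the command line above are handled.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative option state; field names are assumptions, not dropbear's. */
struct opts {
    int no_password, no_local_fwd, no_remote_fwd;  /* -s, -j, -k */
    const char *hostkey, *listen;                  /* -r, -p */
};

/* Parse with bundling; return 0 on success, -1 on any malformed option. */
int parse_opts(int argc, char **argv, struct opts *o)
{
    memset(o, 0, sizeof(*o));
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-' || a[1] == '\0')
            return -1;                    /* non-option word or bare "-" */
        for (const char *c = a + 1; *c != '\0'; c++) {
            const char **dst = NULL;
            switch (*c) {
            case 's': o->no_password = 1; break;
            case 'j': o->no_local_fwd = 1; break;
            case 'k': o->no_remote_fwd = 1; break;
            case 'r': dst = &o->hostkey; break;
            case 'p': dst = &o->listen; break;
            default:  return -1;          /* unknown letter: fail closed */
            }
            if (dst == NULL)
                continue;                 /* plain flag: keep scanning the word */
            if (c[1] != '\0')
                *dst = c + 1;             /* attached argument: -rdropbear.key */
            else if (i + 1 < argc)
                *dst = argv[++i];         /* separate argument: -r dropbear.key */
            else
                return -1;                /* option argument missing */
            break;                        /* rest of the word was consumed */
        }
    }
    return 0;
}

int main(void)
{
    char *argv[] = { "dropbear", "-rdropbear.key", "-p127.0.0.1:2222", "-sjk", NULL };
    struct opts o;
    int rc = parse_opts(4, argv, &o);
    printf("rc=%d s=%d j=%d k=%d r=%s p=%s\n", rc, o.no_password,
           o.no_local_fwd, o.no_remote_fwd, o.hostkey, o.listen);
    return rc;
}
```

With this parser the bundled and the spaced-out command lines produce the same settings, and a word such as `-sjx` is rejected rather than silently reduced to `-s`.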