messages: Reject tcpip-forward requests as client

When the session is a client session, reject tcpip-forward requests. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-06-25 11:09:07 +02:00 · 2019-06-25 11:09:07 +02:00 · 1aef599ab1
--- a/src/messages.c
+++ b/src/messages.c
@ -1491,12 +1491,18 @@ SSH_PACKET_CALLBACK(ssh_packet_global_request){
    msg->type = SSH_REQUEST_GLOBAL;

    if (strcmp(request, "tcpip-forward") == 0) {
+
+        /* According to RFC4254, the client SHOULD reject this message */
+        if (session->client) {
+            goto reply_with_failure;
+        }
+
        r = ssh_buffer_unpack(packet, "sd",
                &msg->global_request.bind_address,
                &msg->global_request.bind_port
                );
        if (r != SSH_OK){
-            goto error;
+            goto reply_with_failure;
        }
        msg->global_request.type = SSH_GLOBAL_REQUEST_TCPIP_FORWARD;
        msg->global_request.want_reply = want_reply;
@ -1516,11 +1522,17 @@ SSH_PACKET_CALLBACK(ssh_packet_global_request){
            return rc;
        }
    } else if (strcmp(request, "cancel-tcpip-forward") == 0) {
+
+        /* According to RFC4254, the client SHOULD reject this message */
+        if (session->client) {
+            goto reply_with_failure;
+        }
+
        r = ssh_buffer_unpack(packet, "sd",
                &msg->global_request.bind_address,
                &msg->global_request.bind_port);
        if (r != SSH_OK){
-            goto error;
+            goto reply_with_failure;
        }
        msg->global_request.type = SSH_GLOBAL_REQUEST_CANCEL_TCPIP_FORWARD;
        msg->global_request.want_reply = want_reply;