add correct patch for ip-opts

openssh-4.3p2-allow-ip-opts.patch

@@ -1,59 +0,0 @@
-From: Paul Moore <paul.moore@hp.com>
-Subject: OpenSSH: fix option handling on incoming connections
-
-OpenSSH rejects incoming connections if any IP options are present when the
-comments state that they are only concerned with source routing options.  This
-connection rejection causes problems with CIPSO which uses IP options to tag
-packets with security attributes.
-
-This patch modifies the check_ip_options() function to only fail if loose or
-strict source routing options are present, all other options are allowed.
-
-Signed-off-by: Paul Moore <paul.moore@hp.com>
-
----
- canohost.c |   23 +++++++++++++++++------
- 1 file changed, 17 insertions(+), 6 deletions(-)
-
-Index: openssh-4.3p2/canohost.c
-===================================================================
---- openssh-4.3p2.orig/canohost.c
-+++ openssh-4.3p2/canohost.c
-@@ -146,6 +146,7 @@ check_ip_options(int sock, char *ipaddr)
- 	u_int i;
- 	int ipproto;
- 	struct protoent *ip;
-+	u_int opt_iter;
- 
- 	if ((ip = getprotobyname("ip")) != NULL)
- 		ipproto = ip->p_proto;
-@@ -154,13 +155,23 @@ check_ip_options(int sock, char *ipaddr)
- 	option_size = sizeof(options);
- 	if (getsockopt(sock, ipproto, IP_OPTIONS, options,
- 	    &option_size) >= 0 && option_size != 0) {
--		text[0] = '\0';
--		for (i = 0; i < option_size; i++)
--			snprintf(text + i*3, sizeof(text) - i*3,
--			    " %2.2x", options[i]);
--		fatal("Connection from %.100s with IP options:%.800s",
--		    ipaddr, text);
-+		opt_iter = 0;
-+		do {
-+			/* Fail, fatally, if we detect either loose or strict
-+			 * source routing options. */
-+			if (options[opt_iter] == 131 ||
-+			    options[opt_iter] == 137)
-+				goto fail;
-+			opt_iter += options[opt_iter + 1] + 2;
-+		} while (opt_iter < option_size);
- 	}
-+	return;
-+
-+fail:
-+	text[0] = '\0';
-+	for (i = 0; i < option_size; i++)
-+		snprintf(text + i*3, sizeof(text) - i*3, " %2.2x", options[i]);
-+	fatal("Connection from %.100s with IP options:%.800s", ipaddr, text);
- #endif /* IP_OPTIONS */
- }
- 

openssh-5.2p1-allow-ip-opts.patch

@@ -0,0 +1,37 @@
+diff -up openssh-5.2p1/canohost.c.ip-opts openssh-5.2p1/canohost.c
+--- openssh-5.2p1/canohost.c.ip-opts	2009-02-14 06:28:21.000000000 +0100
++++ openssh-5.2p1/canohost.c	2009-09-01 15:31:29.000000000 +0200
+@@ -169,12 +169,27 @@ check_ip_options(int sock, char *ipaddr)
+ 	option_size = sizeof(options);
+ 	if (getsockopt(sock, ipproto, IP_OPTIONS, options,
+ 	    &option_size) >= 0 && option_size != 0) {
+-		text[0] = '\0';
+-		for (i = 0; i < option_size; i++)
+-			snprintf(text + i*3, sizeof(text) - i*3,
+-			    " %2.2x", options[i]);
+-		fatal("Connection from %.100s with IP options:%.800s",
+-		    ipaddr, text);
++		i = 0;
++		do {
++			switch (options[i]) {
++				case 0:
++				case 1:
++					++i;
++					break;
++				case 131:
++				case 137:
++				/* Fail, fatally, if we detect either loose or strict
++			 	 * source routing options. */
++					text[0] = '\0';
++					for (i = 0; i < option_size; i++)
++						snprintf(text + i*3, sizeof(text) - i*3,
++							" %2.2x", options[i]);
++					fatal("Connection from %.100s with IP options:%.800s",
++						ipaddr, text);
++				default:
++					i += options[i + 1];
++			}
++		} while (i < option_size);
+ 	}
+ #endif /* IP_OPTIONS */
+ }

openssh.spec

@@ -63,7 +63,7 @@
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 5.2p1
-Release: 22%{?dist}%{?rescue_rel}
+Release: 23%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -468,6 +468,9 @@ fi
 %endif
 
 %changelog
+* Tue Sep  1 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-23
+- add correct patch for ip-opts
+
 * Tue Sep  1 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-22
 - replace ip-opts patch by an upstream candidate version