Check IP opts length

Resolves: rhbz#1960015

openssh-6.6p1-allow-ip-opts.patch

@@ -1,7 +1,7 @@
 diff -up openssh/sshd.c.ip-opts openssh/sshd.c
 --- openssh/sshd.c.ip-opts	2016-07-25 13:58:48.998507834 +0200
 +++ openssh/sshd.c	2016-07-25 14:01:28.346469878 +0200
-@@ -1507,12 +1507,29 @@ check_ip_options(struct ssh *ssh)
+@@ -1507,12 +1507,32 @@ check_ip_options(struct ssh *ssh)
  
  	if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts,
  	    &option_size) >= 0 && option_size != 0) {
@@ -21,11 +21,14 @@ diff -up openssh/sshd.c.ip-opts openssh/sshd.c
 +				case 130:
 +				case 133:
 +				case 134:
-+					i += opts[i + 1];
-+					break;
++					if (i + 1 < option_size && opts[i + 1] >= 2) {
++						i += opts[i + 1];
++						break;
++					}
++					/* FALLTHROUGH */
 +				default:
 +				/* Fail, fatally, if we detect either loose or strict
-+			 	 * source routing options. */
++			 	 * or incorrect source routing options. */
 +					text[0] = '\0';
 +					for (i = 0; i < option_size; i++)
 +						snprintf(text + i*3, sizeof(text) - i*3,

openssh.spec

@@ -47,7 +47,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 9.0p1
-%global openssh_rel 6
+%global openssh_rel 7
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 7
 
@@ -722,7 +722,10 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
-* Fri Oct 5 2022 Anthony Rabbito <hello@anthonyrabbito.com> - 9.0p1-6
+* Fri Oct 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-7
+- Check IP opts length (rhbz#1960015)
+
+* Wed Oct 5 2022 Anthony Rabbito <hello@anthonyrabbito.com> - 9.0p1-6
 - Add a socket unit to ssh-agent user unit (rhbz#2125576)
 
 * Thu Sep 29 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-5