 @@ -1,14 +1,14 @@
-/*	$NetBSD: channels.c,v 1.11.4.1 2015/04/30 06:07:30 riz Exp $	*/
+/*	$NetBSD: channels.c,v 1.11.4.1.2.1 2016/03/11 12:23:58 martin Exp $	*/
 /* $OpenBSD: channels.c,v 1.341 2015/02/06 23:21:59 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
  * This file contains functions for generic socket connection forwarding.
  * There is also code for initiating connection forwarding for X11 connections,
  * arbitrary tcp/ip connections, and the authentication agent connection.
+ *
  * As far as I am concerned, the code I have written for this software
  * can be used freely for any purpose.  Any derived versions of this
  * software must be clearly marked as such, and if the derived work is
  * incompatible with the protocol description in the RFC file, it must be
 @@ -31,27 +31,27 @@
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-__RCSID("$NetBSD: channels.c,v 1.11.4.1 2015/04/30 06:07:30 riz Exp $");
+__RCSID("$NetBSD: channels.c,v 1.11.4.1.2.1 2016/03/11 12:23:58 martin Exp $");
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/param.h>	/* MIN MAX */
 #include <sys/stat.h>
 #include <sys/ioctl.h>
 #include <sys/un.h>
 #include <sys/socket.h>
 #include <sys/time.h>
 #include <sys/queue.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 @@ -153,26 +153,29 @@ static int all_opens_permitted = 0;
 /* Maximum number of fake X11 displays to try. */
 #define MAX_DISPLAYS  1000
 /* Saved X11 local (client) display. */
 static char *x11_saved_display = NULL;
 /* Saved X11 authentication protocol name. */
 static char *x11_saved_proto = NULL;
 /* Saved X11 authentication data.  This is the real data. */
 static char *x11_saved_data = NULL;
 static u_int x11_saved_data_len = 0;
 /* Deadline after which all X11 connections are refused */
 static u_int x11_refuse_time;
 /*
  * Fake X11 authentication data.  This is what the server will be sending us;
  * we should replace any occurrences of this by the real data.
  */
 static u_char *x11_fake_data = NULL;
 static u_int x11_fake_data_len;
 /* -- agent forwarding */
 #define	NUM_SOCKS	10
 /* AF_UNSPEC or AF_INET or AF_INET6 */
 @@ -928,26 +931,33 @@ channel_pre_output_draining(Channel *c,
  * connection (when authentication spoofing is being done) remains in this
  * state until the first packet has been completely read.  The authentication
  * data in that packet is then substituted by the real data if it matches the
  * fake data, and the channel is put into normal mode.
  * XXX All this happens at the client side.
  * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok
  */
 static int
 x11_open_helper(Buffer *b)
+{
 	u_char *ucp;
 	u_int proto_len, data_len;
 	/* Is this being called after the refusal deadline? */
 	if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
 		verbose("Rejected X11 connection after ForwardX11Timeout "
 		    "expired");
 		return -1;
+	}
 	/* Check if the fixed size part of the packet is in buffer. */
 	if (buffer_len(b) < 12)
 		return 0;
 	/* Parse the lengths of variable-length fields. */
 	ucp = buffer_ptr(b);
 	if (ucp[0] == 0x42) {	/* Byte order MSB first. */
 		proto_len = 256 * ucp[6] + ucp[7];
 		data_len = 256 * ucp[8] + ucp[9];
 	} else if (ucp[0] == 0x6c) {	/* Byte order LSB first. */
 		proto_len = ucp[6] + 256 * ucp[7];
 		data_len = ucp[8] + 256 * ucp[9];
 	} else {
 @@ -1499,26 +1509,32 @@ port_open_helper(Channel *c, const char
 static void
 channel_set_reuseaddr(int fd)
+{
 	int on = 1;
 	/*
 	 * Set socket options.
 	 * Allow local port reuse in TIME_WAIT.
 	 */
 	if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1)
 		error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno));
+}
 void
 channel_set_x11_refuse_time(u_int refuse_time)
+{
 	x11_refuse_time = refuse_time;
+}
 /*
  * This socket is listening for connections to a forwarded TCP/IP port.
  */
 /* ARGSUSED */
 static void
 channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset)
+{
 	Channel *nc;
 	struct sockaddr_storage addr;
 	int newsock, nextstate;
 	socklen_t addrlen;
 	const char *rtype;

 @@ -1,14 +1,14 @@
-/*	$NetBSD: channels.h,v 1.8.4.1 2015/04/30 06:07:30 riz Exp $	*/
+/*	$NetBSD: channels.h,v 1.8.4.1.2.1 2016/03/11 12:23:58 martin Exp $	*/
 /* $OpenBSD: channels.h,v 1.116 2015/01/19 20:07:45 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
+ *
  * As far as I am concerned, the code I have written for this software
  * can be used freely for any purpose.  Any derived versions of this
  * software must be clearly marked as such, and if the derived work is
  * incompatible with the protocol description in the RFC file, it must be
  * called by a name other than "ssh" or "Secure Shell".
  */
 @@ -277,26 +277,27 @@ Channel	*channel_connect_stdio_fwd(const
 Channel	*channel_connect_by_listen_address(const char *, u_short,
 	     const char *, char *);
 Channel	*channel_connect_by_listen_path(const char *, const char *, const char *);
 int	 channel_request_remote_forwarding(struct Forward *);
 int	 channel_setup_local_fwd_listener(struct Forward *, struct ForwardOptions *);
 int	 channel_request_rforward_cancel(struct Forward *);
 int	 channel_setup_remote_fwd_listener(struct Forward *, int *, struct ForwardOptions *);
 int	 channel_cancel_rport_listener(struct Forward *);
 int	 channel_cancel_lport_listener(struct Forward *, int, struct ForwardOptions *);
 int	 permitopen_port(const char *);
 /* x11 forwarding */
 void	 channel_set_x11_refuse_time(u_int);
 int	 x11_connect_display(void);
 int	 x11_create_display_inet(int, int, int, u_int *, int **);
 int      x11_input_open(int, u_int32_t, void *);
 void	 x11_request_forwarding_with_spoofing(int, const char *, const char *,
 	     const char *, int);
 int	 deny_input_open(int, u_int32_t, void *);
 /* agent forwarding */
 void	 auth_request_forwarding(void);
 /* channel close */

 @@ -1,14 +1,14 @@
-/*	$NetBSD: clientloop.c,v 1.10.4.1 2015/04/30 06:07:30 riz Exp $	*/
+/*	$NetBSD: clientloop.c,v 1.10.4.1.2.1 2016/03/11 12:23:58 martin Exp $	*/
 /* $OpenBSD: clientloop.c,v 1.272 2015/02/25 19:54:02 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
  * The main loop for the interactive session (client side).
+ *
  * As far as I am concerned, the code I have written for this software
  * can be used freely for any purpose.  Any derived versions of this
  * software must be clearly marked as such, and if the derived work is
  * incompatible with the protocol description in the RFC file, it must be
  * called by a name other than "ssh" or "Secure Shell".
+ *
 @@ -51,27 +51,27 @@
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-__RCSID("$NetBSD: clientloop.c,v 1.10.4.1 2015/04/30 06:07:30 riz Exp $");
+__RCSID("$NetBSD: clientloop.c,v 1.10.4.1.2.1 2016/03/11 12:23:58 martin Exp $");
 #include <sys/param.h>	/* MIN MAX */
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <sys/socket.h>
 #include <sys/time.h>
 #include <sys/queue.h>
 #include <ctype.h>
 #include <errno.h>
 #include <paths.h>
 #include <signal.h>
 @@ -149,27 +149,27 @@ volatile sig_atomic_t quit_pending; /* S
 static int escape_char1;	/* Escape character. (proto1 only) */
 static int escape_pending1;	/* Last character was an escape (proto1 only) */
 static int last_was_cr;		/* Last character was a newline. */
 static int exit_status;		/* Used to store the command exit status. */
 static int stdin_eof;		/* EOF has been encountered on stderr. */
 static Buffer stdin_buffer;	/* Buffer for stdin data. */
 static Buffer stdout_buffer;	/* Buffer for stdout data. */
 static Buffer stderr_buffer;	/* Buffer for stderr data. */
 static u_int buffer_high;	/* Soft max buffer size. */
 static int connection_in;	/* Connection to server (input). */
 static int connection_out;	/* Connection to server (output). */
 static int need_rekeying;	/* Set to non-zero if rekeying is requested. */
 static int session_closed;	/* In SSH2: login session closed. */
-static int x11_refuse_time;	/* If >0, refuse x11 opens after this time. */
+static u_int x11_refuse_time;	/* If >0, refuse x11 opens after this time. */
 static void client_init_dispatch(void);
 int	session_ident = -1;
 int	session_resumed = 0;
 /* Track escape per proto2 channel */
 struct escape_filter_ctx {
 	int escape_pending;
 	int escape_char;
 };
 /* Context for channel confirmation replies */
 @@ -284,40 +284,41 @@ client_x11_display_valid(const char *dis
 	size_t i, dlen;
 	dlen = strlen(display);
 	for (i = 0; i < dlen; i++) {
 		if (!isalnum((u_char)display[i]) &&
 		    strchr(SSH_X11_VALID_DISPLAY_CHARS, display[i]) == NULL) {
 			debug("Invalid character '%c' in DISPLAY", display[i]);
 			return 0;
+		}
+	}
 	return 1;
+}
-#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
+#define SSH_X11_PROTO		"MIT-MAGIC-COOKIE-1"
 #define X11_TIMEOUT_SLACK	60
 void
 client_x11_get_proto(const char *display, const char *xauth_path,
     u_int trusted, u_int timeout, char **_proto, char **_data)
+{
 	char cmd[1024];
 	char line[512];
 	char xdisplay[512];
 	static char proto[512], data[512];
 	FILE *f;
 	int got_data = 0, generated = 0, do_unlink = 0, i;
 	char *xauthdir, *xauthfile;
 	struct stat st;
-	u_int now;
+	u_int now, x11_timeout_real;
 	xauthdir = xauthfile = NULL;
 	*_proto = proto;
 	*_data = data;
 	proto[0] = data[0] = '\0';
 	if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
 		debug("No xauth program.");
 	} else if (!client_x11_display_valid(display)) {
 		logit("DISPLAY '%s' invalid, falling back to fake xauth data",
 		    display);
 	} else {
 		if (display == NULL) {
 @@ -330,44 +331,56 @@ client_x11_get_proto(const char *display
 		 * just try "xauth list unix:displaynum.screennum".
 		 * XXX: "localhost" match to determine FamilyLocal
 		 *      is not perfect.
 		 */
 		if (strncmp(display, "localhost:", 10) == 0) {
 			snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
 			    display + 10);
 			display = xdisplay;
+		}
 		if (trusted == 0) {
 			xauthdir = xmalloc(PATH_MAX);
 			xauthfile = xmalloc(PATH_MAX);
 			mktemp_proto(xauthdir, PATH_MAX);
 			/*
 			 * The authentication cookie should briefly outlive
 			 * ssh's willingness to forward X11 connections to
 			 * avoid nasty fail-open behaviour in the X server.
 			 */
 			if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
 				x11_timeout_real = UINT_MAX;
 			else
 				x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
 			if (mkdtemp(xauthdir) != NULL) {
 				do_unlink = 1;
 				snprintf(xauthfile, PATH_MAX, "%s/xauthfile",
 				    xauthdir);
 				snprintf(cmd, sizeof(cmd),
 				    "%s -f %s generate %s " SSH_X11_PROTO
 				    " untrusted timeout %u 2>" _PATH_DEVNULL,
-				    xauth_path, xauthfile, display, timeout);
+				    xauth_path, xauthfile, display,
 				    x11_timeout_real);
 				debug2("x11_get_proto: %s", cmd);
 				if (system(cmd) == 0)
 					generated = 1;
 				if (x11_refuse_time == 0) {
 					now = monotime() + 1;
 					if (UINT_MAX - timeout < now)
 						x11_refuse_time = UINT_MAX;
 					else
 						x11_refuse_time = now + timeout;
 					channel_set_x11_refuse_time(
 					    x11_refuse_time);
+				}
 				if (system(cmd) == 0)
 					generated = 1;
+			}
+		}
 		/*
 		 * When in untrusted mode, we read the cookie only if it was
 		 * successfully generated as an untrusted one in the step
 		 * above.
 		 */
 		if (trusted || generated) {
 			snprintf(cmd, sizeof(cmd),
 			    "%s %s%s list %s 2>" _PATH_DEVNULL,
 			    xauth_path,
 			    generated ? "-f " : "" ,
 @@ -1876,27 +1889,27 @@ static Channel *
 client_request_x11(const char *request_type, int rchan)
+{
 	Channel *c = NULL;
 	char *originator;
 	u_short originator_port;
 	int sock;
 	if (!options.forward_x11) {
 		error("Warning: ssh server tried X11 forwarding.");
 		error("Warning: this is probably a break-in attempt by a "
 		    "malicious server.");
 		return NULL;
+	}
-	if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) {
+	if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
 		verbose("Rejected X11 connection after ForwardX11Timeout "
 		    "expired");
 		return NULL;
+	}
 	originator = packet_get_string(NULL);
 	if (datafellows & SSH_BUG_X11FWD) {
 		debug2("buggy server: x11 request w/o originator_port");
 		originator_port = 0;
 	} else {
 		originator_port = packet_get_int();
+	}
 	packet_check_eom();
 	/* XXX check permission */

 @@ -1,30 +1,30 @@
-/*	$NetBSD: sshpty.c,v 1.2.26.1 2015/04/30 06:07:31 riz Exp $	*/
+/*	$NetBSD: sshpty.c,v 1.2.26.1.2.1 2016/03/11 12:23:58 martin Exp $	*/
 /* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
  * Allocating a pseudo-terminal, and making it the controlling tty.
+ *
  * As far as I am concerned, the code I have written for this software
  * can be used freely for any purpose.  Any derived versions of this
  * software must be clearly marked as such, and if the derived work is
  * incompatible with the protocol description in the RFC file, it must be
  * called by a name other than "ssh" or "Secure Shell".
  */
 #include "includes.h"
-__RCSID("$NetBSD: sshpty.c,v 1.2.26.1 2015/04/30 06:07:31 riz Exp $");
+__RCSID("$NetBSD: sshpty.c,v 1.2.26.1.2.1 2016/03/11 12:23:58 martin Exp $");
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
 #include <paths.h>
 #include <pwd.h>
 #include <stdarg.h>
 #include <string.h>
 #include <termios.h>
 #include <unistd.h>
 @@ -135,27 +135,27 @@ pty_change_window_size(int ptyfd, u_int
+}
 void
 pty_setowner(struct passwd *pw, const char *tty)
+{
 	struct group *grp;
 	gid_t gid;
 	mode_t mode;
 	struct stat st;
 	/* Determine the group to make the owner of the tty. */
 	grp = getgrnam("tty");
 	gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
-	mode = (grp != NULL) ? 0622 : 0600;
+	mode = (grp != NULL) ? 0620 : 0600;
 	/*
 	 * Change owner and mode of the tty as required.
 	 * Warn but continue if filesystem is read-only and the uids match/
 	 * tty is owned by root.
 	 */
 	if (stat(tty, &st))
 		fatal("stat(%.100s) failed: %.100s", tty,
 		    strerror(errno));
 	if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
 		if (chown(tty, pw->pw_uid, gid) < 0) {
 			if (errno == EROFS &&