From 3a85986d3f277a68ff96095e452fdb6b93656cb6 Mon Sep 17 00:00:00 2001
From: djm
Date: Sat, 5 Nov 2005 04:13:24 +0000
Subject: [PATCH] - dtucker@cvs.openbsd.org 2005/10/30 08:29:29 [canohost.c sshd.c] Check for connections with IP options earlier and drop silently. ok djm@
---
 ChangeLog | 3 +++
 canohost.c | 6 ++----
 sshd.c | 9 +++++++--
 3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 2a8a0bd3..95556c53 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -65,6 +65,9 @@
 - djm@cvs.openbsd.org 2005/10/30 04:03:24
 [ssh.c]
 fix misleading debug message; ok dtucker@
+ - dtucker@cvs.openbsd.org 2005/10/30 08:29:29
+ [canohost.c sshd.c]
+ Check for connections with IP options earlier and drop silently. ok djm@
 20051102
 - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
diff --git a/canohost.c b/canohost.c
index 0c4d36ff..66867c10 100644
--- a/canohost.c
+++ b/canohost.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.45 2005/10/03 07:44:42 dtucker Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.46 2005/10/30 08:29:29 dtucker Exp $");
 #include "packet.h"
 #include "xmalloc.h"
@@ -158,9 +158,7 @@ check_ip_options(int sock, char *ipaddr)
 for (i = 0; i < option_size; i++)
 snprintf(text + i*3, sizeof(text) - i*3,
 " %2.2x", options[i]);
- logit("Connection from %.100s with IP options:%.800s",
- ipaddr, text);
- packet_disconnect("Connection from %.100s with IP options:%.800s",
+ fatal("Connection from %.100s with IP options:%.800s",
 ipaddr, text);
 }
 #endif /* IP_OPTIONS */
diff --git a/sshd.c b/sshd.c
index c4d66e2f..4b5f89e2 100644
--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.315 2005/09/21 23:37:11 djm Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.316 2005/10/30 08:29:29 dtucker Exp $");
 #include
 #include
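Review bot: In canohost.c's check_ip_options hunk (`@@ -158,9 +158,7 @@`), the new `fatal(...)` call has no comment recording why the peer is no longer sent a disconnect message, so a later cleanup could reintroduce `packet_disconnect` and start replying to connections that carry IP options. A one-line comment above the call would pin the intent, for example `/* Drop without replying: no packet_disconnect() for connections with IP options. */`. The rejection is also now logged through fatal() instead of logit(); if fatal() logs at a higher severity, any unauthenticated peer can produce fatal-level entries, so alerting and log-volume limits should be checked against that. The function starts before the hunk and the declarations of `text` and `options` are not visible, so the buffer sizing behind the `%.800s` bound could not be reviewed here.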
@@ -1651,7 +1651,12 @@ main(int ac, char **av)
 debug("get_remote_port failed");
 cleanup_exit(255);
 }
- remote_ip = get_remote_ipaddr();
+
+ /*
+ * We use get_canonical_hostname with usedns = 0 instead of
+ * get_remote_ipaddr here so IP options will be checked.
+ */
+ remote_ip = get_canonical_hostname(0);
 #ifdef SSH_AUDIT_EVENTS
 audit_connection_from(remote_ip, remote_port);
--
2.45.2
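Review bot: The IP-options rejection in main() now rests on a side effect of `get_canonical_hostname(0)`, and nothing besides the added comment stops a later change from swapping the call back to `get_remote_ipaddr()` or from moving it after code that already talks to the peer. If the helper returns a cached value on repeated calls (not visible here), only the first call would perform the check, which makes the position of this line security-relevant. Consider exposing the options check as its own function and calling it explicitly here, or at minimum extend the comment with a line such as `* Security check: keep this the first lookup on the connection.` main() begins and ends outside the hunk, so earlier uses of the socket could not be checked.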