Diffstat (limited to 'openssh-6.6p1-allow-ip-opts.patch')
-rw-r--r--openssh-6.6p1-allow-ip-opts.patch42
1 files changed, 42 insertions, 0 deletions
diff --git a/openssh-6.6p1-allow-ip-opts.patch b/openssh-6.6p1-allow-ip-opts.patch
new file mode 100644
index 0000000..be8d340
--- /dev/null
+++ b/openssh-6.6p1-allow-ip-opts.patch
@@ -0,0 +1,42 @@
+diff -up openssh/sshd.c.ip-opts openssh/sshd.c
+--- openssh/sshd.c.ip-opts 2016-07-25 13:58:48.998507834 +0200
++++ openssh/sshd.c 2016-07-25 14:01:28.346469878 +0200
+@@ -1507,12 +1507,32 @@ check_ip_options(struct ssh *ssh)
+
+ if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts,
+ &option_size) >= 0 && option_size != 0) {
+- text[0] = '\0';
+- for (i = 0; i < option_size; i++)
+- snprintf(text + i*3, sizeof(text) - i*3,
+- " %2.2x", opts[i]);
+- fatal("Connection from %.100s port %d with IP opts: %.800s",
+- ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
++ i = 0;
++ do {
++ switch (opts[i]) {
++ case 0:
++ case 1:
++ ++i;
++ break;
++ case 130:
++ case 133:
++ case 134:
++ if (i + 1 < option_size && opts[i + 1] >= 2) {
++ i += opts[i + 1];
++ break;
++ }
++ /* FALLTHROUGH */
++ default:
++ /* Fail, fatally, if we detect either loose or strict
++ * or incorrect source routing options. */
++ text[0] = '\0';
++ for (i = 0; i < option_size; i++)
++ snprintf(text + i*3, sizeof(text) - i*3,
++ " %2.2x", opts[i]);
++ fatal("Connection from %.100s port %d with IP options:%.800s",
++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
++ }
++ } while (i < option_size);
+ }
+ return;
+ #endif /* IP_OPTIONS */
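Review bot: In the `case 130:` / `case 133:` / `case 134:` branch the option's length byte is only checked for `>= 2`, so an option whose declared length runs past `option_size` is skipped and the loop ends, accepting the connection instead of reaching the fatal path for incorrect options. Since this patch relaxes a check that previously rejected every IP option, the allow-list should fail closed on truncated options, e.g. `if (i + 1 < option_size && opts[i + 1] >= 2 && i + opts[i + 1] <= option_size) {`; the kernel probably validates options on receipt, so this is defence in depth. The bare option numbers would read better with a comment such as `/* 0 EOL, 1 NOP; 130 SEC, 133 E-SEC, 134 CIPSO: labelled-network security options */`. The comment under `default:` should say that every other option type is rejected, not only loose or strict source routing. The declarations of `opts`, `text` and `i` and the rest of `check_ip_options` lie outside the hunk, so the integer types involved in `i + opts[i + 1]` should be confirmed there.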