From 91dc9dedda5239d7a1df4f2ceb89031105b9d0f4 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 18 Mar 2022 04:04:11 +0000 Subject: [PATCH] don't try to resolve ListenAddress directives in the sshd re-exec path - we're never going to use the result and if the operation fails then it can prevent connections from being accepted. Reported by Aaron Poffenberger; with / ok dtucker@ --- usr.bin/ssh/servconf.c | 9 +++++---- usr.bin/ssh/servconf.h | 4 ++-- usr.bin/ssh/sshd.c | 4 ++-- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c index 63a7303de65..f681c2fcda4 100644 --- a/usr.bin/ssh/servconf.c +++ b/usr.bin/ssh/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.383 2022/02/08 08:59:12 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.384 2022/03/18 04:04:11 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -2459,7 +2459,7 @@ parse_server_match_config(ServerOptions *options, initialize_server_options(&mo); parse_server_config(&mo, "reprocess config", cfg, includes, - connectinfo); + connectinfo, 0); copy_set_server_options(options, &mo, 0); } @@ -2637,12 +2637,13 @@ parse_server_config_depth(ServerOptions *options, const char *filename, void parse_server_config(ServerOptions *options, const char *filename, struct sshbuf *conf, struct include_list *includes, - struct connection_info *connectinfo) + struct connection_info *connectinfo, int reexec) { int active = connectinfo ? 0 : 1; parse_server_config_depth(options, filename, conf, includes, connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0); - process_queued_listen_addrs(options); + if (!reexec) + process_queued_listen_addrs(options); } static const char * diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h index 1197c57f75c..115db1e79df 100644 --- a/usr.bin/ssh/servconf.h +++ b/usr.bin/ssh/servconf.h 
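Review bot: The new `reexec` argument to parse_server_config() is undocumented, and the `if (!reexec)` guard at the end of that function leaves any queued ListenAddress entries unresolved in the options struct without saying so. That matches the availability fix described in the commit message, but the assumption that the re-exec'd child never reads the listen-address list should be written down, for example `/* reexec: per-connection child never listens; skip ListenAddress resolution so a resolver failure cannot block the connection */` above the guard. The bare `0` passed in the parse_server_match_config hunk would also read better with a short comment saying it is not the re-exec path. Whether the skipped queue is released anywhere else is not visible in this hunk.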
@@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.155 2021/07/02 05:11:21 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.156 2022/03/18 04:04:11 djm Exp $ */ /* * Author: Tatu Ylonen @@ -295,7 +295,7 @@ int process_server_config_line(ServerOptions *, char *, const char *, int, void process_permitopen(struct ssh *ssh, ServerOptions *options); void load_server_config(const char *, struct sshbuf *); void parse_server_config(ServerOptions *, const char *, struct sshbuf *, - struct include_list *includes, struct connection_info *); + struct include_list *includes, struct connection_info *, int); void parse_server_match_config(ServerOptions *, struct include_list *includes, struct connection_info *); int parse_server_match_testspec(struct connection_info *, char *); diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c index 6d8bc2aca5d..7a143d9613f 100644 --- a/usr.bin/ssh/sshd.c +++ b/usr.bin/ssh/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.584 2022/03/01 01:59:19 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.585 2022/03/18 04:04:11 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1638,7 +1638,7 @@ main(int ac, char **av) load_server_config(config_file_name, cfg); parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, - cfg, &includes, NULL); + cfg, &includes, NULL, rexeced_flag); #ifdef WITH_OPENSSL if (options.moduli_file != NULL) -- 2.20.1
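Review bot: The servconf.h prototype for parse_server_config() gains a bare, unnamed `int`, so the header gives no hint that the last argument selects the re-exec behaviour. The same declaration already names `includes`, so consider `struct include_list *includes, struct connection_info *, int reexec);` to let readers of the header see what a non-zero value means.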
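Review bot: Passing `rexeced_flag` at this call in main() means that in the re-exec'd child the options struct looks as if no ListenAddress had been configured, and main() continues well past this hunk. It is worth confirming that nothing later on that path (default filling, a config dump, logging of listen addresses) resolves or relies on the listen list, otherwise the resolver dependency this commit removes could come back. A one-line comment at the call, such as `/* re-exec'd child: listen addresses are not resolved */`, would keep that assumption visible. A regression test that starts sshd with a ListenAddress hostname and makes it unresolvable before a connection arrives would pin the fix.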