Add re-exec for server

This allows ASLR to re-randomize the address space for every connection, preventing some vulnerabilities from being exploitable by repeated probing. Overhead (memory and time) is yet to be confirmed. At present this is only enabled on Linux. Other BSD platforms with fexecve() would probably also work though have not been tested.
author: Matt Johnston <matt@ucc.asn.au> 2022-01-30 10:14:56 +0800
committer: Matt Johnston <matt@ucc.asn.au> 2022-01-30 10:14:56 +0800
commit: deb2ed63d904e8baf586bf97d494706ed58e7a9b (patch)
tree: c7199ab70fad3d27994e165c46b797f27c50d885 /sysoptions.h
parent: 0d62392b5cd34331d3c5de84a8f398ef5e706ff2 (diff)
download: dropbear-deb2ed63d904e8baf586bf97d494706ed58e7a9b.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/sysoptions.h b/sysoptions.h
index 10c485b..8bd3f3f 100644
--- a/sysoptions.h
+++ b/sysoptions.h
@@ -29,6 +29,9 @@
 	#error "NON_INETD_MODE or INETD_MODE (or both) must be enabled."
 #endif
 
+/* Would probably work on freebsd but hasn't been tested */
+#define DROPBEAR_DO_REEXEC (defined(HAVE_FEXECVE) && DROPBEAR_REEXEC && defined(__linux__))
+
 /* A client should try and send an initial key exchange packet guessing
  * the algorithm that will match - saves a round trip connecting, has little
  * overhead if the guess was "wrong". */
author	Matt Johnston <matt@ucc.asn.au>	2022-01-30 10:14:56 +0800
committer	Matt Johnston <matt@ucc.asn.au>	2022-01-30 10:14:56 +0800
commit	deb2ed63d904e8baf586bf97d494706ed58e7a9b (patch)
tree	c7199ab70fad3d27994e165c46b797f27c50d885 /sysoptions.h
parent	0d62392b5cd34331d3c5de84a8f398ef5e706ff2 (diff)
download	dropbear-deb2ed63d904e8baf586bf97d494706ed58e7a9b.tar.gz