diff options
author | Matt Johnston <matt@ucc.asn.au> | 2022-01-30 10:14:56 +0800 |
---|---|---|
committer | Matt Johnston <matt@ucc.asn.au> | 2022-01-30 10:14:56 +0800 |
commit | deb2ed63d904e8baf586bf97d494706ed58e7a9b (patch) | |
tree | c7199ab70fad3d27994e165c46b797f27c50d885 /sysoptions.h | |
parent | 0d62392b5cd34331d3c5de84a8f398ef5e706ff2 (diff) | |
download | dropbear-deb2ed63d904e8baf586bf97d494706ed58e7a9b.tar.gz |
Add re-exec for server
This allows ASLR to re-randomize the address
space for every connection, preventing some
vulnerabilities from being exploitable by
repeated probing.
Overhead (memory and time) is yet to be confirmed.
At present this is only enabled on Linux. Other BSD platforms
with fexecve() would probably also work though have not been tested.
Diffstat (limited to 'sysoptions.h')
-rw-r--r-- | sysoptions.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/sysoptions.h b/sysoptions.h index 10c485b..8bd3f3f 100644 --- a/sysoptions.h +++ b/sysoptions.h @@ -29,6 +29,9 @@ #error "NON_INETD_MODE or INETD_MODE (or both) must be enabled." #endif +/* Would probably work on freebsd but hasn't been tested */ +#define DROPBEAR_DO_REEXEC (defined(HAVE_FEXECVE) && DROPBEAR_REEXEC && defined(__linux__)) + /* A client should try and send an initial key exchange packet guessing * the algorithm that will match - saves a round trip connecting, has little * overhead if the guess was "wrong". */ |