Hi, It's fine not to implement bundling in dropbear's option parsing function (svr-runopts.c's svr_getopts), but it should at least croak if argv[i][2] != '\0'. For instance
dropbear -rdropbear.key -p127.0.0.1:2222 -sjk should either fail, or be parsed as dropbear -r dropbear.key -p 127.0.0.1:2222 -s -j -k if bundling is allowed. This might have security implications, as the current parsing mechanism might make a user think that passing ‘-sjk’ disables port forwarding, which is not the case (the trailing ‘jk’ is ignored). Cheers, -- Guilhem.
signature.asc
Description: PGP signature