openssh · manuelm · Nov 6, 2024 · Dec 4, 2024
diff --git a/regress/addrmatch.sh b/regress/addrmatch.sh
@@ -28,8 +28,12 @@ Match Address 1.1.1.1,::1,!::3,2000::/16
 	ForceCommand match2
 Match LocalAddress 127.0.0.1,::1
 	ForceCommand match3
-Match LocalPort 5678
+Match LocalAddress !2.2.2.?,!::2:2:2:?,2.2.*,::2:2:*
 	ForceCommand match4
+Match LocalPort 5678
+	ForceCommand portmatch1
+Match LocalPort !5679,567?
+	ForceCommand portmatch2
 EOD
 
 run_trial user 192.168.0.1 somehost 1.2.3.4 1234 match1 "first entry"
@@ -39,7 +43,13 @@ run_trial user 10.255.255.254 somehost 1.2.3.4 1234 match1 "list middle"
 run_trial user 192.168.30.1 192.168.0.1 1.2.3.4 1234 nomatch "faked IP in hostname"
 run_trial user 1.1.1.1 somehost.example.com 1.2.3.4 1234 match2 "bare IP4 address"
 run_trial user 19.0.0.1 somehost 127.0.0.1 1234 match3 "localaddress"
-run_trial user 19.0.0.1 somehost 1.2.3.4 5678 match4 "localport"
+run_trial user 19.0.0.1 somehost 2.2.3.3 1234 match4 "wildcard localaddress"
+run_trial user 19.0.0.1 somehost 2.2.2.2 1234 nomatch "negative wildcard localaddress"
+run_trial user 19.0.0.1 somehost 2.2.2.20 1234 match4 "one char wildcard localaddress"
+run_trial user 19.0.0.1 somehost 1.2.3.4 5678 portmatch1 "localport"
+run_trial user 19.0.0.1 somehost 1.2.3.4 5671 portmatch2 "one char wildcard localport"
+run_trial user 19.0.0.1 somehost 1.2.3.4 56710 nomatch "no match wildcard localport"
+run_trial user 19.0.0.1 somehost 1.2.3.4 5679 nomatch "negative wildcard localport"
 
 if test "$TEST_SSH_IPV6" != "no"; then
 run_trial user ::1 somehost.example.com ::2 1234 match2 "bare IP6 address"
@@ -49,7 +59,13 @@ run_trial user ::4 somehost ::2 1234 nomatch "IP6 no match"
 run_trial user 2000::1 somehost ::2 1234 match2 "IP6 network"
 run_trial user 2001::1 somehost ::2 1234 nomatch "IP6 network"
 run_trial user ::5 somehost ::1 1234 match3 "IP6 localaddress"
-run_trial user ::5 somehost ::2 5678 match4 "IP6 localport"
+run_trial user ::6 somehost ::2:2:3:3 1234 match4 "IP6 wildcard localaddress"
+run_trial user ::6 somehost ::2:2:2:2 1234 nomatch "IP6 negative wildcard localaddress"
+run_trial user ::6 somehost ::2:2:2:20 1234 match4 "IP6 one char wildcard localaddress"
+run_trial user ::5 somehost ::2 5678 portmatch1 "IP6 localport"
+run_trial user ::5 somehost ::2 5671 portmatch2 "IP6 wildcard localport"
+run_trial user ::5 somehost ::2 56710 nomatch "IP6 no match wildcard localport"
+run_trial user ::5 somehost ::2 5679 nomatch "IP6 negative wildcard localport"
 fi
 
 #

diff --git a/servconf.c b/servconf.c
@@ -1036,8 +1036,9 @@ static int
 match_cfg_line(const char *full_line, int *acp, char ***avp,
     int line, struct connection_info *ci)
 {
-	int result = 1, attributes = 0, port;
+	int result = 1, attributes = 0;
 	char *arg, *attrib = NULL, *oattrib;
+	char portstr[NI_MAXSERV];
 
 	if (ci == NULL)
 		debug3("checking syntax for 'Match %s'", full_line);
@@ -1194,25 +1195,19 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 				goto out;
 			}
 		} else if (strcasecmp(attrib, "localport") == 0) {
-			if ((port = a2port(arg)) == -1) {
-				error("Invalid LocalPort '%s' on Match line",
-				    arg);
-				result = -1;
-				goto out;
-			}
 			if (ci == NULL || (ci->test && ci->lport == -1)) {
 				result = 0;
 				continue;
 			}
 			if (ci->lport == 0)
 				match_test_missing_fatal("LocalPort", "lport");
-			/* TODO support port lists */
-			if (port == ci->lport)
-				debug("connection from %.100s matched "
-				    "'LocalPort %d' at line %d",
-				    ci->laddress, port, line);
-			else
+			snprintf(portstr, sizeof(portstr), "%d", ci->lport);
+			if (match_pattern_list(portstr, arg, 0) != 1)
 				result = 0;
+			else
+				debug("connection from %.100s matched "
+				    "'LocalPort %.100s' at line %d",
+				    ci->laddress, arg, line);
 		} else if (strcasecmp(attrib, "rdomain") == 0) {
 			if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
 				result = 0;