From 4f4592539d61764397257438d6914137498cbf70 Mon Sep 17 00:00:00 2001 From: zwelch Date: Sat, 13 Jun 2009 08:38:57 +0000 Subject: [PATCH] David Brownell : OpenOCD doesn't actually *need* to be keeping all TCP ports active ... creating security issues in some network configs. Instead, let config file specify e.g. "tcl_port 0" (or gdb_port, telnet_port) to disable that particular remote access method. git-svn-id: svn://svn.berlios.de/openocd/trunk@2240 b42882b7-edfa-0310-969c-e2dbd0fdcd60 --- doc/openocd.texi | 10 ++++++++++ src/server/gdb_server.c | 6 +++--- src/server/tcl_server.c | 6 +++--- src/server/telnet_server.c | 6 +++--- 4 files changed, 19 insertions(+), 9 deletions(-) diff --git a/doc/openocd.texi b/doc/openocd.texi index f6783902d..d5f78b323 100644 --- a/doc/openocd.texi +++ b/doc/openocd.texi @@ -1422,10 +1422,17 @@ the memory read/write commands. This includes @command{nand probe}. @cindex TCP port @cindex server @cindex port +@cindex security The OpenOCD server accepts remote commands in several syntaxes. Each syntax uses a different TCP/IP port, which you may specify only during configuration (before those ports are opened). +For reasons including security, you may wish to prevent remote +access using one or more of these ports. +In such cases, just specify the relevant port number as zero. +If you disable all access through TCP/IP, you will need to +use the command line @option{-pipe} option. + @deffn {Command} gdb_port (number) @cindex GDB server Specify or query the first port used for incoming GDB connections. @@ -1433,6 +1440,7 @@ The GDB port for the first target will be gdb_port, the second target will listen on gdb_port + 1, and so on. When not specified during the configuration stage, the port @var{number} defaults to 3333. +When specified as zero, this port is not activated. @end deffn @deffn {Command} tcl_port (number) @@ -1442,6 +1450,7 @@ output from the Tcl engine. Intended as a machine interface. When not specified during the configuration stage, the port @var{number} defaults to 6666. +When specified as zero, this port is not activated. @end deffn @deffn {Command} telnet_port (number) @@ -1450,6 +1459,7 @@ port on which to listen for incoming telnet connections. This port is intended for interaction with one human through TCL commands. When not specified during the configuration stage, the port @var{number} defaults to 4444. +When specified as zero, this port is not activated. @end deffn @anchor{GDB Configuration} diff --git a/src/server/gdb_server.c b/src/server/gdb_server.c index d5c3f3510..88c9ec88b 100644 --- a/src/server/gdb_server.c +++ b/src/server/gdb_server.c @@ -44,7 +44,7 @@ static int gdb_breakpoint_override; static enum breakpoint_type gdb_breakpoint_override_type; extern int gdb_error(connection_t *connection, int retval); -static unsigned short gdb_port; +static unsigned short gdb_port = 3333; static const char *DIGITS = "0123456789abcdef"; static void gdb_log_callback(void *priv, const char *file, int line, @@ -2198,8 +2198,8 @@ int gdb_init(void) if (gdb_port == 0 && server_use_pipes == 0) { - LOG_DEBUG("no gdb port specified, using default port 3333"); - gdb_port = 3333; + LOG_INFO("gdb port disabled"); + return ERROR_OK; } if (server_use_pipes) diff --git a/src/server/tcl_server.c b/src/server/tcl_server.c index e146b04f9..f37d4975a 100644 --- a/src/server/tcl_server.c +++ b/src/server/tcl_server.c @@ -34,7 +34,7 @@ typedef struct tcl_connection_s { int tc_outerror; /* flag an output error */ } tcl_connection_t; -static unsigned short tcl_port = 0; +static unsigned short tcl_port = 6666; /* commands */ static int handle_tcl_port_command(struct command_context_s *cmd_ctx, char *cmd, char **args, int argc); @@ -165,8 +165,8 @@ int tcl_init(void) if (tcl_port == 0) { - LOG_DEBUG("no tcl port specified, using default port 6666"); - tcl_port = 6666; + LOG_INFO("tcl port disabled"); + return ERROR_OK; } retval = add_service("tcl", CONNECTION_TCP, tcl_port, 1, tcl_new_connection, tcl_input, tcl_closed, NULL); diff --git a/src/server/telnet_server.c b/src/server/telnet_server.c index 94a266246..cf74344fd 100644 --- a/src/server/telnet_server.c +++ b/src/server/telnet_server.c @@ -30,7 +30,7 @@ #include "telnet_server.h" #include "target_request.h" -static unsigned short telnet_port = 0; +static unsigned short telnet_port = 4444; int handle_exit_command(struct command_context_s *cmd_ctx, char *cmd, char **args, int argc); int handle_telnet_port_command(struct command_context_s *cmd_ctx, char *cmd, char **args, int argc); @@ -596,8 +596,8 @@ int telnet_init(char *banner) if (telnet_port == 0) { - LOG_DEBUG("no telnet port specified, using default port 4444"); - telnet_port = 4444; + LOG_INFO("telnet port disabled"); + return ERROR_OK; } telnet_service->banner = banner; -- 2.30.2