From: djm@openbsd.org <djm@openbsd.org>
Date: Tue, 24 Jun 2025 09:22:03 +0000 (+0000)
Subject: upstream: make "Match !final" not trigger a 2nd pass ssh_config
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=688fa02728f2efbf18388bc1a8e94e7ba7ee4f11;p=thirdparty%2Fopenssh-portable.git

upstream: make "Match !final" not trigger a 2nd pass ssh_config

parsing pass (unless hostname canonicalisation or a separate "Match final"
does). bz3843

ok dtucker@

OpenBSD-Commit-ID: ce82b6034828888f0f3f1c812e08f5e87400d802
---

diff --git a/readconf.c b/readconf.c
index a56cbe0da..97f34abff 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.399 2025/05/06 05:40:56 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.400 2025/06/24 09:22:03 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -768,12 +768,13 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
 		if (strcasecmp(attrib, "canonical") == 0 ||
 		    strcasecmp(attrib, "final") == 0) {
 			/*
-			 * If the config requests "Match final" then remember
-			 * this so we can perform a second pass later.
+			 * If the config requests "Match final" without
+			 * negation then remember this so we can perform a
+			 * second pass later.
 			 */
 			if (strcasecmp(attrib, "final") == 0 &&
 			    want_final_pass != NULL)
-				*want_final_pass = 1;
+				*want_final_pass |= !negate;
 			r = !!final_pass;  /* force bitmask member to boolean */
 			if (r == (negate ? 1 : 0))
 				this_result = result = 0;