sftp: disallow creation (of empty files) in read-only mode

Direct commit to stable/11; already fixed in newer OpenSSH in 12 and
later.

PR:		233801
Reported by:	Dani
Obtained from:	OpenBSD 1.111
Security:	CVE-2017-15906

1 files changed, 2 insertions, 2 deletions

diff --git a/crypto/openssh/sftp-server.c b/crypto/openssh/sftp-server.c
index 3619cdfc0ffe..a447ccc627c6 100644
--- a/crypto/openssh/sftp-server.c
+++ b/crypto/openssh/sftp-server.c
@@ -691,8 +691,8 @@ process_open(u_int32_t id)
 	logit("open \"%s\" flags %s mode 0%o",
 	    name, string_from_portable(pflags), mode);
 	if (readonly &&
-	    ((flags & O_ACCMODE) == O_WRONLY ||
-	    (flags & O_ACCMODE) == O_RDWR)) {
+	    ((flags & O_ACCMODE) != O_RDONLY ||
+	    (flags & (O_CREAT|O_TRUNC)) != 0)) {
 		verbose("Refusing open request in read-only mode");
 		status = SSH2_FX_PERMISSION_DENIED;
 	} else {