David Brownell <david-b@pacbell.net>:

OpenOCD doesn't actually *need* to be keeping all TCP ports
active ... creating security issues in some network configs.

Instead, let config file specify e.g. "tcl_port 0" (or gdb_port,
telnet_port) to disable that particular remote access method.


git-svn-id: svn://svn.berlios.de/openocd/trunk@2240 b42882b7-edfa-0310-969c-e2dbd0fdcd60

doc/openocd.texi

@@ -1422,10 +1422,17 @@ the memory read/write commands.  This includes @command{nand probe}.
 @cindex TCP port
 @cindex server
 @cindex port
+@cindex security
 The OpenOCD server accepts remote commands in several syntaxes.
 Each syntax uses a different TCP/IP port, which you may specify
 only during configuration (before those ports are opened).
 
+For reasons including security, you may wish to prevent remote
+access using one or more of these ports.
+In such cases, just specify the relevant port number as zero.
+If you disable all access through TCP/IP, you will need to
+use the command line @option{-pipe} option.
+
 @deffn {Command} gdb_port (number)
 @cindex GDB server
 Specify or query the first port used for incoming GDB connections.
@@ -1433,6 +1440,7 @@ The GDB port for the
 first target will be gdb_port, the second target will listen on gdb_port + 1, and so on.
 When not specified during the configuration stage,
 the port @var{number} defaults to 3333.
+When specified as zero, this port is not activated.
 @end deffn
 
 @deffn {Command} tcl_port (number)
@@ -1442,6 +1450,7 @@ output from the Tcl engine.
 Intended as a machine interface.
 When not specified during the configuration stage,
 the port @var{number} defaults to 6666.
+When specified as zero, this port is not activated.
 @end deffn
 
 @deffn {Command} telnet_port (number)
@@ -1450,6 +1459,7 @@ port on which to listen for incoming telnet connections.
 This port is intended for interaction with one human through TCL commands.
 When not specified during the configuration stage,
 the port @var{number} defaults to 4444.
+When specified as zero, this port is not activated.
 @end deffn
 
 @anchor{GDB Configuration}

src/server/gdb_server.c

@@ -44,7 +44,7 @@ static int gdb_breakpoint_override;
 static enum breakpoint_type gdb_breakpoint_override_type;
 
 extern int gdb_error(connection_t *connection, int retval);
-static unsigned short gdb_port;
+static unsigned short gdb_port = 3333;
 static const char *DIGITS = "0123456789abcdef";
 
 static void gdb_log_callback(void *priv, const char *file, int line,
@@ -2198,8 +2198,8 @@ int gdb_init(void)
 
 	if (gdb_port == 0 && server_use_pipes == 0)
 	{
-		LOG_DEBUG("no gdb port specified, using default port 3333");
-		gdb_port = 3333;
+		LOG_INFO("gdb port disabled");
+		return ERROR_OK;
 	}
 
 	if (server_use_pipes)

src/server/tcl_server.c

@@ -34,7 +34,7 @@ typedef struct tcl_connection_s {
 	int tc_outerror; /* flag an output error */
 } tcl_connection_t;
 
-static unsigned short tcl_port = 0;
+static unsigned short tcl_port = 6666;
 
 /* commands */
 static int handle_tcl_port_command(struct command_context_s *cmd_ctx, char *cmd, char **args, int argc);
@@ -165,8 +165,8 @@ int tcl_init(void)
 
 	if (tcl_port == 0)
 	{
-		LOG_DEBUG("no tcl port specified, using default port 6666");
-		tcl_port = 6666;
+		LOG_INFO("tcl port disabled");
+		return ERROR_OK;
 	}
 
 	retval = add_service("tcl", CONNECTION_TCP, tcl_port, 1, tcl_new_connection, tcl_input, tcl_closed, NULL);

src/server/telnet_server.c

@@ -30,7 +30,7 @@
 #include "telnet_server.h"
 #include "target_request.h"
 
-static unsigned short telnet_port = 0;
+static unsigned short telnet_port = 4444;
 
 int handle_exit_command(struct command_context_s *cmd_ctx, char *cmd, char **args, int argc);
 int handle_telnet_port_command(struct command_context_s *cmd_ctx, char *cmd, char **args, int argc);
@@ -596,8 +596,8 @@ int telnet_init(char *banner)
 
 	if (telnet_port == 0)
 	{
-		LOG_DEBUG("no telnet port specified, using default port 4444");
-		telnet_port = 4444;
+		LOG_INFO("telnet port disabled");
+		return ERROR_OK;
 	}
 
 	telnet_service->banner = banner;