Nmap Development mailing list archives
[PATCH] Ncat --broker & --ssl disconnects broken
From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 30 Jun 2009 17:50:20 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hey everyone, While messing around with the second patch for the ncat --send-only behavior, I stumbled upon a bug in Ncat's broker mode when using SSL. Basically, there are no checks against the return value of SSL_read happening in broker mode, so when EOF and error conditions occur, things mess up. I don't have time to track down the exact codepath of what happens where after this occurs, but it's obvious it's bad (it appears to be some sort of infinite loop--maybe select() keeps returning for the underlying socket but nothing happens?) The checks exist in the same function as SSL_read; however, they're in the wrong spot so it's just dead code now. There's a block of code that handles what should happen for these conditions on both regular sockets and SSL sockets, but they only run if this happens on a regular socket. I've attached a patch to move these checks to the right place. All seems well in my brief testing (and it's a very simple patch). Note that these changes are in the same spot as some changes in my --send-only patch so they probably won't apply cleanly together unfortunately. Cheers, Kris Katterjohn -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIcBAEBAgAGBQJKSpasAAoJEEQxgFs5kUfuDF8P/3trDTzp0GYwLRzlrwtUkdPb KN577htmehV0odfRKa3gEUwHOK7+yMlXVSuncYivncJwgeW2GusXMw7yUpSA+13C ZCh3cOhH93a9iGKqn7Pw9fL8qC5IPNfjHAUQJOHEpNmNKxpQDkyjJYhV5qIEmmdg gvXogmVeLCtXz1sw1qeIwuMr4tqAMCR/rV2xOwkH14RjemExzuYehxIdHHOVUTe2 OyYCd0wpDMBJKfvh9mIlqJN/1AhNpYLOuqruhqu4jrMAl+JTXI4dPAuViZnj3L9M DUbH8IQ1u2skBesJlAVsgzSMcvCWFLxSBGkL4lbWl7RFHUOxFEzim4mJ29WQzE09 7tiDswt6og3nwoBDDcnjc/UusAnVMLEXJtmIxO3e9m9n7oM6BVD5bVdUbuvfnj4u HPiObwpDEWx9AJwlwIqAH1hBA9JnVP4IH5E6xrRhtZ1inF2yT7xTWFDYhXIJkbjN X15H1mb59ew//A1XHdwTySvdJ8wfcBjaPrmaFz4b2EhKncb2skn+Vi9OxdMhna23 yHYWTn8h1N+RU+zO+fJUU0fsQ89TP8X2xQ1uibviYHoso7Czo1XxAVP6jthmtmIm MMYXeBccTp4nmV2STunNt+vaUcOC+KH+fy2G+nclx9rmibkPmv+sAmP1Zr3MZXN3 YHu3eIyphTOAs2WgDsKK =SQ6u -----END PGP SIGNATURE-----
Index: ncat_broker.c =================================================================== --- ncat_broker.c (revision 13984) +++ ncat_broker.c (working copy) @@ -330,36 +330,37 @@ /* From a connected socket, not stdin. */ nbytes = recv(recv_fd, buf, sizeof(buf), 0); - if (nbytes <= 0) { - if (o.debug) - logdebug("Closing connection.\n"); + /* If we received from something other than stdin, and --send-only was + given, do no further processing. */ + if (nbytes > 0 && o.sendonly) + return; + } + /* Handle EOF or error from network */ + if (nbytes <= 0) { + if (o.debug) + logdebug("Closing connection.\n"); + #ifdef HAVE_OPENSSL - if (o.ssl && fdn->ssl) { - if (nbytes == 0) - SSL_shutdown(fdn->ssl); - SSL_free(fdn->ssl); - } + if (o.ssl && fdn->ssl) { + if (nbytes == 0) + SSL_shutdown(fdn->ssl); + SSL_free(fdn->ssl); + } #endif - close(recv_fd); - FD_CLR(recv_fd, &master); - rm_fd(&fdlist, recv_fd); + close(recv_fd); + FD_CLR(recv_fd, &master); + rm_fd(&fdlist, recv_fd); - conn_count--; - if (conn_count == 0) - FD_CLR(STDIN_FILENO, &master); + conn_count--; + if (conn_count == 0) + FD_CLR(STDIN_FILENO, &master); - if (o.chat) - chat_announce_disconnect(recv_fd); + if (o.chat) + chat_announce_disconnect(recv_fd); - return; - } - - /* If we received from something other than stdin, and --send-only was - given, do no further processing. */ - if (o.sendonly) - return; + return; } if (o.debug > 1)
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- [PATCH] Ncat --broker & --ssl disconnects broken Kris Katterjohn (Jun 30)