Re: [PATCH] Ncat --broker & --ssl disconnects broken

[David Fifield <david () bamsoftware com>]

On Tue, Jun 30, 2009 at 05:50:20PM -0500, Kris Katterjohn wrote:
> While messing around with the second patch for the ncat --send-only behavior,
> I stumbled upon a bug in Ncat's broker mode when using SSL.
>
> Basically, there are no checks against the return value of SSL_read happening
> in broker mode, so when EOF and error conditions occur, things mess up.  I
> don't have time to track down the exact codepath of what happens where after
> this occurs, but it's obvious it's bad (it appears to be some sort of infinite
> loop--maybe select() keeps returning for the underlying socket but nothing
> happens?)
>
> The checks exist in the same function as SSL_read; however, they're in the
> wrong spot so it's just dead code now.  There's a block of code that handles
> what should happen for these conditions on both regular sockets and SSL
> sockets, but they only run if this happens on a regular socket.
>
> I've attached a patch to move these checks to the right place.  All seems well
> in my brief testing (and it's a very simple patch).  Note that these changes
> are in the same spot as some changes in my --send-only patch so they probably
> won't apply cleanly together unfortunately.

Thanks for the report and the good diagnosis. I fixed the problem in a
different way in r14164, moving the SSL_read to the same place as the
normal socket read.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org