Home page logo
/

nmap-dev logo Nmap Development mailing list archives

[PATCH] Ncat --broker & --ssl disconnects broken
From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 30 Jun 2009 17:50:20 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey everyone,

While messing around with the second patch for the ncat --send-only behavior,
I stumbled upon a bug in Ncat's broker mode when using SSL.

Basically, there are no checks against the return value of SSL_read happening
in broker mode, so when EOF and error conditions occur, things mess up.  I
don't have time to track down the exact codepath of what happens where after
this occurs, but it's obvious it's bad (it appears to be some sort of infinite
loop--maybe select() keeps returning for the underlying socket but nothing
happens?)

The checks exist in the same function as SSL_read; however, they're in the
wrong spot so it's just dead code now.  There's a block of code that handles
what should happen for these conditions on both regular sockets and SSL
sockets, but they only run if this happens on a regular socket.

I've attached a patch to move these checks to the right place.  All seems well
in my brief testing (and it's a very simple patch).  Note that these changes
are in the same spot as some changes in my --send-only patch so they probably
won't apply cleanly together unfortunately.

Cheers,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIcBAEBAgAGBQJKSpasAAoJEEQxgFs5kUfuDF8P/3trDTzp0GYwLRzlrwtUkdPb
KN577htmehV0odfRKa3gEUwHOK7+yMlXVSuncYivncJwgeW2GusXMw7yUpSA+13C
ZCh3cOhH93a9iGKqn7Pw9fL8qC5IPNfjHAUQJOHEpNmNKxpQDkyjJYhV5qIEmmdg
gvXogmVeLCtXz1sw1qeIwuMr4tqAMCR/rV2xOwkH14RjemExzuYehxIdHHOVUTe2
OyYCd0wpDMBJKfvh9mIlqJN/1AhNpYLOuqruhqu4jrMAl+JTXI4dPAuViZnj3L9M
DUbH8IQ1u2skBesJlAVsgzSMcvCWFLxSBGkL4lbWl7RFHUOxFEzim4mJ29WQzE09
7tiDswt6og3nwoBDDcnjc/UusAnVMLEXJtmIxO3e9m9n7oM6BVD5bVdUbuvfnj4u
HPiObwpDEWx9AJwlwIqAH1hBA9JnVP4IH5E6xrRhtZ1inF2yT7xTWFDYhXIJkbjN
X15H1mb59ew//A1XHdwTySvdJ8wfcBjaPrmaFz4b2EhKncb2skn+Vi9OxdMhna23
yHYWTn8h1N+RU+zO+fJUU0fsQ89TP8X2xQ1uibviYHoso7Czo1XxAVP6jthmtmIm
MMYXeBccTp4nmV2STunNt+vaUcOC+KH+fy2G+nclx9rmibkPmv+sAmP1Zr3MZXN3
YHu3eIyphTOAs2WgDsKK
=SQ6u
-----END PGP SIGNATURE-----
Index: ncat_broker.c
===================================================================
--- ncat_broker.c       (revision 13984)
+++ ncat_broker.c       (working copy)
@@ -330,36 +330,37 @@
         /* From a connected socket, not stdin. */
         nbytes = recv(recv_fd, buf, sizeof(buf), 0);
 
-        if (nbytes <= 0) {
-            if (o.debug)
-                logdebug("Closing connection.\n");
+        /* If we received from something other than stdin, and --send-only was
+           given, do no further processing. */
+        if (nbytes > 0 && o.sendonly)
+            return;
+    }
 
+    /* Handle EOF or error from network */
+    if (nbytes <= 0) {
+        if (o.debug)
+            logdebug("Closing connection.\n");
+
 #ifdef HAVE_OPENSSL
-            if (o.ssl && fdn->ssl) {
-                if (nbytes == 0)
-                    SSL_shutdown(fdn->ssl);
-                SSL_free(fdn->ssl);
-            }
+        if (o.ssl && fdn->ssl) {
+            if (nbytes == 0)
+                SSL_shutdown(fdn->ssl);
+            SSL_free(fdn->ssl);
+        }
 #endif
 
-            close(recv_fd);
-            FD_CLR(recv_fd, &master);
-            rm_fd(&fdlist, recv_fd);
+        close(recv_fd);
+        FD_CLR(recv_fd, &master);
+        rm_fd(&fdlist, recv_fd);
 
-            conn_count--;
-            if (conn_count == 0)
-                FD_CLR(STDIN_FILENO, &master);
+        conn_count--;
+        if (conn_count == 0)
+            FD_CLR(STDIN_FILENO, &master);
 
-            if (o.chat)
-                chat_announce_disconnect(recv_fd);
+        if (o.chat)
+            chat_announce_disconnect(recv_fd);
 
-            return;
-        }
-
-        /* If we received from something other than stdin, and --send-only was
-           given, do no further processing. */
-        if (o.sendonly)
-            return;
+        return;
     }
 
     if (o.debug > 1)

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
  • [PATCH] Ncat --broker & --ssl disconnects broken Kris Katterjohn (Jun 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault