
netcat (nc) dumps core

From: Csaba Simon <secsaba(at)yahoo.com>
Date: Fri Dec 20 2002 - 05:08:19 EST


>Submitter-Id: secsaba
>Originator: Simon Csaba Endre
>Organization: net
>Confidential: no
>Synopsis: netcat (nc) dumps core
>Severity: non-critical

System      : OpenBSD 3.2
Architecture: OpenBSD.i386
Machine     : i386

>Description:
When specifying a port range 1-65535 as a command line argument, the netcat (nc) program dumps core on a system where the maximum memory is 64Mb. The errors are: 1) it doesn't check the return value of calloc() 2) it allocates PORT_MAX (65535) bytes of memory chunks instead of only 6 bytes (the length of the string "65535" + 1 byte for the trailing '\0'). For a port range of 1-65535 the memory allocated will be 65535*65535 bytes!!!
>How-To-Repeat:
nc -z localhost 1-65535

>Fix:

  Apply the above patch:
  • netcat.c Fri Dec 20 10:22:46 2002 +++ netcat.c.old Fri Dec 20 09:51:16 2002 @@ -655,9 +655,8 @@

 /* Load ports sequentially */

    for (cp = lo; cp <= hi; cp++) {

-      if ((portlist[x] = calloc(1, 6)) == NULL)
-          errx (1, "not enough memory");
-      snprintf(portlist[x], 6, "%d", cp);
+      portlist[x] = calloc(1, PORT_MAX);
+      snprintf(portlist[x], PORT_MAX, "%d", cp);
       x++;

    }  
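Review bot: the patch direction is inverted, starting at the file header (netcat.c is listed as the old side and netcat.c.old as the new one): in this hunk the `-` lines hold the NULL check on calloc() and the 6-byte buffer, and the `+` lines put back the unchecked `calloc(1, PORT_MAX)`, so applying it as posted would remove the fix. Regenerate it with netcat.c.old as the first file. Separately, the literal 6 appears in both calloc() and snprintf(); a named constant or `sizeof("65535")` would keep the two in step and document where the size comes from.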

@@ -677,9 +676,8 @@

    hi = (int)strtoul(p, &endp, 10);
    if (hi <= 0 || hi > PORT_MAX || *endp != '\0')

        errx(1, "port range not valid");

-   if ((portlist[0] = calloc(1, 6)) == NULL)
-       errx (1, "not enough memory");
-   snprintf(portlist[0], 6, "%d", hi);

+ portlist[0] = calloc(1, PORT_MAX);
+ portlist[0] = p;
  }
 }
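Review bot: in the `+` lines, `portlist[0] = calloc(1, PORT_MAX);` is immediately followed by `portlist[0] = p;`, which overwrites the pointer and leaks the allocation; the report's description does not mention this, and it should, since the `-` lines change behaviour here by storing a formatted copy of `hi` instead of pointing at `p`. As in the first hunk, the direction is reversed, so the checked version sits on the `-` side. Style: `errx (1, ...)` on the `-` lines has a space before the parenthesis, unlike the `errx(1, "port range not valid");` context line above it.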
Received on Fri Dec 20 05:09:50 2002
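The failure mode described in the report (unchecked calloc() and a PORT_MAX-sized buffer per port), as an added C example that is not part of the original message or of the OpenBSD netcat source: a port-list builder that sizes each string at 6 bytes, checks every allocation and frees partial results on failure. The names build_portlist, free_portlist, flaky_calloc and alloc_fn are hypothetical, and flaky_calloc is a constructed stand-in for a low-memory system.

```c
#include <stdio.h>
#include <stdlib.h>
#define PORT_MAX 65535
#define PORT_STRLEN sizeof("65535")   /* 5 digits + '\0' = 6 bytes */

typedef void *(*alloc_fn)(size_t, size_t);  /* hypothetical allocator hook */
/* Constructed test aid: flaky_calloc succeeds fail_after times, then fails once. */
static int fail_after = -1;           /* -1 means never fail */
static void *flaky_calloc(size_t n, size_t sz)
{
    if (fail_after >= 0 && fail_after-- == 0)
        return NULL;                  /* simulated memory exhaustion */
    return calloc(n, sz);
}

static void free_portlist(char **list, size_t n)
{
    for (size_t i = 0; list != NULL && i < n; i++)
        free(list[i]);
    free(list);
}

/* Returns hi-lo+1 port strings, or NULL on a bad range or failed allocation. */
static char **build_portlist(int lo, int hi, size_t *count, alloc_fn alloc)
{
    if (lo <= 0 || hi > PORT_MAX || lo > hi)
        return NULL;
    size_t n = (size_t)(hi - lo) + 1;
    char **list = alloc(n, sizeof(*list));
    if (list == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        if ((list[i] = alloc(1, PORT_STRLEN)) == NULL) {
            free_portlist(list, i);   /* release what was built so far */
            return NULL;
        }
        snprintf(list[i], PORT_STRLEN, "%d", lo + (int)i);
    }
    *count = n;
    return list;
}

int main(void)
{
    size_t n = 0;
    char **pl = build_portlist(1, PORT_MAX, &n, calloc);
    if (pl == NULL) return 1;
    printf("%zu ports, last=%s, %zu string bytes\n", n, pl[n - 1], n * PORT_STRLEN);
    free_portlist(pl, n);
    return 0;
}
```

Passing flaky_calloc instead of calloc exercises the NULL-return path that the original code never checked.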

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:40 EDT

