netcat (nc) dumps core
- To: bugs_(_at_)_openbsd_(_dot_)_org
- Subject: netcat (nc) dumps core
- From: Csaba Simon <secsaba_(_at_)_yahoo_(_dot_)_com>
- Date: Fri, 20 Dec 2002 02:08:19 -0800 (PST)
>Submitter-Id: secsaba
>Originator: Simon Csaba Endre
>Organization: net
>Confidential: no
>Synopsis: netcat (nc) dumps core
>Severity: non-critical
>Priority: low
>Category: user
>Class: sw-bug
>Release: 3.2, -current
>Environment:
System : OpenBSD 3.2
Architecture: OpenBSD.i386
Machine : i386
>Description:
When specifying a port range 1-65535 as a command line argument the
netcat (nc) program dumps core on a system where the maximum memory is
64Mb.
The errors are:
1) doesn't check the return value of calloc()
2) allocates PORT_MAX (65535) bytes of memory chunks instead of only 6
bytes (the length of the string "65535" + 1 byte for the
trailing '\0').
For a port range of 1-65535 the memory allocated will be 65535*65535
bytes!!!
>How-To-Repeat:
nc -z localhost 1-65535
>Fix:
Apply the above patch:
--- netcat.c Fri Dec 20 10:22:46 2002
+++ netcat.c.old Fri Dec 20 09:51:16 2002
@@ -655,9 +655,8 @@
/* Load ports sequentially */
for (cp = lo; cp <= hi; cp++) {
- if ((portlist[x] = calloc(1, 6)) == NULL)
- errx (1, "not enough memory");
- snprintf(portlist[x], 6, "%d", cp);
+ portlist[x] = calloc(1, PORT_MAX);
+ snprintf(portlist[x], PORT_MAX, "%d", cp);
x++;
}
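Review bot: The diff is reversed: the file headers name netcat.c as the old file and netcat.c.old as the new one, so in the port-range loop the `-` lines (calloc(1, 6) with the NULL check) are the proposed fix and the `+` lines (calloc(1, PORT_MAX), unchecked) are the existing code. Regenerate it with the original file first so it applies without patch -R. The literal 6 also appears twice in the fixed lines; a named constant or sizeof("65535") would keep the calloc and snprintf sizes in step.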
@@ -677,9 +676,8 @@
hi = (int)strtoul(p, &endp, 10);
if (hi <= 0 || hi > PORT_MAX || *endp != '\0')
errx(1, "port range not valid");
- if ((portlist[0] = calloc(1, 6)) == NULL)
- errx (1, "not enough memory");
- snprintf(portlist[0], 6, "%d", hi);
+ portlist[0] = calloc(1, PORT_MAX);
+ portlist[0] = p;
}
}
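Review bot: The report does not mention that the existing single-port lines, `portlist[0] = calloc(1, PORT_MAX);` followed by `portlist[0] = p;`, overwrite the pointer calloc just returned, so that allocation is lost. This is worth stating in the description, because the snprintf version also changes what is stored from the argument string `p` to the parsed value `hi`. The 6-byte buffer is sufficient here only because of the `hi > PORT_MAX` check in the context lines above, so a short comment tying the size to that check would help. The fixed lines write `errx (1, ...)` with a space before the parenthesis, while the context uses `errx(1, "port range not valid")`; match the existing style.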