Describe the bug
When invoking ncat over a Unix socket (for example with nc -U /var/run/libvirt/libvirt-sock), the application segfaults
To Reproduce
$ touch /tmp/foo
$ nc -U /tmp/foo
Segmentation fault (core dumped)
Expected behavior
In the example above, the expected behavior is:
$ touch /tmp/foo
$ nc -U /tmp/foo
Ncat: Connection refused.
Version info (please complete the following information):
5.8.14-991.nativencat --version: Ncat: Version 7.91 ( https://nmap.org/ncat )Additional context
To quote https://github.com/clearlinux/distribution/issues/2152#issuecomment-708808062:
Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7d89db5 in __strlen_avx2 () from /usr/lib64/haswell/libc.so.6 (gdb) bt #0 0x00007ffff7d89db5 in __strlen_avx2 () from /usr/lib64/haswell/libc.so.6 #1 0x00007ffff7c981f4 in __GI___strdup (s=0x0) at strdup.c:41 #2 0x000055555555fcd8 in nsock_iod_set_hostname (hostname=0x0, iod=0x5555555da270) at ../nsock/src/nsock_iod.c:453 #3 new_iod (mypool=<optimized out>) at ncat_connect.c:907 #4 0x000055555555d535 in ncat_connect () at ncat_connect.c:1018 #5 ncat_connect_mode () at ncat_main.c:1020 #6 main (argc=<optimized out>, argv=<optimized out>) at ncat_main.c:997 (gdb) f 3 #2 0x000055555555fcd8 in nsock_iod_set_hostname (hostname=0x0, iod=0x5555555da270) at ../nsock/src/nsock_iod.c:453 if (nsock_iod_set_hostname(nsi, o.sslservername) == -1) (gdb) p o $1 = {portno = 31337, verbose = 0, debug = 0, target = 0x7fffffffe6e6 "/tmp/foo", af = 1, proto = 6, broker = 0, listen = 0, keepopen = 0, sendonly = 0, recvonly = 0, noshutdown = 0, telnet = 0, linedelay = 0, chat = 0, nodns = 0, normlog = 0x0, hexlog = 0x0, normlogfd = -1, hexlogfd = -1, append = 0, idletimeout = 0, crlf = 0, allow = 0, deny = 0, allowset = 0x5555555d9870, denyset = 0x5555555d9910, httpserver = 0, nsock_engine = 0, test = 0, srcrtes = {{s_addr = 0}, {s_addr = 0}, {s_addr = 0}, {s_addr = 0}, {s_addr = 0}, {s_addr = 0}, { s_addr = 0}, {s_addr = 0}}, numsrcrtes = 0, srcrteptr = 4, conn_limit = -1, conntimeout = 10000, cmdexec = 0x0, execmode = EXEC_PLAIN, proxy_auth = 0x0, proxytype = 0x0, proxyaddr = 0x0, proxydns = 2, ssl = 0, sslcert = 0x0, sslkey = 0x0, sslverify = 0, ssltrustfile = 0x0, sslciphers = 0x0, sslservername = 0x0, sslalpn = 0x0, zerobyte = 0}o.sslservername is set to NULL at https://github.com/nmap/nmap/blob/ef8213a36c2e89233c806753a57b5cd473605408/ncat/ncat_core.c#L152 and set to something different at https://github.com/nmap/nmap/blob/ef8213a36c2e89233c806753a57b5cd473605408/ncat/ncat_main.c#L511
But this is not an SSL connection so it's not expected to be set to anything but null.
As mentioned by @thiagomacieira, the bug was introduced in nmap/nmap@7d6cf3a which introduced o.sslservername, but that's only for TCP connections, not unix sockets.
/cc @nnposter as you may have context
/cc https://github.com/clearlinux/distribution/issues/2152
Could you please test the following patch and report back?
--- a/ncat/ncat_main.c 2020-10-07 17:21:42.253789857 -0600
+++ b/ncat/ncat_main.c 2020-10-14 21:37:31.527610020 -0600
@@ -846,7 +846,7 @@
targetaddrs->addr.un.sun_family = AF_UNIX;
strncpy(targetaddrs->addr.un.sun_path, argv[optind], sizeof(targetaddrs->addr.un.sun_path));
targetaddrs->addrlen = SUN_LEN(&targetaddrs->addr.un);
- o.target = argv[optind];
+ o.sslservername = o.target = argv[optind];
optind++;
} else
#endif
@@ -865,7 +865,7 @@
targetaddrs->addr.vm.svm_cid = long_cid;
targetaddrs->addrlen = sizeof(targetaddrs->addr.vm);
- o.target = argv[optind];
+ o.sslservername = o.target = argv[optind];
optind++;
}
} else
Confirmed
$ /tmp/usr/bin/ncat -U /tmp/foo
Ncat: No such file or directory.
$ touch /tmp/foo
$ /tmp/usr/bin/ncat -U /tmp/foo
Ncat: Connection refused.
The patch has been committed as r38121. Thank you for reporting the issue and pin-pointing the offending commit; my bad.
I'll apply the committed patch to Clear tomorrow.
Most helpful comment
Could you please test the following patch and report back?