Message-Id: <201302200309.r1K39VZ6054615@red.freebsd.org>
Date: Wed, 20 Feb 2013 03:09:31 GMT
From: Paul Koch
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/176278: /usr/bin/nc (netcat) incorrectly passes telnet option data through

>Number: 176278
>Category: bin
>Synopsis: /usr/bin/nc (netcat) incorrectly passes telnet option data through
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Feb 20 03:10:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Paul Koch
>Release: 9.1
>Organization:
>Environment:
FreeBSD xxxxx 9.1-STABLE FreeBSD 9.1-STABLE #0 r246099: Thu Jan 31 08:47:47 EST 2013
>Description:
Run /usr/bin/nc -t {ip} 23

Garbage characters appear in output.

Run /usr/bin/nc -t {ip} 23 | hexdump -C

This will show something like the following at the start:

ff fd 25 ff fb 26 ff fd ...

The ff fd xx are telnet options which should be stripped from the output. Telnet options can occur pretty much at any time during the session, so garbage chars will probably also appear in other places of the output.
>How-To-Repeat:
Run nc command as above.
>Fix:
The telnet command opt processing in netcat.c is fairly crude. Strip the telnet options from the output buffer.

Patch attached with submission follows:

--- netcat.c 2013-02-20 12:46:17.000000000 +1000 +++ netcat.c.orig 2013-02-20 13:03:50.000000000 +1000 @@ -25,7 +25,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * $FreeBSD: stable/9/contrib/netcat/netcat.c 243818 2012-12-03 18:26:23Z delphij $ + * $FreeBSD$ */ /* 
@@ -100,7 +100,7 @@ char *portlist[PORT_MAX+1]; char *unix_dg_tmp_socket; -int atelnet(int, unsigned char *, unsigned int); +void atelnet(int, unsigned char *, unsigned int); void build_ports(char *); void help(void); int local_listen(char *, char *, struct addrinfo); @@ -823,7 +823,7 @@ pfd[0].events = 0; } else { if (tflag) - n = atelnet(nfd, buf, n); + atelnet(nfd, buf, n); if (atomicio(vwrite, lfd, buf, n) != n) return; } @@ -845,23 +845,20 @@ } /* Deal with RFC 854 WILL/WONT DO/DONT negotiation. */ -int +void atelnet(int nfd, unsigned char *buf, unsigned int size) { - unsigned char *p, *q, *end; + unsigned char *p, *end; unsigned char obuf[4]; - int compact = 0; if (size < 3) - return size; + return; end = buf + size - 2; for (p = buf; p < end; p++) { if (*p != IAC) continue; - compact = 1; - obuf[0] = IAC; p++; if ((*p == WILL) || (*p == WONT)) @@ -876,20 +873,6 @@ if (atomicio(vwrite, nfd, obuf, 3) != 3) warn("Write Error!"); } - - if (compact) { - p = q = buf; - end = buf + size; - while (p < end) { - if (*p == IAC) - p += 3; /* skip over telnet opt */ - else - *q++ = *p++; - } - size = q - buf; - } - - return size; } /* >Release-Note: >Audit-Trail: >Unformatted:
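
Review bot: The file header names the files in the wrong order (`--- netcat.c` then `+++ netcat.c.orig`), so the diff is reversed: the stripping loop, the `int` return type and `n = atelnet(nfd, buf, n);` all sit on `-` lines, and applying the patch as posted would remove the fix instead of adding it. Regenerate it as `diff -u netcat.c.orig netcat.c`, or apply it with `patch -R`. The first hunk only touches the `$FreeBSD$` keyword line and can be dropped from the submission.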
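
Review bot: In the compaction loop of the last hunk, `if (*p == IAC) p += 3;` treats every 0xff byte as the start of a three-byte option. That holds only for WILL/WONT/DO/DONT: an escaped data byte (IAC IAC), a two-byte command, or a subnegotiation (IAC SB ... IAC SE) would each have the wrong number of bytes removed, either eating real data or letting option payload through. Check the byte after IAC before deciding how many bytes to skip, and emit a single 0xff for IAC IAC.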
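
Review bot: In the `@@ -845` hunk, `if (size < 3) return size;` and `end = buf + size - 2;` mean an option that begins in the last two bytes of a read, or arrives in a read shorter than three bytes, is never answered, and its remaining bytes in the next read are written to the output as data. Since `n = atelnet(nfd, buf, n);` is called once per read with no memory of the previous call, keeping a small parser state between calls would close that gap. The function also takes `unsigned int size` but returns `int`; returning the same unsigned type would keep the length handling consistent.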
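
An added example, not code from this PR or from netcat.c: a stateful filter for the telnet option bytes the report describes, which keeps its parser state between reads so that options arriving at any point in the session, including ones split across two buffers, are removed. The name `tn_strip`, the state enum and the `C_`/`S_` constants are hypothetical; the function only strips and does not send the replies that `atelnet()` writes back to the peer.

```c
#include <stddef.h>

/* RFC 854 command bytes (named locally; arpa/telnet.h is not used). */
enum { C_SE = 240, C_SB = 250, C_WILL = 251, C_DONT = 254, C_IAC = 255 };

/* Parser state, kept by the caller between reads. */
enum tn_state { S_DATA, S_IAC, S_OPT, S_SB, S_SB_IAC };

/*
 * Hypothetical helper: compact buf[0..n) in place so that only user data
 * remains, and return the new length.  *st must start as S_DATA and be
 * passed unchanged to the next call on the same connection.
 */
size_t
tn_strip(enum tn_state *st, unsigned char *buf, size_t n)
{
	size_t i, out = 0;

	for (i = 0; i < n; i++) {
		unsigned char c = buf[i];

		switch (*st) {
		case S_DATA:
			if (c == C_IAC)
				*st = S_IAC;
			else
				buf[out++] = c;
			break;
		case S_IAC:
			if (c == C_IAC) {	/* IAC IAC is a literal 0xff */
				buf[out++] = c;
				*st = S_DATA;
			} else if (c >= C_WILL && c <= C_DONT)
				*st = S_OPT;	/* one option byte follows */
			else if (c == C_SB)
				*st = S_SB;	/* runs until IAC SE */
			else
				*st = S_DATA;	/* two-byte command such as NOP */
			break;
		case S_OPT:			/* the option code itself */
			*st = S_DATA;
			break;
		case S_SB:
			if (c == C_IAC)
				*st = S_SB_IAC;
			break;
		case S_SB_IAC:			/* IAC SE ends subnegotiation */
			*st = (c == C_SE) ? S_DATA : S_SB;
			break;
		}
	}
	return out;
}
```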