Summary: | net-analyzer/cryptcat-20031202 is stable on amd64 | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | postmodern <brodigan> |
Component: | [OLD] Unspecified | Assignee: | AMD64 Project <amd64> |
Status: | RESOLVED LATER | ||
Severity: | enhancement | ||
Priority: | High | ||
Version: | unspecified | ||
Hardware: | AMD64 | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
postmodern
2006-08-14 10:02:28 UTC
The pointer warnings scare me, and I don't have time to test out the function that's causing them. I'd rather wait for a newer version to be in portage for a while that has been tested more. Since this package is based off of netcat, the newer versions feel a bit more stable. Those pointer warnings are worrisome but I see the logic behind them. They ARE bad programming practices though.

cryptcat-20031202/netcat.c:

```c
192 /* holler :
193    fake varargs -- need to do this way because we wind up calling through
194    more levels of indirection than vanilla varargs can handle, and not all
195    machines have vfprintf/vsyslog/whatever!  6 params oughta be enough. */
196 void holler (str, p1, p2, p3, p4, p5, p6)
197   char * str;
198   char * p1, * p2, * p3, * p4, * p5, * p6;
199 {
200   if (o_verbose) {
201     fprintf (stderr, str, p1, p2, p3, p4, p5, p6);
202 #ifdef HAVE_BIND
203     if (h_errno) {              /* if host-lookup variety of error ... */
204       if (h_errno > 4)          /* oh no you don't, either */
205         fprintf (stderr, "preposterous h_errno: %d", h_errno);
206       else
207         fprintf (stderr, h_errs[h_errno]);  /* handle it here */
208       h_errno = 0;              /* and reset for next call */
209     }
210 #endif
211     if (errno) {                /* this gives funny-looking messages, but */
212       perror (" ");             /* it's more portable than sys_errlist[]... */
213     } else                      /* xxx: do something better? */
214       fprintf (stderr, "\n");
215     fflush (stderr);
216   }
217 } /* holler */
218
219 /* bail :
220    error-exit handler, callable from anywhere */
221 void bail (str, p1, p2, p3, p4, p5, p6)
222   char * str;
223   char * p1, * p2, * p3, * p4, * p5, * p6;
224 {
225   o_verbose = 1;
226   holler (str, p1, p2, p3, p4, p5, p6);
227   close (netfd);
228   sleep (1);
229   exit (1);
230 } /* bail */

...

269 /* Hmalloc :
270    malloc up what I want, rounded up to *4, and pre-zeroed.  Either succeeds
271    or bails out on its own, so that callers don't have to worry about it. */
272 char * Hmalloc (size)
273   unsigned int size;
274 {
275   unsigned int s = (size + 4) & 0xfffffffc;   /* 4GB?! */
276   char * p = malloc (s);
277   if (p != NULL)
278     memset (p, 0, s);
279   else
280     bail ("Hmalloc %d failed", s);
281   return (p);
282 } /* Hmalloc */
```

That looks like the beginnings of a format-string vuln. Luckily most of the time bail/holler are passed constant format strings, but let's grep to make sure.

```
$ egrep -Hn "(bail|holler)[[:space:]]*\([^\"\)]" *.c
netcat.c:196:void holler (str, p1, p2, p3, p4, p5, p6)
netcat.c:221:void bail (str, p1, p2, p3, p4, p5, p6)
netcat.c:226:  holler (str, p1, p2, p3, p4, p5, p6);
netcat.c:238:  bail (wrote_txt, wrote_net, wrote_out);
netcat.c:827:  holler (bigbuf_net, z);
netcat.c:1568:  holler (wrote_txt, wrote_net, wrote_out);
netcat.c:1655:  holler (wrote_txt, wrote_net, wrote_out);

$ grep -Hn wrote_txt *.c
netcat.c:149:static char wrote_txt[] = " sent %d, rcvd %d";
netcat.c:238:  bail (wrote_txt, wrote_net, wrote_out);
netcat.c:1568:  holler (wrote_txt, wrote_net, wrote_out);
netcat.c:1655:  holler (wrote_txt, wrote_net, wrote_out);
```

These cases are easily fixed as wrote_txt is meant to be a constant string but not declared const (that should be patched imho).

```
$ grep -Hn bigbuf_net *.c
netcat.c:160:char * bigbuf_net;
netcat.c:806:/* Various things that follow temporarily trash bigbuf_net, which might contain
netcat.c:820:  strcpy (bigbuf_net, "listening on [");  /* buffer reuse... */
netcat.c:822:  strcat (bigbuf_net, inet_ntoa (lclend->sin_addr));
netcat.c:824:  strcat (bigbuf_net, "any");
netcat.c:825:  strcat (bigbuf_net, "] %d ...");
netcat.c:827:  holler (bigbuf_net, z);
netcat.c:840:  (nnetfd, bigbuf_net, BIGSIZ, MSG_PEEK, (SA *) remend, &x);
netcat.c:841:Debug (("dolisten/recvfrom ding, rr = %d, netbuf %s ", rr, bigbuf_net))
netcat.c:891:  char * p = bigbuf_net;  /* local variables, yuk! */
netcat.c:892:  char * pp = &bigbuf_net[128];  /* get random space farther out... */
netcat.c:893:  memset (bigbuf_net, 0, 256);  /* clear it all first */
netcat.c:900:  holler ("IP options: %s", bigbuf_net);
netcat.c:909:  memset (bigbuf_net, 0, 64);
netcat.c:910:  cp = &bigbuf_net[32];
netcat.c:927:  strcpy (bigbuf_net, inet_ntoa (remend->sin_addr));
netcat.c:928:  whozis = gethostpoop (bigbuf_net, o_nflag);
netcat.c:1205:  /*rr = read (fd, bigbuf_net, BIGSIZ);*/
netcat.c:1206:  rr = farm9crypt_read (fd, bigbuf_net, BIGSIZ);
netcat.c:1212:  np = bigbuf_net;
netcat.c:1350:  bigbuf_net = Hmalloc (BIGSIZ);
```

bigbuf_net is a little more involved, but if you check the code the only time variable data is copied into it is on line 1206, after that I don't see it being passed back to bail/holler without being reset. In conclusion I'd say those warnings are the legacy of netcat's horribly messy code-base. People should move onto other network clients, such as ncat or *shameless self promotion* my own upcoming incat, but if they must netcat is still usable.
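As an added illustration (not code from cryptcat, netcat or this bug report): the holler() pattern above rewritten with standard C varargs so the format is always a programmer-chosen literal, the dolisten message rebuilt so inet_ntoa()'s text travels as a `%s` argument instead of being concatenated into the format, and a small check that flags any would-be format string still carrying conversion directives. The names `format_is_literal` and `build_listen_msg` are assumptions, and the h_errno/errno reporting of the original holler() is left out.

```c
/* Added example (not cryptcat/netcat code): varargs holler(), safe listen message, literal-format check. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static int o_verbose = 1;   /* mirrors netcat's global verbosity flag */
/* Hardened holler: fmt is a programmer-chosen literal; external data only ever arrives as an argument. */
static void holler(const char *fmt, ...)
{
    va_list ap;
    if (!o_verbose)
        return;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
    fputc('\n', stderr);
    fflush(stderr);
}

/* Returns 1 if s holds no conversion directive (only "%%" escapes), else 0: an
 * assertion for any buffer legacy code still hands to holler()/bail() as the format. */
static int format_is_literal(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" prints a single '%' */
            s++;
            continue;
        }
        return 0;               /* any other directive would be interpreted by printf */
    }
    return 1;
}

/* The dolisten() message rebuilt safely: inet_ntoa()'s text is a %s argument instead
 * of being strcat'ed into bigbuf_net and used as the format. Returns snprintf's count. */
static int build_listen_msg(char *out, size_t n, const char *addr, int port)
{
    return snprintf(out, n, "listening on [%s] %d ...", addr ? addr : "any", port);
}

int main(void)
{
    char msg[128];
    build_listen_msg(msg, sizeof msg, "192.0.2.7 %s", 31337); /* constructed: directive-looking text stays inert */
    holler("%s", msg);
    return 0;
}
```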