Netcat crashes w/ a buffer overflow if you try to connect to ports over 999,999. Reproducible: Always Steps to Reproduce: # nc localhost 10000000 Actual Results: *** buffer overflow detected ***: nc - terminated nc: buffer overflow attack in function <unknown> - terminated Report to http://bugs.gentoo.org/ Killed Expected Results: Unsure. Severity is set to the correct level: trivial. Reporting because it might have implications elsewhere within the application, and it amuses me. ====================== execve("/usr/bin/nc", ["nc", "localhost", "12312312000"], [/* 25 vars */]) = 0 brk(0) = 0x610608 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x313de019000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=72599, ...}) = 0 mmap(NULL, 72599, PROT_READ, MAP_PRIVATE, 3, 0) = 0x313de007000 close(3) = 0 open("/lib64/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\357\1\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1707504, ...}) = 0 mmap(NULL, 3819608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x313dda56000 mprotect(0x313ddbf1000, 2093056, PROT_NONE) = 0 mmap(0x313dddf0000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19a000) = 0x313dddf0000 mmap(0x313dddf5000, 22616, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x313dddf5000 close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x313de006000 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x313de004000 arch_prctl(ARCH_SET_FS, 0x313de004720) = 0 mprotect(0x313dddf0000, 16384, PROT_READ) = 0 mprotect(0x606000, 4096, PROT_READ) = 0 mprotect(0x313de01b000, 4096, PROT_READ) = 0 munmap(0x313de007000, 72599) = 0 brk(0) = 0x610608 brk(0x631608) = 0x631608 brk(0x632000) = 0x632000 rt_sigaction(SIGINT, {0x401ba0, [INT], 
SA_RESTORER|SA_RESTART, 0x313dda89ca0}, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGQUIT, {0x401ba0, [QUIT], SA_RESTORER|SA_RESTART, 0x313dda89ca0}, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGTERM, {0x401ba0, [TERM], SA_RESTORER|SA_RESTART, 0x313dda89ca0}, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGURG, {SIG_IGN, [URG], SA_RESTORER|SA_RESTART, 0x313dda89ca0}, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER|SA_RESTART, 0x313dda89ca0}, {SIG_DFL, [], 0}, 8) = 0 getpid() = 15869 open("/etc/resolv.conf", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=176, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x313de018000 read(3, "# Generated by dhcpcd from eth1\n"..., 4096) = 176 read(3, "", 4096) = 0 close(3) = 0 munmap(0x313de018000, 4096) = 0 uname({sys="Linux", node="headless.jowr.info", ...}) = 0 time([1307633728]) = 1307633728 stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=176, ...}) = 0 open("/etc/resolv.conf", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=176, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x313de018000 read(3, "# Generated by dhcpcd from eth1\n"..., 4096) = 176 read(3, "", 4096) = 0 close(3) = 0 munmap(0x313de018000, 4096) = 0 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 open("/etc/nsswitch.conf", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=508, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x313de018000 read(3, "# /etc/nsswitch.conf:\n# $Header:"..., 4096) = 508 read(3, "", 4096) = 0 close(3) = 0 munmap(0x313de018000, 4096) = 0 open("/etc/ld.so.cache", O_RDONLY) = 3 
fstat(3, {st_mode=S_IFREG|0644, st_size=72599, ...}) = 0 mmap(NULL, 72599, PROT_READ, MAP_PRIVATE, 3, 0) = 0x313de007000 close(3) = 0 open("/lib64/libnss_files.so.2", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\"\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=51544, ...}) = 0 mmap(NULL, 2148088, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x313dd849000 mprotect(0x313dd855000, 2093056, PROT_NONE) = 0 mmap(0x313dda54000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x313dda54000 close(3) = 0 mprotect(0x313dda54000, 4096, PROT_READ) = 0 munmap(0x313de007000, 72599) = 0 open("/etc/host.conf", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=936, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x313de018000 read(3, "# /etc/host.conf:\n# $Header: /va"..., 4096) = 936 read(3, "", 4096) = 0 close(3) = 0 munmap(0x313de018000, 4096) = 0 open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 3 fcntl(3, F_GETFD) = 0x1 (flags FD_CLOEXEC) fstat(3, {st_mode=S_IFREG|0644, st_size=1090, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x313de018000 read(3, "# /etc/hosts: Local Host Databas"..., 4096) = 1090 close(3) = 0 munmap(0x313de018000, 4096) = 0 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=72599, ...}) = 0 mmap(NULL, 72599, PROT_READ, MAP_PRIVATE, 3, 0) = 0x313de007000 close(3) = 0 open("/lib64/tls/x86_64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/lib64/tls/x86_64", 0x3c22c6507b0) = -1 ENOENT (No 
such file or directory) open("/lib64/tls/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/lib64/tls", 0x3c22c6507b0) = -1 ENOENT (No such file or directory) open("/lib64/x86_64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/lib64/x86_64", 0x3c22c6507b0) = -1 ENOENT (No such file or directory) open("/lib64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/lib64", {st_mode=S_IFDIR|0755, st_size=16384, ...}) = 0 open("/usr/lib64/tls/x86_64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib64/tls/x86_64", 0x3c22c6507b0) = -1 ENOENT (No such file or directory) open("/usr/lib64/tls/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib64/tls", 0x3c22c6507b0) = -1 ENOENT (No such file or directory) open("/usr/lib64/x86_64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib64/x86_64", 0x3c22c6507b0) = -1 ENOENT (No such file or directory) open("/usr/lib64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib64", {st_mode=S_IFDIR|0755, st_size=49152, ...}) = 0 munmap(0x313de007000, 72599) = 0 open("/etc/services", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=36141, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x313de018000 read(3, "# /etc/services\n#\n# Network serv"..., 4096) = 4096 read(3, " private\t77/tcp\t\t\t\t# any private"..., 4096) = 4096 read(3, "e\nemfis-cntl\t141/udp\nimap\t\t143/t"..., 4096) = 4096 read(3, "dialog\t360/tcp\t\t\t\t# scoi2odialog"..., 4096) = 4096 read(3, "\t\tdqs313_intercell\ncryptoadmin\t6"..., 4096) = 4096 read(3, "# Citrix ICA Client\nica\t\t1494/ud"..., 4096) = 4096 read(3, "05/udp\nlstp\t\t2559/tcp\t\t\t# \nlstp\t"..., 4096) = 4096 read(3, "t-pmp\t\t5351/udp\ndns-llq\t\t5352/tc"..., 4096) = 4096 read(3, "p\t\t\t# OpenPGP HTTP Keyserver\nhkp"..., 4096) = 3373 read(3, "", 4096) = 0 close(3) = 0 
munmap(0x313de018000, 4096) = 0 socket(PF_FILE, SOCK_DGRAM, 0) = 3 connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket) close(3) = 0 socket(PF_FILE, SOCK_STREAM, 0) = 3 connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0 write(2, "*** buffer overflow detected ***"..., 50*** buffer overflow detected ***: nc - terminated ) = 50 write(3, "*** buffer overflow detected ***"..., 50) = 50 write(2, "nc: buffer overflow attack in fu"..., 62nc: buffer overflow attack in function <unknown> - terminated ) = 62 write(3, "nc: buffer overflow attack in fu"..., 62) = 62 write(2, "Report to http://bugs.gentoo.org"..., 35Report to http://bugs.gentoo.org/ ) = 35 write(3, "Report to http://bugs.gentoo.org"..., 35) = 35 close(3) = 0 getpid() = 15869 kill(15869, SIGKILL <unfinished ...> +++ killed by SIGKILL +++ Killed
Ignoring the fact that ports over 65535 aren't even valid ...
That's why this is Cute Bug of the Year.
ive committed a fix upstream for the issue
--- netcat.c (revision 20)
+++ netcat.c (revision 21)
@@ -100,7 +100,6 @@
 struct port_poop {
 char name [64]; /* name in /etc/services */
- char anum [8]; /* ascii-format number */
 USHORT num; /* real host-order number */
 };
 #define PINF struct port_poop
@@ -493,7 +492,6 @@
 gp_finish:
 /* Fall here whether or not we have a valid servent at this point, with x containing our [host-order and therefore useful, dammit] port number */
- sprintf (portpoop->anum, "%d", x); /* always load any numeric specs! */
 portpoop->num = (x & 0xffff); /* ushort, remember... */
 return (portpoop->num);
 } /* getportpoop */
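Review bot: The surviving line `portpoop->num = (x & 0xffff);` in the second hunk still truncates an out-of-range port silently, so the reported `nc localhost 10000000` no longer crashes but quietly connects to port 38528 (10000000 & 0xffff) instead of being refused. Dropping `anum` and the unbounded `sprintf` does remove the overflow that the fortified sprintf check caught in the strace, but a range check belongs before the mask, e.g. `if (x < 0 || x > 65535) { /* reject the port spec via the caller's usual error path */ }`, using whatever failure convention getportpoop's callers already expect; the numeric parse and the start of getportpoop lie outside the hunk. If anything else in netcat.c still reads `anum` it will need the same treatment, though the compiler will flag that once the field is gone.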