From 4519c2ec74de5c994454cd1243d6c9e02c1398f1 Mon Sep 17 00:00:00 2001
From: david
Date: Sat, 22 Dec 2012 06:02:30 +0000
Subject: [PATCH] Assert that get_fdinfo doesn't return NULL.
Resolves these Parfait reports (http://seclists.org/nmap-dev/2012/q4/412). Error: Null pointer dereference (CWE 476) Read from null pointer 'fdn' at line 328 of components/nmap/build/amd64/ncat/ncat_core.c in function 'blocking_fdinfo_send'. Function 'get_fdinfo' may return constant 'NULL' at line 615, called at line 366 in function 'ncat_broadcast'. Constant 'NULL' passed into function 'blocking_fdinfo_send', argument 'fdn', from call at line 367. Null pointer introduced at line 615 of components/nmap/build/amd64/ncat/util.c in function 'get_fdinfo'. at line 330 of components/nmap/build/amd64/ncat/ncat_core.c in function 'blocking_fdinfo_send'. Function 'get_fdinfo' may return constant 'NULL' at line 615, called at line 366 in function 'ncat_broadcast'. Constant 'NULL' passed into function 'blocking_fdinfo_send', argument 'fdn', from call at line 367. Null pointer introduced at line 615 of components/nmap/build/amd64/ncat/util.c in function 'get_fdinfo'. Error: Null pointer dereference (CWE 476) Read from null pointer 'fdn' at line 946 of components/nmap/build/amd64/ncat/ncat_listen.c in function 'shutdown_sockets'. Function 'get_fdinfo' may return constant 'NULL' at line 615, called at line 945. Null pointer introduced at line 615 of components/nmap/build/amd64/ncat/util.c in function 'get_fdinfo'.
---
 ncat/ncat_core.c | 1 +
 ncat/ncat_listen.c | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/ncat/ncat_core.c b/ncat/ncat_core.c
index 3253e0220..213dd6954 100644
--- a/ncat/ncat_core.c
+++ b/ncat/ncat_core.c
@@ -363,6 +363,7 @@ int ncat_broadcast(fd_set *fds, const fd_list_t *fdlist, const char *msg, size_t
 continue;
 fdn = get_fdinfo(fdlist, i);
+ ncat_assert(fdn != NULL);
 if (blocking_fdinfo_send(fdn, msg, size) <= 0) {
 if (o.debug > 1)
 logdebug("Error sending to fd %d: %s.\n", i, socket_strerror(socket_errno()));
diff --git a/ncat/ncat_listen.c b/ncat/ncat_listen.c
index d2ba2326f..2c0b948e3 100644
--- a/ncat/ncat_listen.c
+++ b/ncat/ncat_listen.c
@@ -292,6 +292,7 @@ static int ncat_listen_stream(int proto)
 FD_CLR(i, &master_readfds);
 FD_CLR(i, &master_writefds);
 fdi = get_fdinfo(&client_fdlist, i);
+ ncat_assert(fdi != NULL);
 switch (ssl_handshake(fdi)) {
 case NCAT_SSL_HANDSHAKE_COMPLETED:
 /* Clear from sslpending_fds once ssl is established */
@@ -534,7 +535,7 @@ int read_socket(int recv_fd)
 int nbytes, pending;
 fdn = get_fdinfo(&client_fdlist, recv_fd);
- assert(fdn != NULL);
+ ncat_assert(fdn != NULL);
 nbytes = 0;
 do {
@@ -837,7 +838,7 @@ static void read_and_broadcast(int recv_fd)
 int pending;
 fdn = get_fdinfo(&client_fdlist, recv_fd);
- assert(fdn);
+ ncat_assert(fdn != NULL);
 /* Loop while ncat_recv indicates data is pending. */
 do {
@@ -942,6 +943,7 @@ static void shutdown_sockets(int how)
 continue;
 fdn = get_fdinfo(&broadcast_fdlist, i);
+ ncat_assert(fdn != NULL);
 shutdown(fdn->fd, how);
 }
 }
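Review bot: The added `ncat_assert(fdn != NULL);` in ncat_broadcast turns a descriptor that is set in `fds` but has no entry in `fdlist` into a deliberate termination of the whole process, so a single stale bit in the fd_set would drop every connected client rather than just that one descriptor; since the loop already uses `continue` to skip descriptors not in `fds`, a non-fatal `if (fdn == NULL) continue;` (with a logdebug line) would be the more resilient choice if get_fdinfo can really return NULL at runtime, as the cited Parfait report suggests. The same consideration applies to the ncat_listen_stream and shutdown_sockets hunks in ncat_listen.c. The read_socket and read_and_broadcast hunks only swap `assert` for `ncat_assert`, which presumably keeps the check alive in builds compiled with NDEBUG — worth confirming that ncat_assert is not itself conditional on a debug flag. ncat_broadcast's loop starts and ends outside the hunk.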