mirror of https://github.com/nmap/nmap.git synced 2026-02-05 21:16:33 +00:00

Use the cached value of recv_fd when removing descriptors from the read

and broadcast lists when a connection is broken, instead of re-reading
the descriptor from the fdinfo struct. The problem was that there were
two calls to rm_fd, and the first one invalidated the data that the
struct pointer pointed to.

For some reason this didn't cause any problems in most situations. Mak
Kolybabi reported that it caused a segfault in
	ncat -l --ssl -k -v 5061 > /dev/null < /dev/zero
With SSL, new connections would try to read memory that was previously
freed, as descriptors were not being removed from the broadcast list as
they were removed from the read list.

You can see the error in these debug logs:

NCAT DEBUG: Closing connection.
NCAT DEBUG: Swapping fd[2] (4) with fd[3] (5)
NCAT DEBUG: Removed fd 4 from list, nfds 3, maxfd 5
NCAT DEBUG: Swapping fd[1] (5) with fd[1] (5)
NCAT DEBUG: Removed fd 5 from list, nfds 1, maxfd 4

The "Remove fd X" should have the same X in both lines.
This commit is contained in:
david
2010-02-23 20:59:31 +00:00
parent c83f5474b7
commit 77119bb4d8
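The bug pattern the commit message describes (a pointer into an fd array going stale after the first swap-with-last removal, so the second removal reads a different descriptor) is easy to reproduce in isolation. The following is an added example written for this page, not Ncat's code: the `fd_list`, `fdinfo`, `get_fdinfo` and `rm_fd` shapes are simplified assumptions, and the descriptor numbers 3, 4 and 5 and the two lists are constructed to match the swap pattern in the debug log above. It shows the buggy and the fixed close path side by side, including the "last slot" case where the swap is with itself and the bug stays hidden.

```c
#include <stdio.h>

/* Simplified stand-in for Ncat's fd_list / fdinfo / rm_fd (assumed shapes, not Ncat's code). */
#define MAX_FDS 8

struct fdinfo {
    int fd;
    void *ssl;      /* per-connection state; freed when the connection closes */
};

struct fd_list {
    struct fdinfo fds[MAX_FDS];
    int nfds;
};

static void add_fd(struct fd_list *l, int fd)
{
    l->fds[l->nfds].fd = fd;
    l->fds[l->nfds].ssl = NULL;
    l->nfds++;
}

/* Pointer into the array: only valid until the list is next modified. */
static struct fdinfo *get_fdinfo(struct fd_list *l, int fd)
{
    int i;
    for (i = 0; i < l->nfds; i++)
        if (l->fds[i].fd == fd)
            return &l->fds[i];
    return NULL;
}

/* Swap-with-last removal (the "Swapping fd[i] with fd[j]" in the debug log).
   After this, the slot that held fd holds whatever was last in the list. */
static int rm_fd(struct fd_list *l, int fd)
{
    int i;
    for (i = 0; i < l->nfds; i++) {
        if (l->fds[i].fd == fd) {
            l->fds[i] = l->fds[l->nfds - 1];
            l->nfds--;
            return 1;
        }
    }
    return 0;
}

static int list_contains(struct fd_list *l, int fd)
{
    return get_fdinfo(l, fd) != NULL;
}

/* Before the fix: the second rm_fd re-reads fdn->fd, but the first rm_fd may
   have overwritten that slot with another descriptor. */
static void close_conn_buggy(struct fd_list *read_l, struct fd_list *bcast_l, struct fdinfo *fdn)
{
    rm_fd(read_l, fdn->fd);
    rm_fd(bcast_l, fdn->fd);   /* stale read: may name the swapped-in fd instead */
}

/* After the fix: cache the descriptor number once, before touching any list. */
static void close_conn_fixed(struct fd_list *read_l, struct fd_list *bcast_l, struct fdinfo *fdn)
{
    int recv_fd = fdn->fd;
    rm_fd(read_l, recv_fd);
    rm_fd(bcast_l, recv_fd);
}

/* Constructed scenario: read list {3, 4, 5}, broadcast list {4, 5}.
   Closes fd_to_close with the buggy or fixed routine and reports whether
   query_fd is still in the broadcast list afterwards (1 = yes, 0 = no). */
int in_broadcast_after_close(int use_fix, int fd_to_close, int query_fd)
{
    struct fd_list read_l, bcast_l;
    struct fdinfo *fdn;

    read_l.nfds = 0;
    bcast_l.nfds = 0;
    add_fd(&read_l, 3);   /* e.g. the listening socket: read list only */
    add_fd(&read_l, 4);
    add_fd(&read_l, 5);
    add_fd(&bcast_l, 4);
    add_fd(&bcast_l, 5);

    fdn = get_fdinfo(&read_l, fd_to_close);
    if (use_fix)
        close_conn_fixed(&read_l, &bcast_l, fdn);
    else
        close_conn_buggy(&read_l, &bcast_l, fdn);

    return list_contains(&bcast_l, query_fd);
}

int main(void)
{
    printf("buggy, close 4: fd 4 still in broadcast? %d, fd 5 still in broadcast? %d\n",
           in_broadcast_after_close(0, 4, 4), in_broadcast_after_close(0, 4, 5));
    printf("buggy, close 5 (last slot, swapped with itself): fd 5 still in broadcast? %d\n",
           in_broadcast_after_close(0, 5, 5));
    printf("fixed, close 4: fd 4 still in broadcast? %d, fd 5 still in broadcast? %d\n",
           in_broadcast_after_close(1, 4, 4), in_broadcast_after_close(1, 4, 5));
    return 0;
}
```

With the buggy path, closing fd 4 removes fd 5 from the broadcast list and leaves the closed fd 4 in it, which is exactly the mismatch the two "Removed fd" log lines show; the next broadcast would then write to a descriptor whose per-connection state has already been freed. Closing the last descriptor in the list swaps the slot with itself, so the stale read happens to return the right value, which is why the bug only surfaced in some situations.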


@@ -2,6 +2,12 @@
[NOT YET RELEASED]
o [Ncat] Fixed a segmentation fault caused by access to freed memory.
It could be triggered by making multiple connections to a server
that was constantly sending in SSL mode, as
ncat -l -k --ssl < /dev/zero
This bug was reported by Mak Kolybabi. [David]
o [NSE] Moved the smtp-open-relay.nse script out of the "demo"
category after some improvements by Duarte Silva.
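Review bot: the new CHANGELOG entry names the symptom (access to freed memory) but not the cause, which the commit message states clearly: two rm_fd calls, the first invalidating the fdinfo pointer the second re-read, so a descriptor was dropped from the read list but a different one from the broadcast list. One clause such as "because a connection's descriptor was removed from the read list but not from the broadcast list" would let a reader of the CHANGELOG understand what actually went wrong. Also, "sending in SSL mode, as" reads as a cut-off sentence; "such as" (or "e.g.") before the command would be clearer.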