From 77119bb4d863fb9a2c3ba7813bc6188934f07753 Mon Sep 17 00:00:00 2001 From: david Date: Tue, 23 Feb 2010 20:59:31 +0000 Subject: [PATCH] Use the cached value of recv_fd when removing descriptors from the read and broadcast lists when a connection is broken, instead of re-reading the descriptor from the fdinfo struct. The problem was that there were two calls to rm_fd, and the first one invalidated the data that the struct pointer pointed to. For some reason this didn't cause any problems in most situations. Mak Kolybabi reported that it caused a segfault in ncat -l --ssl -k -v 5061 > /dev/null < /dev/zero With SSL, new connections would try to read memory that was previously freed, as descriptors were not being removed from the broadcast list as they were removed from the read list. You can see the error in these debug logs: NCAT DEBUG: Closing connection. NCAT DEBUG: Swapping fd[2] (4) with fd[3] (5) NCAT DEBUG: Removed fd 4 from list, nfds 3, maxfd 5 NCAT DEBUG: Swapping fd[1] (5) with fd[1] (5) NCAT DEBUG: Removed fd 5 from list, nfds 1, maxfd 4 The "Remove fd X" should have the same X in both lines. --- CHANGELOG | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index 9aa2d9722..2a4fc17bb 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -2,6 +2,12 @@ [NOT YET RELEASED] +o [Ncat] Fixed a segmentation fault caused by access to freed memory. + It could be triggered by making multiple connections to a server + that was constantly sending in SSL mode, as + ncat -l -k --ssl < /dev/zero + This bug was reported by Mak Kolybabi. [David] + o [NSE] Moved the smtp-open-relay.nse script out of the "demo" category after some improvements by Duarte Silva.
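Review bot: the code change described in the commit message (using the cached recv_fd instead of re-reading it from the fdinfo struct after the first rm_fd call has invalidated it) is not part of this patch, which touches only CHANGELOG ("1 file changed, 6 insertions(+)"); if the fix landed in a separate commit, the entry should point to it, otherwise the fix itself is missing here. The entry's wording "access to freed memory" also understates what the message explains: descriptors were removed from the read list but left on the broadcast list, so later connections reused a freed fdinfo; a sentence to that effect (e.g. "descriptors of closed connections were left on the broadcast list") would make the CHANGELOG entry more useful to anyone auditing similar list-maintenance code.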