From 972ed6bac0951dbf6fac7e13550f6a429b316e4e Mon Sep 17 00:00:00 2001
From: nnposter
Date: Sun, 10 Oct 2021 01:12:57 +0000
Subject: [PATCH] Add SOCKS5 support for SOCKS5_ATYP_NAME bind address. Closes #2365
---
 CHANGELOG | 3 +++
 ncat/ncat_connect.c | 10 +++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index d77246ab1..5e252ebc2 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,6 +3,9 @@
 o [Ncat] Fix hostname/certificate comparison and matching to handle ASN.1 strings without null terminators, a similar bug to OpenSSL's CVE-2021-3712.
+o [Ncat][GH#2365] Added support for SOCKS5 proxies that return bind addresses as hostnames, instead of IPv4/IPv6 addresses. [pomu0325]
+
 Nmap 7.92 [2021-08-07]
 o [Windows] Upgraded Npcap (our Windows raw packet capturing and
diff --git a/ncat/ncat_connect.c b/ncat/ncat_connect.c
index c0d4b4089..e099731dd 100644
--- a/ncat/ncat_connect.c
+++ b/ncat/ncat_connect.c
@@ -660,7 +660,7 @@ static int do_proxy_socks5(void)
     size_t addrlen;
     char addrstr[INET6_ADDRSTRLEN];
     size_t bndaddrlen;
-    char bndaddr[16 + 2]; /* IPv4/IPv6 address and port */
+    char bndaddr[SOCKS5_DST_MAXLEN + 2]; /* IPv4/IPv6/hostname and port */
     size_t remainderlen;
     char* remainder;
 
@@ -919,6 +919,14 @@ static int do_proxy_socks5(void)
     case SOCKS5_ATYP_IPv6:
         bndaddrlen = 16 + 2;
         break;
+    case SOCKS5_ATYP_NAME:
+        if (socket_buffer_readcount(&stateful_buf, socksbuf, 1) < 0) {
+            loguser("Error: malformed request response from proxy.\n");
+            close(sd);
+            return -1;
+        }
+        bndaddrlen = (unsigned char)socksbuf[0] + 2;
+        break;
     default:
         loguser("Error: invalid proxy bind address type.\n");
         close(sd);
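Review bot: The new SOCKS5_ATYP_NAME branch takes a one-byte length from the proxy and sets `bndaddrlen = (unsigned char)socksbuf[0] + 2` without comparing it to `sizeof(bndaddr)`; a length byte of 255 gives 257 bytes, so the later read that fills `bndaddr` (outside this hunk) stays in bounds only if `SOCKS5_DST_MAXLEN`, defined elsewhere, is at least 255. Nothing in the patch pins that invariant, so I would add an explicit guard right after `bndaddrlen` is computed, which costs nothing and keeps a malicious proxy from overflowing the stack buffer if the macro is ever reduced. A length byte of 0 also passes through as a two-byte, port-only bind address; that may be acceptable if the bind address is only consumed and discarded, but a short comment on why it is tolerated would help the next reader. do_proxy_socks5 begins and ends outside the hunk.
```c
        bndaddrlen = (unsigned char)socksbuf[0] + 2;
        /* The hostname length is a single untrusted byte from the proxy;
           bndaddr must be able to hold it plus the two port bytes. */
        if (bndaddrlen > sizeof(bndaddr)) {
            loguser("Error: proxy bind address too long.\n");
            close(sd);
            return -1;
        }
        break;
```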