Fix a write overrun in the -g option to Ncat

Due to the use of do{}while; the bounds were checked *after* writing to the array of source routes. Reproduce: ncat $(perl -E 'say "-g 1.1.1.1 "x100') scanme.nmap.org 80
2025-12-30 19:39:07 +00:00 · 2015-06-23 03:59:41 +00:00
parent eda09854ac
commit df5d9a7489
1 changed files with 8 additions and 5 deletions
--- a/ncat/ncat_main.c
+++ b/ncat/ncat_main.c
@@ -372,20 +372,23 @@ int main(int argc, char *argv[])
            o.execmode = EXEC_PLAIN;
            break;
        case 'g': {
-            char *a = strtok(optarg, ",");
-            do {
+            char *from = optarg;
+            char *a = NULL;
+            while (o.numsrcrtes < 8 && (a = strtok(from, ",")))
+            {
                union sockaddr_u addr;
                size_t sslen;
                int rc;
+                from = NULL;

                rc = resolve(a, 0, &addr.storage, &sslen, AF_INET);
                if (rc != 0) {
                    bye("Sorry, could not resolve source route hop \"%s\": %s.",
                    a, gai_strerror(rc));
                }
-                o.srcrtes[o.numsrcrtes] = addr.in.sin_addr;
-            } while (++o.numsrcrtes < 8 && (a = strtok(NULL, ",")));
-            if (strtok(NULL, ","))
+                o.srcrtes[o.numsrcrtes++] = addr.in.sin_addr;
+            }
+            if (strtok(from, ","))
                bye("Sorry, you gave too many source route hops.");
            break;
        }