From e4417d132e3bacace95546bce4ab46c198e08e31 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Tue, 11 Nov 2014 22:15:50 +0000
Subject: [PATCH] Fix a stack overrun in ncat's -g option

Because of the postincrement and <= operators, the parsing could write as many as 10 struct in_addr into an array allocated for only 8. Execution would stop because of a later check. Instead, we use preincrement and < operator to do bounds checking, and check for the "too many specified" condition with another call to strtok (which should return NULL if there were no more hops to parse)
---
 ncat/ncat_main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ncat/ncat_main.c b/ncat/ncat_main.c
index 955ae8847..05e8d52e2 100644
--- a/ncat/ncat_main.c
+++ b/ncat/ncat_main.c
@@ -382,8 +382,8 @@ int main(int argc, char *argv[])
                     a, gai_strerror(rc));
             }
             o.srcrtes[o.numsrcrtes] = addr.in.sin_addr;
-        } while (o.numsrcrtes++ <= 8 && (a = strtok(NULL, ",")));
-        if (o.numsrcrtes > 8)
+        } while (++o.numsrcrtes < 8 && (a = strtok(NULL, ",")));
+        if (strtok(NULL, ","))
             bye("Sorry, you gave too many source route hops.");
             break;
         }
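Review bot: The new `< 8` bound is tested only after the store on the context line `o.srcrtes[o.numsrcrtes] = addr.in.sin_addr;`, because this is a do-while, so the write is in bounds only if numsrcrtes is below 8 on loop entry; that holds for a single `-g`, but not if the option is given again after a full one, since nothing visible resets numsrcrtes before the loop (whose head is outside the hunk). Checking before the store closes that: `if (o.numsrcrtes >= 8) bye("Sorry, you gave too many source route hops.");` ahead of the assignment, then `o.srcrtes[o.numsrcrtes++] = addr.in.sin_addr;` and `} while ((a = strtok(NULL, ",")));`, which also makes the trailing strtok probe unnecessary. The limit 8 is repeated here from the array declaration; if srcrtes is a fixed-size array as the commit message says, `sizeof o.srcrtes / sizeof o.srcrtes[0]` keeps the bound tied to the declaration so they cannot drift apart again. main() continues on both sides of the hunk.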