Skip to content

ncat segfault in __strlen_avx2 () from /usr/lib64/haswell/libc.so.6 #2154

Closed
Closed
ncat segfault in __strlen_avx2 () from /usr/lib64/haswell/libc.so.6#2154
Assignees
nnposter
Labels
Ncatbug
@bswinnerton

Description

@bswinnerton
bswinnerton
opened on Oct 15, 2020

Describe the bug
When invoking ncat over a Unix socket (for example with nc -U /var/run/libvirt/libvirt-sock), the application segfaults

To Reproduce

$ touch /tmp/foo
$ nc -U /tmp/foo
Segmentation fault (core dumped)

Expected behavior
In the example above, the expected behavior is:

$ touch /tmp/foo
$ nc -U /tmp/foo
Ncat: Connection refused.

Version info (please complete the following information):

  • OS: 5.8.14-991.native
  • Output of ncat --version: Ncat: Version 7.91 ( https://nmap.org/ncat )

Additional context

To quote clearlinux/distribution#2152 (comment):

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7d89db5 in __strlen_avx2 () from /usr/lib64/haswell/libc.so.6
(gdb) bt
#0  0x00007ffff7d89db5 in __strlen_avx2 () from /usr/lib64/haswell/libc.so.6
#1  0x00007ffff7c981f4 in __GI___strdup (s=0x0) at strdup.c:41
#2  0x000055555555fcd8 in nsock_iod_set_hostname (hostname=0x0, iod=0x5555555da270) at ../nsock/src/nsock_iod.c:453
#3  new_iod (mypool=<optimized out>) at ncat_connect.c:907
#4  0x000055555555d535 in ncat_connect () at ncat_connect.c:1018
#5  ncat_connect_mode () at ncat_main.c:1020
#6  main (argc=<optimized out>, argv=<optimized out>) at ncat_main.c:997
(gdb) f 3
#2  0x000055555555fcd8 in nsock_iod_set_hostname (hostname=0x0, iod=0x5555555da270) at ../nsock/src/nsock_iod.c:453
   if (nsock_iod_set_hostname(nsi, o.sslservername) == -1)
(gdb) p o
$1 = {portno = 31337, verbose = 0, debug = 0, target = 0x7fffffffe6e6 "/tmp/foo", af = 1, proto = 6, broker = 0, listen = 0, keepopen = 0, 
  sendonly = 0, recvonly = 0, noshutdown = 0, telnet = 0, linedelay = 0, chat = 0, nodns = 0, normlog = 0x0, hexlog = 0x0, normlogfd = -1, 
  hexlogfd = -1, append = 0, idletimeout = 0, crlf = 0, allow = 0, deny = 0, allowset = 0x5555555d9870, denyset = 0x5555555d9910, 
  httpserver = 0, nsock_engine = 0, test = 0, srcrtes = {{s_addr = 0}, {s_addr = 0}, {s_addr = 0}, {s_addr = 0}, {s_addr = 0}, {s_addr = 0}, {
      s_addr = 0}, {s_addr = 0}}, numsrcrtes = 0, srcrteptr = 4, conn_limit = -1, conntimeout = 10000, cmdexec = 0x0, execmode = EXEC_PLAIN, 
  proxy_auth = 0x0, proxytype = 0x0, proxyaddr = 0x0, proxydns = 2, ssl = 0, sslcert = 0x0, sslkey = 0x0, sslverify = 0, ssltrustfile = 0x0, 
  sslciphers = 0x0, sslservername = 0x0, sslalpn = 0x0, zerobyte = 0}

o.sslservername is set to NULL at

nmap/ncat/ncat_core.c

Line 152 in ef8213a

o.sslservername = NULL;
and set to something different at

nmap/ncat/ncat_main.c

Line 511 in ef8213a

o.sslservername = Strdup(optarg);

But this is not an SSL connection so it's not expected to be set to anything but null.

As mentioned by @thiagomacieira, the bug was introduced in 7d6cf3a which introduced o.sslservername, but that's only for TCP connections, not unix sockets.

/cc @nnposter as you may have context
/cc clearlinux/distribution#2152

Metadata

Metadata

Assignees

Labels

Ncatbug

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions