diff --git a/ncat/ncat_connect.c b/ncat/ncat_connect.c
index d8c73ab1b..5695800a3 100644
--- a/ncat/ncat_connect.c
+++ b/ncat/ncat_connect.c
@@ -1049,7 +1049,10 @@ int ncat_connect(void)
}
if (connect_socket == -1)
+ {
+ nsp_delete(mypool);
return 1;
+ }
/* Clear out whatever is left in the socket buffer which may be
already sent by proxy server along with http response headers. */
//line = socket_buffer_remainder(&stateful_buf, &n);
--- a/ncat/ncat.h
+++ b/ncat/ncat.h
@@ -177,13 +177,13 @@
struct socks5_connect {
char ver;
- char nmethods;
+ unsigned char nmethods;
char methods[3];
} __attribute__((packed));
struct socks5_auth {
- char ver; // must be always 1
- char data[SOCKS_BUFF_SIZE];
+ char ver; // must be always 1
+ unsigned char data[SOCKS_BUFF_SIZE];
} __attribute__((packed));
struct socks5_request {
@@ -263,6 +263,12 @@
#define SOCKS5_ATYP_NAME 3
#define SOCKS5_ATYP_IPv6 4
+#define SOCKS5_USR_MAXLEN 255
+#define SOCKS5_PWD_MAXLEN 255
+
+#if SOCKS_BUFF_SIZE < (1 + SOCKS5_USR_MAXLEN) + (1 + SOCKS5_PWD_MAXLEN)
+#error SOCKS_BUFF_SIZE is defined too small to handle SOCKS5 authentication
+#endif
/* Length of IPv6 address */
#ifndef INET6_ADDRSTRLEN
--- a/ncat/ncat_connect.c
+++ b/ncat/ncat_connect.c
@@ -664,9 +664,8 @@
int sd,len,lenfqdn;
struct socks5_request socks5msg2;
struct socks5_auth socks5auth;
- char *proxy_auth;
- char *username;
- char *password;
+ char *uptr, *pptr;
+ size_t authlen, ulen, plen;
sd = do_connect(SOCK_STREAM);
if (sd == -1) {
@@ -683,17 +682,13 @@
zmem(&socks5msg,sizeof(socks5msg));
socks5msg.ver = SOCKS5_VERSION;
- socks5msg.nmethods = 1;
- socks5msg.methods[0] = SOCKS5_AUTH_NONE;
- len = 3;
+ socks5msg.nmethods = 0;
+ socks5msg.methods[socks5msg.nmethods++] = SOCKS5_AUTH_NONE;
- if (o.proxy_auth){
- socks5msg.nmethods ++;
- socks5msg.methods[1] = SOCKS5_AUTH_USERPASS;
- len ++;
- }
+ if (o.proxy_auth)
+ socks5msg.methods[socks5msg.nmethods++] = SOCKS5_AUTH_USERPASS;
- if (send(sd, (char *) &socks5msg, len, 0) < 0) {
+ if (send(sd, (char *)&socks5msg, offsetof(struct socks5_connect, methods) + socks5msg.nmethods, 0) < 0) {
loguser("Error: proxy request: %s.\n", socket_strerror(socket_errno()));
close(sd);
return -1;
@@ -706,46 +701,47 @@
return -1;
}
- if (socksbuf[0] != 5){
+ if (socksbuf[0] != SOCKS5_VERSION) {
loguser("Error: got wrong server version in response.\n");
close(sd);
return -1;
}
- switch(socksbuf[1]) {
+ switch((unsigned char)socksbuf[1]) {
case SOCKS5_AUTH_NONE:
if (o.verbose)
loguser("No authentication needed.\n");
break;
- case SOCKS5_AUTH_GSSAPI:
- loguser("GSSAPI authentication method not supported.\n");
- close(sd);
- return -1;
-
case SOCKS5_AUTH_USERPASS:
if (o.verbose)
loguser("Doing username and password authentication.\n");
if(!o.proxy_auth){
- loguser("Error: proxy requested to do authentication, but no credentials were provided.\n");
+ /* Proxy must not select a method not offered by the client */
+ loguser("Error: proxy selected invalid authentication method.\n");
close(sd);
return -1;
}
- if (strlen(o.proxy_auth) > SOCKS_BUFF_SIZE-2){
- loguser("Error: username and password are too long to fit into buffer.\n");
+ /* Split up the proxy auth argument. */
+ uptr = o.proxy_auth;
+ pptr = strchr(o.proxy_auth, ':');
+ if (pptr == NULL) {
+ loguser("Error: invalid username:password combo.\n");
close(sd);
return -1;
}
- /* Split up the proxy auth argument. */
- proxy_auth = Strdup(o.proxy_auth);
- username = strtok(proxy_auth, ":");
- password = strtok(NULL, ":");
- if (password == NULL || username == NULL) {
- free(proxy_auth);
- loguser("Error: empty username or password.\n");
+ ulen = (pptr++) - uptr;
+ plen = strlen(pptr);
+ if (ulen > SOCKS5_USR_MAXLEN) {
+ loguser("Error: username length exceeds %d.\n", SOCKS5_USR_MAXLEN);
+ close(sd);
+ return -1;
+ }
+ if (plen > SOCKS5_PWD_MAXLEN) {
+ loguser("Error: password length exceeds %d.\n", SOCKS5_PWD_MAXLEN);
close(sd);
return -1;
}
@@ -766,15 +762,16 @@
*/
socks5auth.ver = 1;
- socks5auth.data[0] = strlen(username);
- memcpy(socks5auth.data+1,username,strlen(username));
- len = 2 + strlen(username); // (version + strlen) + username
+ authlen = 0;
+ socks5auth.data[authlen++] = ulen;
+ memcpy(socks5auth.data + authlen, uptr, ulen);
+ authlen += ulen;
- socks5auth.data[len-1]=strlen(password);
- memcpy(socks5auth.data+len,password,strlen(password));
- len += 1 + strlen(password);
+ socks5auth.data[authlen++] = plen;
+ memcpy(socks5auth.data + authlen, pptr, plen);
+ authlen += plen;
- if (send(sd, (char *) &socks5auth, len, 0) < 0) {
+ if (send(sd, (char *) &socks5auth, offsetof(struct socks5_auth, data) + authlen, 0) < 0) {
loguser("Error: sending proxy authentication.\n");
close(sd);
return -1;
@@ -794,8 +791,14 @@
break;
+ case SOCKS5_AUTH_FAILED:
+ loguser("Error: no acceptable authentication method proposed.\n");
+ close(sd);
+ return -1;
+
default:
- loguser("Error - can't choose any authentication method.\n");
+ /* Proxy must not select a method not offered by the client */
+ loguser("Error: proxy selected invalid authentication method.\n");
close(sd);
return -1;
}
@@ -832,6 +835,10 @@
socks5msg2.dst[0]=lenfqdn;
memcpy(socks5msg2.dst+1,o.target,lenfqdn);
len = 1 + lenfqdn;
+ break;
+
+ default: // this shall not happen
+ ncat_assert(0);
}
memcpy(socks5msg2.dst+len, &proxyport, sizeof(proxyport));