Blob Blame Raw
diff --git a/ncat/ncat_connect.c b/ncat/ncat_connect.c
index d8c73ab1b..5695800a3 100644
--- a/ncat/ncat_connect.c
+++ b/ncat/ncat_connect.c
@@ -1049,7 +1049,10 @@ int ncat_connect(void)
         }
 
         if (connect_socket == -1)
+        {
+            nsp_delete(mypool);
             return 1;
+        }
         /* Clear out whatever is left in the socket buffer which may be
            already sent by proxy server along with http response headers. */
         //line = socket_buffer_remainder(&stateful_buf, &n);
--- a/ncat/ncat.h
+++ b/ncat/ncat.h
@@ -177,13 +177,13 @@
 
 struct socks5_connect {
     char ver;
-    char nmethods;
+    unsigned char nmethods;
     char methods[3];
 } __attribute__((packed));
 
 struct socks5_auth {
-  char ver; // must be always 1
-  char data[SOCKS_BUFF_SIZE];
+    char ver; // must be always 1
+    unsigned char data[SOCKS_BUFF_SIZE];
 } __attribute__((packed));
 
 struct socks5_request {
@@ -263,6 +263,12 @@
 #define SOCKS5_ATYP_NAME        3
 #define SOCKS5_ATYP_IPv6        4
 
+#define SOCKS5_USR_MAXLEN       255
+#define SOCKS5_PWD_MAXLEN       255
+
+#if SOCKS_BUFF_SIZE < (1 + SOCKS5_USR_MAXLEN) + (1 + SOCKS5_PWD_MAXLEN)
+#error SOCKS_BUFF_SIZE is defined too small to handle SOCKS5 authentication
+#endif
 
 /* Length of IPv6 address */
 #ifndef INET6_ADDRSTRLEN
--- a/ncat/ncat_connect.c
+++ b/ncat/ncat_connect.c
@@ -664,9 +664,8 @@
     int sd,len,lenfqdn;
     struct socks5_request socks5msg2;
     struct socks5_auth socks5auth;
-    char *proxy_auth;
-    char *username;
-    char *password;
+    char *uptr, *pptr;
+    size_t authlen, ulen, plen;
 
     sd = do_connect(SOCK_STREAM);
     if (sd == -1) {
@@ -683,17 +682,13 @@
 
     zmem(&socks5msg,sizeof(socks5msg));
     socks5msg.ver = SOCKS5_VERSION;
-    socks5msg.nmethods = 1;
-    socks5msg.methods[0] = SOCKS5_AUTH_NONE;
-    len = 3;
+    socks5msg.nmethods = 0;
+    socks5msg.methods[socks5msg.nmethods++] = SOCKS5_AUTH_NONE;
 
-    if (o.proxy_auth){
-        socks5msg.nmethods ++;
-        socks5msg.methods[1] = SOCKS5_AUTH_USERPASS;
-        len ++;
-    }
+    if (o.proxy_auth)
+        socks5msg.methods[socks5msg.nmethods++] = SOCKS5_AUTH_USERPASS;
 
-    if (send(sd, (char *) &socks5msg, len, 0) < 0) {
+    if (send(sd, (char *)&socks5msg, offsetof(struct socks5_connect, methods) + socks5msg.nmethods, 0) < 0) {
         loguser("Error: proxy request: %s.\n", socket_strerror(socket_errno()));
         close(sd);
         return -1;
@@ -706,46 +701,47 @@
         return -1;
     }
 
-    if (socksbuf[0] != 5){
+    if (socksbuf[0] != SOCKS5_VERSION) {
         loguser("Error: got wrong server version in response.\n");
         close(sd);
         return -1;
     }
 
-    switch(socksbuf[1]) {
+    switch((unsigned char)socksbuf[1]) {
         case SOCKS5_AUTH_NONE:
             if (o.verbose)
                 loguser("No authentication needed.\n");
             break;
 
-        case SOCKS5_AUTH_GSSAPI:
-            loguser("GSSAPI authentication method not supported.\n");
-            close(sd);
-            return -1;
-
         case SOCKS5_AUTH_USERPASS:
             if (o.verbose)
                 loguser("Doing username and password authentication.\n");
 
             if(!o.proxy_auth){
-                loguser("Error: proxy requested to do authentication, but no credentials were provided.\n");
+                /* Proxy must not select a method not offered by the client */
+                loguser("Error: proxy selected invalid authentication method.\n");
                 close(sd);
                 return -1;
             }
 
-            if (strlen(o.proxy_auth) > SOCKS_BUFF_SIZE-2){
-                loguser("Error: username and password are too long to fit into buffer.\n");
+            /* Split up the proxy auth argument. */
+            uptr = o.proxy_auth;
+            pptr = strchr(o.proxy_auth, ':');
+            if (pptr == NULL) {
+                loguser("Error: invalid username:password combo.\n");
                 close(sd);
                 return -1;
             }
 
-            /* Split up the proxy auth argument. */
-            proxy_auth = Strdup(o.proxy_auth);
-            username = strtok(proxy_auth, ":");
-            password = strtok(NULL, ":");
-            if (password == NULL || username == NULL) {
-                free(proxy_auth);
-                loguser("Error: empty username or password.\n");
+            ulen = (pptr++) - uptr;
+            plen = strlen(pptr);
+            if (ulen > SOCKS5_USR_MAXLEN) {
+                loguser("Error: username length exceeds %d.\n", SOCKS5_USR_MAXLEN);
+                close(sd);
+                return -1;
+            }
+            if (plen > SOCKS5_PWD_MAXLEN) {
+                loguser("Error: password length exceeds %d.\n", SOCKS5_PWD_MAXLEN);
                 close(sd);
                 return -1;
             }
@@ -766,15 +762,16 @@
              */
 
             socks5auth.ver = 1;
-            socks5auth.data[0] = strlen(username);
-            memcpy(socks5auth.data+1,username,strlen(username));
-            len = 2 + strlen(username); // (version + strlen) + username
+            authlen = 0;
+            socks5auth.data[authlen++] = ulen;
+            memcpy(socks5auth.data + authlen, uptr, ulen);
+            authlen += ulen;
 
-            socks5auth.data[len-1]=strlen(password);
-            memcpy(socks5auth.data+len,password,strlen(password));
-            len += 1 + strlen(password);
+            socks5auth.data[authlen++] = plen;
+            memcpy(socks5auth.data + authlen, pptr, plen);
+            authlen += plen;
 
-            if (send(sd, (char *) &socks5auth, len, 0) < 0) {
+            if (send(sd, (char *) &socks5auth, offsetof(struct socks5_auth, data) + authlen, 0) < 0) {
                 loguser("Error: sending proxy authentication.\n");
                 close(sd);
                 return -1;
@@ -794,8 +791,14 @@
 
             break;
 
+        case SOCKS5_AUTH_FAILED:
+            loguser("Error: no acceptable authentication method proposed.\n");
+            close(sd);
+            return -1;
+
         default:
-            loguser("Error - can't choose any authentication method.\n");
+            /* Proxy must not select a method not offered by the client */
+            loguser("Error: proxy selected invalid authentication method.\n");
             close(sd);
             return -1;
     }
@@ -832,6 +835,10 @@
             socks5msg2.dst[0]=lenfqdn;
             memcpy(socks5msg2.dst+1,o.target,lenfqdn);
             len = 1 + lenfqdn;
+            break;
+
+        default: // this shall not happen
+            ncat_assert(0);
     }
 
     memcpy(socks5msg2.dst+len, &proxyport, sizeof(proxyport));