On Sun, Sep 30, 2018 at 11:55:58AM +0800, Nan Xiao wrote:
> The following patch fixed the resource leak when netcat works as a TLS
> server. Sorry if I am wrong, thanks!
There is another tls leak on the client side after
if (s == -1)
continue;
To fix both I would do the tls_free() after close() consistently.
bluhm
Index: usr.bin/nc/netcat.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.bin/nc/netcat.c,v
retrieving revision 1.194
diff -u -p -r1.194 netcat.c
--- usr.bin/nc/netcat.c 7 Sep 2018 09:55:29 -0000 1.194
+++ usr.bin/nc/netcat.c 2 Oct 2018 00:35:03 -0000
@@ -543,8 +543,6 @@ main(int argc, char *argv[])
err(1, "pledge");
}
if (lflag) {
- struct tls *tls_cctx = NULL;
- int connfd;
ret = 0;
if (family == AF_UNIX) {
@@ -603,6 +601,9 @@ main(int argc, char *argv[])
readwrite(s, NULL);
} else {
+ struct tls *tls_cctx = NULL;
+ int connfd;
+
len = sizeof(cliaddr);
connfd = accept4(s, (struct sockaddr *)&cliaddr,
&len, SOCK_NONBLOCK);
@@ -618,12 +619,10 @@ main(int argc, char *argv[])
readwrite(connfd, tls_cctx);
if (!usetls)
readwrite(connfd, NULL);
- if (tls_cctx) {
+ if (tls_cctx)
timeout_tls(s, tls_cctx, tls_close);
- tls_free(tls_cctx);
- tls_cctx = NULL;
- }
close(connfd);
+ tls_free(tls_cctx);
}
if (family == AF_UNIX && uflag) {
if (connect(s, NULL, 0) < 0)
@@ -657,6 +656,8 @@ main(int argc, char *argv[])
for (s = -1, i = 0; portlist[i] != NULL; i++) {
if (s != -1)
close(s);
+ tls_free(tls_ctx);
+ tls_ctx = NULL;
if (usetls) {
if ((tls_ctx = tls_client()) == NULL)
@@ -707,18 +708,15 @@ main(int argc, char *argv[])
tls_setup_client(tls_ctx, s, host);
if (!zflag)
readwrite(s, tls_ctx);
- if (tls_ctx) {
+ if (tls_ctx)
timeout_tls(s, tls_ctx, tls_close);
- tls_free(tls_ctx);
- tls_ctx = NULL;
- }
}
}
}
if (s != -1)
close(s);
-
+ tls_free(tls_ctx);
tls_config_free(tls_cfg);
return ret;
