From nobody@FreeBSD.org  Wed Feb 20 03:09:31 2013
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	by hub.freebsd.org (Postfix) with ESMTP id A7D3EFF
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 20 Feb 2013 03:09:31 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 82965BF9
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 20 Feb 2013 03:09:31 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.5/8.14.5) with ESMTP id r1K39Vb3054616
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 20 Feb 2013 03:09:31 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.5/8.14.5/Submit) id r1K39VZ6054615;
	Wed, 20 Feb 2013 03:09:31 GMT
	(envelope-from nobody)
Message-Id: <201302200309.r1K39VZ6054615@red.freebsd.org>
Date: Wed, 20 Feb 2013 03:09:31 GMT
From: Paul Koch <paul.koch137@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: /usr/bin/nc (netcat) incorrectly passes telnet option data through
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         176278
>Category:       bin
>Synopsis:       [patch] nc(1) incorrectly passes telnet option data through
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 20 03:10:00 UTC 2013
>Closed-Date:    
>Last-Modified:  Wed Feb 20 05:48:02 UTC 2013
>Originator:     Paul Koch
>Release:        9.1
>Organization:
>Environment:
FreeBSD xxxxx 9.1-STABLE FreeBSD 9.1-STABLE #0 r246099: Thu Jan 31 08:47:47 EST 2013 
>Description:
Run /usr/bin/nc -t {ip} 23

Garbage characters appear in output.

Run /usr/bin/nc -t {ip} 23 | hexdump -C

This will show something like the following at the start:

 ff fd 25 ff fb 26 ff fd ...

The ff fd xx are telnet options which should be stripped from the output.

Telnet options can occur pretty much at any time during the session, so
garbage chars will probably also appear in other places of the output.
>How-To-Repeat:
Run nc command as above.
>Fix:
The telnet command opt processing in netcat.c is fairly crude.
Strip the telnet options from the output buffer.



Patch attached with submission follows:

--- netcat.c	2013-02-20 12:46:17.000000000 +1000
+++ netcat.c.orig	2013-02-20 13:03:50.000000000 +1000
@@ -25,7 +25,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $FreeBSD: stable/9/contrib/netcat/netcat.c 243818 2012-12-03 18:26:23Z delphij $
+ * $FreeBSD$
  */
 
 /*
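Review bot: The diff is generated in the wrong direction: the header reads `--- netcat.c` / `+++ netcat.c.orig`, so the `-` lines are the proposed code and the `+` lines are the current source, and as sent it would only apply with `patch -R`. Please regenerate it as `diff -u netcat.c.orig netcat.c`, and leave the `$FreeBSD$` line out of the change, since the expanded keyword on the `-` side is version-control metadata rather than part of the fix.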
@@ -100,7 +100,7 @@
 char *portlist[PORT_MAX+1];
 char *unix_dg_tmp_socket;
 
-int	atelnet(int, unsigned char *, unsigned int);
+void	atelnet(int, unsigned char *, unsigned int);
 void	build_ports(char *);
 void	help(void);
 int	local_listen(char *, char *, struct addrinfo);
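Review bot: The proposed prototype `int atelnet(int, unsigned char *, unsigned int);` takes the length as `unsigned int` but returns it as `int`, so `return size;` in the function body goes through a signed/unsigned conversion. Returning the same type as the `size` parameter would avoid that.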
@@ -823,7 +823,7 @@
 				pfd[0].events = 0;
 			} else {
 				if (tflag)
-					n = atelnet(nfd, buf, n);
+					atelnet(nfd, buf, n);
 				if (atomicio(vwrite, lfd, buf, n) != n)
 					return;
 			}
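Review bot: On the proposed (`-`) side, `n = atelnet(nfd, buf, n);` can leave `n` at 0 when the read held nothing but option bytes, and `atomicio(vwrite, lfd, buf, n) != n` is then called with a zero length. Skipping the write when `n` is 0 would make that case explicit instead of relying on how a zero-length write behaves.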
@@ -845,23 +845,20 @@
 }
 
 /* Deal with RFC 854 WILL/WONT DO/DONT negotiation. */
-int
+void
 atelnet(int nfd, unsigned char *buf, unsigned int size)
 {
-	unsigned char *p, *q, *end;
+	unsigned char *p, *end;
 	unsigned char obuf[4];
-        int compact = 0;
 
 	if (size < 3)
-		return size;
+		return;
 	end = buf + size - 2;
 
 	for (p = buf; p < end; p++) {
 		if (*p != IAC)
 			continue;
 
-                compact = 1;
-
 		obuf[0] = IAC;
 		p++;
 		if ((*p == WILL) || (*p == WONT))
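Review bot: The early exit `if (size < 3) return size;` and the scan bound `end = buf + size - 2` on the proposed side mean an IAC in the last two bytes of a read is neither answered nor remembered, so an option sequence split across two reads is missed. Keeping a small amount of state between calls would cover that. The added `int compact = 0;` and `compact = 1;` lines are also indented with spaces where the rest of the function uses tabs.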
@@ -876,20 +873,6 @@
 		if (atomicio(vwrite, nfd, obuf, 3) != 3)
 			warn("Write Error!");
 	}
-
-        if (compact) {
-                p = q = buf;
-                end = buf + size;
-                while (p < end) {
-                        if (*p == IAC)
-                                p += 3;  /* skip over telnet opt */
-                        else
-                                *q++ = *p++;
-                }
-                size = q - buf;
-        }
-
-        return size;
 }
 
 /*
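Review bot: The compaction loop's `if (*p == IAC) p += 3;` assumes every IAC starts a three-byte sequence. Under RFC 854 that holds only for WILL/WONT/DO/DONT: `IAC IAC` is an escaped 0xff data byte, commands such as NOP are two bytes, and subnegotiation runs from `IAC SB` to `IAC SE`, so this loop can drop data bytes or pass subnegotiation payload through. When an IAC sits in the last two bytes of the buffer, `p += 3` also steps past `end` and the rest of that sequence arrives in the next read as plain data. Suggest stripping by command type and carrying parser state across calls.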


>Release-Note:
>Audit-Trail:
>Unformatted:
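
The stripping the report asks for, as an added example that is not part of the submission or of netcat.c: a filter that keeps its state between reads, so options arriving at any point in the session, including split across two buffers, are removed. The names tn_strip, tn_state and the TN_/ST_ constants are assumptions made here; it only filters and leaves out the WILL/WONT/DO/DONT replies that atelnet() sends.

```c
#include <stddef.h>

/* RFC 854 command bytes (prefixed so they cannot clash with <arpa/telnet.h>) */
enum { TN_SE = 240, TN_SB = 250, TN_WILL = 251, TN_DONT = 254, TN_IAC = 255 };

/* Parser state, kept by the caller between reads (hypothetical type). */
enum tn_state { ST_DATA, ST_IAC, ST_OPT, ST_SB, ST_SB_IAC };

/* Remove telnet command sequences from buf in place; returns the new length. */
size_t tn_strip(enum tn_state *st, unsigned char *buf, size_t len)
{
	unsigned char *q = buf;
	size_t i;

	for (i = 0; i < len; i++) {
		unsigned char c = buf[i];

		switch (*st) {
		case ST_DATA:
			if (c == TN_IAC)
				*st = ST_IAC;
			else
				*q++ = c;
			break;
		case ST_IAC:
			if (c == TN_IAC) {	/* IAC IAC: escaped 0xff data byte */
				*q++ = c;
				*st = ST_DATA;
			} else if (c == TN_SB)
				*st = ST_SB;	/* subnegotiation begins */
			else if (c >= TN_WILL && c <= TN_DONT)
				*st = ST_OPT;	/* WILL/WONT/DO/DONT: option code follows */
			else
				*st = ST_DATA;	/* two-byte command such as NOP */
			break;
		case ST_OPT:		/* the option code itself is dropped */
			*st = ST_DATA;
			break;
		case ST_SB:		/* subnegotiation payload is dropped */
			if (c == TN_IAC)
				*st = ST_SB_IAC;
			break;
		case ST_SB_IAC:		/* IAC SE ends it; anything else continues */
			*st = (c == TN_SE) ? ST_DATA : ST_SB;
			break;
		}
	}
	return (size_t)(q - buf);
}
```

The caller initialises the state to ST_DATA once per connection and writes only the returned number of bytes.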
