diff options
| author | tb <> | 2017-06-10 18:14:10 +0000 |
|---|---|---|
| committer | tb <> | 2017-06-10 18:14:10 +0000 |
| commit | 1c17fdf7e8d2fdb96c9bb25c504c1bf0f3be384a (patch) | |
| tree | fde10ac3ceb247983bb8cd5f8bab7f2f6eb8e57f /src | |
| parent | 0872767118dfebd4e7983c033acce9a8f14cb145 (diff) | |
| download | openbsd-1c17fdf7e8d2fdb96c9bb25c504c1bf0f3be384a.tar.gz openbsd-1c17fdf7e8d2fdb96c9bb25c504c1bf0f3be384a.tar.bz2 openbsd-1c17fdf7e8d2fdb96c9bb25c504c1bf0f3be384a.zip | |
If -P and -c were given, a second pledge call tried to add "rpath" to the
first pledge promises, so nc exited with EPERM. To fix this, merge the
pledge of the Pflag && usetls case into the first pledge block. This
allows us to get rid of the second pledge block and thus to simplify the
logic a bit. While there, add a missing blank to an error string.
Joint effort by the #openbsd-daily code reading group, problem found and
initial patch by <rain1 openmailbox org>.
ok awolk
Diffstat (limited to 'src')
| -rw-r--r-- | src/usr.bin/nc/netcat.c | 13 |
1 files changed, 5 insertions, 8 deletions
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c index 41abc8de21..bb868d7e59 100644 --- a/src/usr.bin/nc/netcat.c +++ b/src/usr.bin/nc/netcat.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: netcat.c,v 1.183 2017/05/26 16:05:35 bluhm Exp $ */ | 1 | /* $OpenBSD: netcat.c,v 1.184 2017/06/10 18:14:10 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2001 Eric Jackson <ericj@monkey.org> | 3 | * Copyright (c) 2001 Eric Jackson <ericj@monkey.org> |
| 4 | * Copyright (c) 2015 Bob Beck. All rights reserved. | 4 | * Copyright (c) 2015 Bob Beck. All rights reserved. |
| @@ -355,6 +355,9 @@ main(int argc, char *argv[]) | |||
| 355 | err(1, "pledge"); | 355 | err(1, "pledge"); |
| 356 | } else if (pledge("stdio inet dns sendfd", NULL) == -1) | 356 | } else if (pledge("stdio inet dns sendfd", NULL) == -1) |
| 357 | err(1, "pledge"); | 357 | err(1, "pledge"); |
| 358 | } else if (Pflag && usetls) { | ||
| 359 | if (pledge("stdio rpath inet dns tty", NULL) == -1) | ||
| 360 | err(1, "pledge"); | ||
| 358 | } else if (Pflag) { | 361 | } else if (Pflag) { |
| 359 | if (pledge("stdio inet dns tty", NULL) == -1) | 362 | if (pledge("stdio inet dns tty", NULL) == -1) |
| 360 | err(1, "pledge"); | 363 | err(1, "pledge"); |
| @@ -478,12 +481,6 @@ main(int argc, char *argv[]) | |||
| 478 | } | 481 | } |
| 479 | 482 | ||
| 480 | if (usetls) { | 483 | if (usetls) { |
| 481 | if (Pflag) { | ||
| 482 | if (pledge("stdio inet dns tty rpath", NULL) == -1) | ||
| 483 | err(1, "pledge"); | ||
| 484 | } else if (pledge("stdio inet dns rpath", NULL) == -1) | ||
| 485 | err(1, "pledge"); | ||
| 486 | |||
| 487 | if (tls_init() == -1) | 484 | if (tls_init() == -1) |
| 488 | errx(1, "unable to initialize TLS"); | 485 | errx(1, "unable to initialize TLS"); |
| 489 | if ((tls_cfg = tls_config_new()) == NULL) | 486 | if ((tls_cfg = tls_config_new()) == NULL) |
| @@ -510,7 +507,7 @@ main(int argc, char *argv[]) | |||
| 510 | if (TLSopt & TLS_NOVERIFY) { | 507 | if (TLSopt & TLS_NOVERIFY) { |
| 511 | if (tls_expecthash != NULL) | 508 | if (tls_expecthash != NULL) |
| 512 | errx(1, "-H and -T noverify may not be used" | 509 | errx(1, "-H and -T noverify may not be used" |
| 513 | "together"); | 510 | " together"); |
| 514 | tls_config_insecure_noverifycert(tls_cfg); | 511 | tls_config_insecure_noverifycert(tls_cfg); |
| 515 | } | 512 | } |
| 516 | if (TLSopt & TLS_MUSTSTAPLE) | 513 | if (TLSopt & TLS_MUSTSTAPLE) |