Hello, I found a bug for ConnectionSOCKS5Proxy::negotiate()
see the line with "//***************** BUG x " and NOTE
void ConnectionSOCKS5Proxy::negotiate()
{
m_s5state = S5StateNegotiating;
char *d = new char[m_ip ? 10 : 6 + m_server.length() + 1];
//**************** BUG 1
int pos = 0;
d[pos++] = 0x05; // SOCKS version 5
d[pos++] = 0x01; // command CONNECT
d[pos++] = 0x00; // reserved
int port = m_port;
std::string server = m_server;
if( m_ip ) // IP address
{
d[pos++] = 0x01; // IPv4 address
std::string s;
int j = server.length();
int l = 0;
for( int k = 0; k < j && l < 4; ++k )
{
if( server[k] != '.' )
s += server[k];
if( server[k] == '.' || k == j-1 )
{
d[pos++] = atoi( s.c_str() ) & 0x0FF;
s = "";
++l;
}
}
}
else // hostname
{
if( port == -1 )
{
DNS::HostMap servers = DNS::resolve( m_server, m_logInstance );
if( servers.size() )
{
server = (*(servers.begin())).first;
port = (*(servers.begin())).second;
}
}
d[pos++] = 0x03; // hostname
d[pos++] = m_server.length(); //************* BUG 2
strncpy( d + pos, m_server.c_str(), m_server.length() ); //**************
BUG 3
pos += m_server.length(); //******************* BUG 4
}
int nport = htons( port );
d[pos++] = nport;
d[pos++] = nport >> 8;
#ifndef _WIN32_WCE
std::ostringstream oss;
oss << "requesting socks5 proxy connection to " << server << ":" << port;
m_logInstance.log( LogLevelDebug, LogAreaClassConnectionSOCKS5Proxy,
oss.str() );
#endif
if( !send( std::string( d, pos ) ) )
{
cleanup();
m_handler->handleDisconnect( this, ConnIoError );
}
delete[] d;
}
/********************** NOTE ******************************
BUG 1 :char *d = new char[m_ip ? 10 : 6 + m_server.length() + 1];
if "m_ip == false" and "m_port == -1 " and "m_server" is a domain ,
then the "hostname" filled in buf "d" will be "server" instead of
"m_server",
so perhaps "server.length() > m_server.length()", this will cause buffer
overflow;
BUG 2 , BUG 3 and BUG 4:
All "m_server" need instead by "server"
*/