From fe4784a6d15ad8c8009fee5b504815420848a38a Mon Sep 17 00:00:00 2001
From: tb
Date: Sat, 10 Jun 2017 18:14:10 +0000
Subject: [PATCH] If -P and -c were given, a second pledge call tried to add "rpath" to the first pledge promises, so nc exited with EPERM. To fix this, merge the pledge of the Pflag && usetls case into the first pledge block. This allows us to get rid of the second pledge block and thus to simplify the logic a bit. While there, add a missing blank to an error string. Joint effort by the #openbsd-daily code reading group, problem found and initial patch by . ok awolk
---
 usr.bin/nc/netcat.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c
index 41abc8de21a..bb868d7e598 100644
--- a/usr.bin/nc/netcat.c
+++ b/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.183 2017/05/26 16:05:35 bluhm Exp $ */
+/* $OpenBSD: netcat.c,v 1.184 2017/06/10 18:14:10 tb Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson
 * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -355,6 +355,9 @@ main(int argc, char *argv[])
 err(1, "pledge");
 } else if (pledge("stdio inet dns sendfd", NULL) == -1)
 err(1, "pledge");
+ } else if (Pflag && usetls) {
+ if (pledge("stdio rpath inet dns tty", NULL) == -1)
+ err(1, "pledge");
 } else if (Pflag) {
 if (pledge("stdio inet dns tty", NULL) == -1)
 err(1, "pledge");
@@ -478,12 +481,6 @@ main(int argc, char *argv[])
 }

 if (usetls) {
- if (Pflag) {
- if (pledge("stdio inet dns tty rpath", NULL) == -1)
- err(1, "pledge");
- } else if (pledge("stdio inet dns rpath", NULL) == -1)
- err(1, "pledge");
-
 if (tls_init() == -1)
 errx(1, "unable to initialize TLS");
 if ((tls_cfg = tls_config_new()) == NULL)
@@ -510,7 +507,7 @@ main(int argc, char *argv[])
 if (TLSopt & TLS_NOVERIFY) {
 if (tls_expecthash != NULL)
 errx(1, "-H and -T noverify may not be used"
- "together");
+ " together");
 tls_config_insecure_noverifycert(tls_cfg);
 }
 if (TLSopt & TLS_MUSTSTAPLE)
-- 
2.20.1
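Review bot: The `rpath` promise granted by the new `Pflag && usetls` branch in the hunk at -355 is not given up anywhere in the lines shown, so the process appears to keep filesystem read access for the rest of the session, including while it processes data from the proxy and the peer. pledge(2) refuses to add promises but does allow dropping them, so once the TLS configuration code that follows `if (usetls) {` has loaded its files, a narrowing call such as `if (pledge(Pflag ? "stdio inet dns tty" : "stdio inet dns", NULL) == -1) err(1, "pledge");` would restore the tighter set. This assumes nothing later in main() still reads files and that the unix-socket and `-F` paths get their own strings; neither is visible here, and the if/else chain this branch joins starts above the hunk.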
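Review bot: After the second pledge is removed in the hunk at -478, nothing at `if (usetls) {` tells a reader that the file reads done by the TLS setup below depend on the promise string chosen in the earlier pledge chain. A short comment there would keep the two in step, for example `/* rpath for the TLS files comes from the first pledge block; pledge(2) cannot add promises later */`. The `sendfd` branch visible at the top of the -355 hunk promises no `rpath`, so it is worth confirming that combining that mode with `-c` is rejected before this point; the hunks do not show such a check.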