From: Ross L Richardson <openbsd@rlr.id.au>
Subject: [Patch] Fix nc(1) option parsing for "-T"
To: tech@openbsd.org
Date: Wed, 14 May 2025 18:28:01 +1000
Reply-To: tech@openbsd.org

nc(1) handling of option arguments for "-T" is suboptimal for arguments
which are _not_ of the form "key=value".  There is no check that nothing
follows the keyword:

$ nc -c -T muststaple openbsd.org https
nc: tls handshake failed (no stapled OCSP response provided)
$ nc -c -T muststaple= openbsd.org https
nc: tls handshake failed (no stapled OCSP response provided)
$ nc -c -T muststaple=NBG openbsd.org https
nc: tls handshake failed (no stapled OCSP response provided)
:

The patch below provides one way to correct the deficiency.

Ross

========
Index: netcat.c
===================================================================
RCS file: /cvs/src/usr.bin/nc/netcat.c,v
diff -u -p -r1.229 netcat.c
--- netcat.c	2 Nov 2024 17:19:27 -0000	1.229
+++ netcat.c	14 May 2025 08:23:05 -0000
@@ -1692,6 +1692,8 @@ process_tls_opt(char *s, int *flags)
 					errx(1, "invalid tls value `%s'", s);
 				*t->value = v;
 			} else {
+				if (v != NULL)
+					errx(1, "invalid tls value `%s'", s);
 				*flags |= t->flag;
 			}
 			return 1;