Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [PATCH] Experimental SCTP scan support

From: Daniel Roethlisberger <daniel () roe ch>
Date: Sat, 3 Jan 2009 13:32:10 +0100
doug () hcsw org <doug () hcsw org> 2009-01-03:

On Sat, Jan 03, 2009 at 03:48:09AM -0600 or thereabouts, Kris Katterjohn wrote:
...

*** buffer overflow detected ***: ./nmap terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7c44558]
/lib/tls/i686/cmov/libc.so.6[0xb7c42680]
/lib/tls/i686/cmov/libc.so.6(__strcpy_chk+0x44)[0xb7c41944]
./nmap(_Z15printportoutputP6TargetP8PortList+0x639)[0x8083569]
./nmap(_Z9nmap_mainiPPc+0x2099)[0x8061ea9]
./nmap(main+0x1e4)[0x805cdc4]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7b60685]
./nmap[0x805cb11]

[...]
In this case, gcc has placed run-time checks on strcpy() invocations,
one of which I think is triggered by the following part of the patch:

-     strcpy(protocol,(current->proto == IPPROTO_TCP)? "tcp": "udp");
+     strcpy(protocol, IPPROTO2STR(current->proto));

This is in the function printportoutput() in output.cc. Looks
to me like the problem is that protocol[] is defined as such:

  char protocol[4];

so "sctp\0" is one too many to fit into this buffer.


Thanks.  That's now

  char protocol[MAX_IPPROTOSTRLEN+1];

in my sources.  I expect there to be more bugs, especially in
combination with things like scripting, XML etc., so please keep
on trying to break it :-)

Updated patchset:

http://daniel.roe.ch/code/nmap/nmap+sctp-20090103-r11609-initscan.diff
http://daniel.roe.ch/code/nmap/nbase+sctp-20090103-r11609-initscan.diff

-- 
Daniel Roethlisberger
http://daniel.roe.ch/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Previous By Date Next
Previous By Thread Next

Current thread: