Nmap Development mailing list archives
Re: [PATCH] Experimental SCTP scan support
From: Daniel Roethlisberger <daniel () roe ch>
Date: Sat, 3 Jan 2009 13:32:10 +0100
doug () hcsw org <doug () hcsw org> 2009-01-03:
> On Sat, Jan 03, 2009 at 03:48:09AM -0600 or thereabouts, Kris Katterjohn wrote:
> ...
> *** buffer overflow detected ***: ./nmap terminated
> ======= Backtrace: =========
> /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7c44558]
> /lib/tls/i686/cmov/libc.so.6[0xb7c42680]
> /lib/tls/i686/cmov/libc.so.6(__strcpy_chk+0x44)[0xb7c41944]
> ./nmap(_Z15printportoutputP6TargetP8PortList+0x639)[0x8083569]
> ./nmap(_Z9nmap_mainiPPc+0x2099)[0x8061ea9]
> ./nmap(main+0x1e4)[0x805cdc4]
> /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7b60685]
> ./nmap[0x805cb11]
> [...]
>
> In this case, gcc has placed run-time checks on strcpy() invocations, one of which I think is triggered by the following part of the patch:
>
> - strcpy(protocol,(current->proto == IPPROTO_TCP)? "tcp": "udp");
> + strcpy(protocol, IPPROTO2STR(current->proto));
>
> This is in the function printportoutput() in output.cc. Looks to me like the problem is that protocol[] is defined as such:
>
> char protocol[4];
>
> so "sctp\0" is one too many to fit into this buffer.
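Review bot: the replaced line makes the copied length depend on whatever IPPROTO2STR() can return, while the destination in printportoutput() stays `char protocol[4];`, so "sctp" plus its terminator is one byte too long and the unbounded strcpy() writes past the array (exactly what __strcpy_chk reports above). Size the buffer for the longest name the macro can produce rather than for "tcp"/"udp", and consider a bounded copy (snprintf() with sizeof protocol) so that a later, longer protocol name cannot reintroduce the overflow; if IPPROTO2STR() yields a string constant, a `const char *protocol` would avoid the copy altogether.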
Thanks. That's now

char protocol[MAX_IPPROTOSTRLEN+1];

in my sources. I expect there to be more bugs, especially in combination with things like scripting, XML etc., so please keep on trying to break it :-)

Updated patchset:

http://daniel.roe.ch/code/nmap/nmap+sctp-20090103-r11609-initscan.diff
http://daniel.roe.ch/code/nmap/nbase+sctp-20090103-r11609-initscan.diff

--
Daniel Roethlisberger
http://daniel.roe.ch/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
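The off-by-one discussed in this thread, as an added illustration that is not part of Daniel's patch or of Nmap's sources: a hypothetical ipproto2str() stands in for the patch's IPPROTO2STR() macro, MAX_IPPROTOSTRLEN is assumed to be the length of the longest name it returns, and the two buffer sizes are the original `char protocol[4]` and the corrected `MAX_IPPROTOSTRLEN+1`. The copy is bounded with snprintf() so a too-small buffer reports truncation instead of overflowing.

```c
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_UDP, IPPROTO_SCTP */

#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132  /* assumed value; older headers lack it */
#endif

/* Assumed: length of the longest name ipproto2str() can return ("sctp"), without NUL. */
#define MAX_IPPROTOSTRLEN 4

/* Hypothetical stand-in for the patch's IPPROTO2STR() macro. */
static const char *ipproto2str(int proto) {
    switch (proto) {
    case IPPROTO_TCP:  return "tcp";
    case IPPROTO_UDP:  return "udp";
    case IPPROTO_SCTP: return "sctp";
    default:           return "?";
    }
}

/* Bounded copy: returns 1 if the name fit, 0 if it was truncated.
 * Unlike strcpy(), it never writes past dst[dstlen-1]. */
static int copy_proto_name(char *dst, size_t dstlen, int proto) {
    int n = snprintf(dst, dstlen, "%s", ipproto2str(proto));
    return n >= 0 && (size_t)n < dstlen;
}

/* Buffer sized as in the original output.cc: room for "tcp"/"udp" only. */
static int fits_in_old_buffer(int proto) {
    char protocol[4];
    return copy_proto_name(protocol, sizeof protocol, proto);
}

/* Buffer sized as in the corrected patch. */
static int fits_in_new_buffer(int proto) {
    char protocol[MAX_IPPROTOSTRLEN + 1];
    return copy_proto_name(protocol, sizeof protocol, proto);
}

/* Sanity check for the constant: every name the table yields must fit. */
static int all_names_fit_max(void) {
    const int protos[] = { IPPROTO_TCP, IPPROTO_UDP, IPPROTO_SCTP };
    size_t i;
    for (i = 0; i < sizeof protos / sizeof protos[0]; i++)
        if (strlen(ipproto2str(protos[i])) > MAX_IPPROTOSTRLEN)
            return 0;
    return 1;
}
```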