Nmap Development: Re: [PATCH] Experimental SCTP scan support

[Daniel Roethlisberger <daniel () roe ch>]

doug () hcsw org <doug () hcsw org> 2009-01-03:
> On Sat, Jan 03, 2009 at 03:48:09AM -0600 or thereabouts, Kris Katterjohn wrote:
> ...
> > *** buffer overflow detected ***: ./nmap terminated
> > ======= Backtrace: =========
> > /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7c44558]
> > /lib/tls/i686/cmov/libc.so.6[0xb7c42680]
> > /lib/tls/i686/cmov/libc.so.6(__strcpy_chk+0x44)[0xb7c41944]
> > ./nmap(_Z15printportoutputP6TargetP8PortList+0x639)[0x8083569]
> > ./nmap(_Z9nmap_mainiPPc+0x2099)[0x8061ea9]
> > ./nmap(main+0x1e4)[0x805cdc4]
> > /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7b60685]
> > ./nmap[0x805cb11]
> [...]
> In this case, gcc has placed run-time checks on strcpy() invocations,
> one of which I think is triggered by the following part of the patch:
>
> -     strcpy(protocol,(current->proto == IPPROTO_TCP)? "tcp": "udp");
> +     strcpy(protocol, IPPROTO2STR(current->proto));
>
> This is in the function printportoutput() in output.cc. Looks
> to me like the problem is that protocol[] is defined as such:
>
>   char protocol[4];
>
> so "sctp\0" is one too many to fit into this buffer.
Thanks.  That's now

  char protocol[MAX_IPPROTOSTRLEN+1];

in my sources.  I expect there to be more bugs, especially in
combination with things like scripting, XML etc., so please keep
on trying to break it :-)

Updated patchset:

http://daniel.roe.ch/code/nmap/nmap+sctp-20090103-r11609-initscan.diff
http://daniel.roe.ch/code/nmap/nbase+sctp-20090103-r11609-initscan.diff

-- 
Daniel Roethlisberger
http://daniel.roe.ch/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org