Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Unbounded memory use in drda-info
From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 9 May 2011 17:54:50 +0200


On May 9, 2011, at 5:05 AM, Sebastian Dragomir wrote:

I found that the problem originates in drda.lua, lines 271-275.
Script gets stuck in this loop forever because "data" is less than 4
characters so "pos" will always be -1 due to line 323.
This is because recv does not read all the needed bytes on line 255 due to
the EOF.

Thanks Sebastian. I will look at the patch later tonight.
Unfortunately that piece of code (my buffered socket class) is duplicated into 7 other libraries which will all need 
patching.
I should have probably factored it out to a single library a long time ago. David, should I do so at the same time I 
fix this, and if so what should I name the library?
I would of course prefer being able to call receive_bytes directly with the exact number of bytes to read, rather than 
the minimum.
I know this has been discussed in the past [1] but I'm not certain about the current status.


receive_bytes does not seem to guarantee it will return a minimum n bytes
even though the wording in its documentation might suggest so.
It sets NSE_STATUS_SUCCESS even when not all bytes have been received in
nsock/src/nsock_core.c line 736, which may or may not be intended for
receive_bytes.

Here is a patch for drda.lua.



Thanks,
Sebastian



[1] http://seclists.org/nmap-dev/2010/q3/709

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault