Fix out-of-bounds reads. Closes #2954

2025-12-06 04:31:29 +00:00 · 2025-02-27 16:42:05 +00:00
parent d0a94ce3a9
commit 068dd4b0df
3 changed files with 9 additions and 2 deletions
--- a/3
+++ b/3
@@ -1,5 +1,8 @@
 #Nmap Changelog ($Id$); -*-text-*-

+o [GH#2954] Fix 2 potential crashes in parsing IPv6 extension headers
+  discovered using AFL++ fuzzer. [Domen Puncer Kugler, Daniel Miller]
+
 o [Nping] Bind raw socket to device when possible. This was already done for
  IPv6, but was needed for IPv4 L3 tunnels. [ValdikSS]

--- a/libnetutil/HopByHopHeader.cc
+++ b/libnetutil/HopByHopHeader.cc
@@ -169,7 +169,7 @@ int HopByHopHeader::validate(){
        +-+-+-+-+-+-+-+-+  */
        case EXTOPT_PAD1:
          curr_pnt++; /* Skip one octet */
-          bytes_left++;
+          bytes_left--;
        break;

        /* PadN
--- a/libnetutil/PacketParser.cc
+++ b/libnetutil/PacketParser.cc
@@ -572,6 +572,7 @@ pkt_type_t *PacketParser::parse_packet(const u8 *pkt, size_t pktlen, bool eth_in
                    }else{
                        finished=true;
                    }
+                    continue;
                  }
                }
              }
@@ -591,7 +592,7 @@ pkt_type_t *PacketParser::parse_packet(const u8 *pkt, size_t pktlen, bool eth_in

  /* If we couldn't validate some header, treat that header and any remaining
   * data, as raw application data. */
-  if (unknown_hdr==true){
+  if (unknown_hdr==true && current_header < MAX_HEADERS_IN_PACKET) {
    if(curr_pktlen>0){
        if(PKTPARSERDEBUG)puts("Unknown layer found. Treating it as raw data.");
        this_packet[current_header].length=curr_pktlen;
@@ -599,6 +600,9 @@ pkt_type_t *PacketParser::parse_packet(const u8 *pkt, size_t pktlen, bool eth_in
    }
  }

+  /* Ensure the sentinel value is correct: */
+  assert(current_header <= MAX_HEADERS_IN_PACKET);
+  this_packet[current_header].length = 0;
  return this_packet;
 } /* End of parse_received_packet() */