diff --git a/CHANGELOG b/CHANGELOG
index f1d92873c..90a4c7ef5 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 #Nmap Changelog ($Id$); -*-text-*-
 
+o [GH#2954] Fix 2 potential crashes in parsing IPv6 extension headers
+  discovered using AFL++ fuzzer. [Domen Puncer Kugler, Daniel Miller]
+
 o [Nping] Bind raw socket to device when possible. This was already done for IPv6, but was needed for IPv4 L3 tunnels. [ValdikSS]
diff --git a/libnetutil/HopByHopHeader.cc b/libnetutil/HopByHopHeader.cc
index 8186a0b77..211bdbe7a 100644
--- a/libnetutil/HopByHopHeader.cc
+++ b/libnetutil/HopByHopHeader.cc
@@ -169,7 +169,7 @@ int HopByHopHeader::validate(){
 +-+-+-+-+-+-+-+-+ */
 case EXTOPT_PAD1:
 curr_pnt++; /* Skip one octet */
-bytes_left++;
+bytes_left--;
 break;
 
 /* PadN
diff --git a/libnetutil/PacketParser.cc b/libnetutil/PacketParser.cc
index b9dadc9c1..a38001ba1 100644
--- a/libnetutil/PacketParser.cc
+++ b/libnetutil/PacketParser.cc
@@ -572,6 +572,7 @@ pkt_type_t *PacketParser::parse_packet(const u8 *pkt, size_t pktlen, bool eth_in
 }else{
 finished=true;
 }
+continue;
 }
 }
 }
@@ -591,7 +592,7 @@ pkt_type_t *PacketParser::parse_packet(const u8 *pkt, size_t pktlen, bool eth_in
 /* If we couldn't validate some header, treat that header and any remaining
 * data, as raw application data. */
-if (unknown_hdr==true){
+if (unknown_hdr==true && current_header < MAX_HEADERS_IN_PACKET) {
 if(curr_pktlen>0){
 if(PKTPARSERDEBUG)puts("Unknown layer found. Treating it as raw data.");
 this_packet[current_header].length=curr_pktlen;
@@ -599,6 +600,9 @@ pkt_type_t *PacketParser::parse_packet(const u8 *pkt, size_t pktlen, bool eth_in
 }
 }
 
+/* Ensure the sentinel value is correct: */
+assert(current_header <= MAX_HEADERS_IN_PACKET);
+
 this_packet[current_header].length = 0;
 return this_packet;
 } /* End of parse_received_packet() */
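Review bot: The corrected `bytes_left--` is only safe if the loop enclosing this switch checks `bytes_left > 0` before dispatching on the option type; that guard is not in the hunk, and HopByHopHeader::validate() starts and ends outside it, so confirm the guard rather than rely on this case alone. The case would also benefit from stating why Pad1 consumes exactly one octet, e.g. `/* Pad1: single-octet option, no length field (RFC 8200 §4.2) */` above `curr_pnt++`. Since the commit credits an AFL++ finding, a regression fixture exercising the fixed path would keep this from regressing; none is included in the diff.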
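Review bot: The `continue;` added after the else block carries no comment saying why the remainder of the loop body must be skipped on this path, and the loop it belongs to begins outside the hunk, so the intent is not reviewable from here. Presumably the code that follows advances to the next header and must not run once `finished` has been set or the branch above has already consumed the header; a one-line comment such as `/* This branch already handled the current header; do not fall through to the common advance logic below */` (adjusted to whatever actually follows) would make that explicit.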
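Review bot: With the new `current_header < MAX_HEADERS_IN_PACKET` condition, a packet whose header count reaches the limit while `curr_pktlen > 0` now has its trailing bytes dropped silently, whereas the other path emits a PKTPARSERDEBUG message; consider `else if (PKTPARSERDEBUG && curr_pktlen > 0) puts("Header limit reached; trailing data ignored.");` or at least a comment stating that the discard is intentional. On the same line, `unknown_hdr==true` can simply be `unknown_hdr`. parse_packet() continues outside the hunk on both sides.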
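Review bot: The closing comment `} /* End of parse_received_packet() */` names a different function than the one in the hunk header, `PacketParser::parse_packet`; it should read `} /* End of parse_packet() */`. The new `assert(current_header <= MAX_HEADERS_IN_PACKET)` also compiles away under NDEBUG, so if the invariant is ever violated while parsing untrusted packets, `this_packet[current_header].length = 0` on the next line would still write past the array in a release build. A comment such as `/* this_packet must have MAX_HEADERS_IN_PACKET+1 slots so the sentinel always fits (assumption: verify against the declaration) */` would document why `<=` is the correct bound, and a hard check (return an error or clamp to the sentinel slot) would not depend on build flags.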