PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-07 21:21:31 +00:00
Code Issues Projects Releases Wiki Activity

Fix out-of-bounds reads. Closes #2954

Browse Source
This commit is contained in:
dmiller
2025-02-27 16:42:05 +00:00
parent d0a94ce3a9
commit 068dd4b0df
3 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG
View File

@@ -1,5 +1,8 @@
#Nmap Changelog ($Id$); -*-text-*- #Nmap Changelog ($Id$); -*-text-*-
o [GH#2954] Fix 2 potential crashes in parsing IPv6 extension headers
discovered using AFL++ fuzzer. [Domen Puncer Kugler, Daniel Miller]
o [Nping] Bind raw socket to device when possible. This was already done for o [Nping] Bind raw socket to device when possible. This was already done for
IPv6, but was needed for IPv4 L3 tunnels. [ValdikSS] IPv6, but was needed for IPv4 L3 tunnels. [ValdikSS]

2
libnetutil/HopByHopHeader.cc
View File

@@ -169,7 +169,7 @@ int HopByHopHeader::validate(){
+-+-+-+-+-+-+-+-+ */ +-+-+-+-+-+-+-+-+ */
case EXTOPT_PAD1: case EXTOPT_PAD1:
curr_pnt++; /* Skip one octet */ curr_pnt++; /* Skip one octet */
bytes_left++; bytes_left--;
break; break;
/* PadN /* PadN

6
libnetutil/PacketParser.cc
View File

@@ -572,6 +572,7 @@ pkt_type_t *PacketParser::parse_packet(const u8 *pkt, size_t pktlen, bool eth_in
}else{ }else{
finished=true; finished=true;
} }
continue;
} }
} }
} }
@@ -591,7 +592,7 @@ pkt_type_t *PacketParser::parse_packet(const u8 *pkt, size_t pktlen, bool eth_in
/* If we couldn't validate some header, treat that header and any remaining /* If we couldn't validate some header, treat that header and any remaining
* data, as raw application data. */ * data, as raw application data. */
if (unknown_hdr==true){ if (unknown_hdr==true && current_header < MAX_HEADERS_IN_PACKET) {
if(curr_pktlen>0){ if(curr_pktlen>0){
if(PKTPARSERDEBUG)puts("Unknown layer found. Treating it as raw data."); if(PKTPARSERDEBUG)puts("Unknown layer found. Treating it as raw data.");
this_packet[current_header].length=curr_pktlen; this_packet[current_header].length=curr_pktlen;
@@ -599,6 +600,9 @@ pkt_type_t *PacketParser::parse_packet(const u8 *pkt, size_t pktlen, bool eth_in
} }
} }
/* Ensure the sentinel value is correct: */
assert(current_header <= MAX_HEADERS_IN_PACKET);
this_packet[current_header].length = 0;
return this_packet; return this_packet;
} /* End of parse_received_packet() */ } /* End of parse_received_packet() */