PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00
Code Issues Projects Releases Wiki Activity

Fix a reported 1-byte overflow

Browse Source
This commit is contained in:
dmiller
2025-07-05 00:06:58 +00:00
parent 459c3c69fe
commit 0945b9bd0b
2 changed files with 9 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG
View File

@@ -1,5 +1,9 @@
#Nmap Changelog ($Id$); -*-text-*-
o Fixed an issue in FTP bounce scan where a single null byte is written past
the end of the receive buffer. The issue is triggered by a malicious server
but does not cause a crash with default builds. [Tyler Zars]
o [GH#3130] Fix a crash (stack overflow due to excessive recursion) in the
parallel DNS resolver. Additionally, improved performance by processing
responses that come after the request has timed out. [Daniel Miller]

10
nmap_ftp.cc
View File

@@ -263,7 +263,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
return;
}
} else { /* Our send is good */
res = recvtime(sd, recvbuf, 2048, 15, NULL);
res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1, 15, NULL);
if (res <= 0) {
perror("recv problem from FTP bounce server");
} else { /* our recv is good */
@@ -286,7 +286,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
privok = true;
}
if (send(sd, "LIST\r\n", 6, 0) > 0 ) {
res = recvtime(sd, recvbuf, 2048, 12, &timedout);
res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1, 12, &timedout);
if (res < 0) {
perror("recv problem from FTP bounce server");
} else if (res == 0) {
@@ -302,10 +302,10 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
/* oh dear, we are not aligned properly */
if (o.verbose || o.debugging)
error("FTP command misalignment detected ... correcting.");
res = recvtime(sd, recvbuf, 2048, 10, NULL);
res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1, 10, NULL);
}
if (recvbuf[0] == '1') {
res = recvtime(sd, recvbuf, 2048, 10, &timedout);
res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1, 10, &timedout);
if (res < 0)
perror("recv problem from FTP bounce server");
else if (timedout || res == 0) {
@@ -314,7 +314,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
target->ports.setPortState(portarray[i], IPPROTO_TCP, PORT_FILTERED);
}
// Get response and discard
res = recvtime(sd, recvbuf, 2048, 10, &timedout);
res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1, 10, &timedout);
recvbuf[0] = '\0';
goto nextport;
}