
Fix a reported 1-byte overflow

This commit is contained in:
dmiller
2025-07-05 00:06:58 +00:00
parent 459c3c69fe
commit 0945b9bd0b
2 changed files with 9 additions and 5 deletions


@@ -1,5 +1,9 @@
#Nmap Changelog ($Id$); -*-text-*- #Nmap Changelog ($Id$); -*-text-*-
o Fixed an issue in FTP bounce scan where a single null byte is written past
the end of the receive buffer. The issue is triggered by a malicious server
but does not cause a crash with default builds. [Tyler Zars]
o [GH#3130] Fix a crash (stack overflow due to excessive recursion) in the o [GH#3130] Fix a crash (stack overflow due to excessive recursion) in the
parallel DNS resolver. Additionally, improved performance by processing parallel DNS resolver. Additionally, improved performance by processing
responses that come after the request has timed out. [Daniel Miller] responses that come after the request has timed out. [Daniel Miller]


@@ -263,7 +263,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
return; return;
} }
} else { /* Our send is good */ } else { /* Our send is good */
res = recvtime(sd, recvbuf, 2048, 15, NULL); res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1, 15, NULL);
if (res <= 0) { if (res <= 0) {
perror("recv problem from FTP bounce server"); perror("recv problem from FTP bounce server");
} else { /* our recv is good */ } else { /* our recv is good */
@@ -286,7 +286,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
privok = true; privok = true;
} }
if (send(sd, "LIST\r\n", 6, 0) > 0 ) { if (send(sd, "LIST\r\n", 6, 0) > 0 ) {
res = recvtime(sd, recvbuf, 2048, 12, &timedout); res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1, 12, &timedout);
if (res < 0) { if (res < 0) {
perror("recv problem from FTP bounce server"); perror("recv problem from FTP bounce server");
} else if (res == 0) { } else if (res == 0) {
@@ -302,10 +302,10 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
/* oh dear, we are not aligned properly */ /* oh dear, we are not aligned properly */
if (o.verbose || o.debugging) if (o.verbose || o.debugging)
error("FTP command misalignment detected ... correcting."); error("FTP command misalignment detected ... correcting.");
res = recvtime(sd, recvbuf, 2048, 10, NULL); res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1, 10, NULL);
} }
if (recvbuf[0] == '1') { if (recvbuf[0] == '1') {
res = recvtime(sd, recvbuf, 2048, 10, &timedout); res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1, 10, &timedout);
if (res < 0) if (res < 0)
perror("recv problem from FTP bounce server"); perror("recv problem from FTP bounce server");
else if (timedout || res == 0) { else if (timedout || res == 0) {
@@ -314,7 +314,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
target->ports.setPortState(portarray[i], IPPROTO_TCP, PORT_FILTERED); target->ports.setPortState(portarray[i], IPPROTO_TCP, PORT_FILTERED);
} }
// Get response and discard // Get response and discard
res = recvtime(sd, recvbuf, 2048, 10, &timedout); res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1, 10, &timedout);
recvbuf[0] = '\0'; recvbuf[0] = '\0';
goto nextport; goto nextport;
} }
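Review bot: The `res` from the re-read after the misalignment correction, `res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1, 10, NULL);` in the third hunk, is never checked before the next line tests `recvbuf[0] == '1'`, so a failed or empty receive there (which every other call site catches with `res <= 0` or `res < 0`) falls through to interpreting whatever the buffer held before. Mirroring the surrounding branches, a guard such as `if (res <= 0) { perror("recv problem from FTP bounce server"); recvbuf[0] = '\0'; }` before the `'1'` test would keep a stale or partial response from being treated as a fresh one; how recvtime leaves the buffer on failure is not visible here, so confirm that against its definition. The `sizeof(recvbuf) - 1` is presumably reserving a byte for a NUL terminator that recvtime writes at `buf[res]`, but nothing at the call sites says so; a one-line comment at the first call, `/* recvtime NUL-terminates, so leave one byte for it */`, would stop a future caller from reintroducing the overflow by passing the full size. bounce_scan begins and ends outside these hunks.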