From 1d5f68a0808c0be12e96dd5146bc2842a2ee1cba Mon Sep 17 00:00:00 2001 From: david Date: Wed, 8 Jul 2009 23:09:35 +0000 Subject: [PATCH] Remove a bogus leftover use of a valid pointer as a throwaway variable in getinterfaces. This was the cause of an overlapping memcpy reported at http://seclists.org/nmap-dev/2009/q2/0713.html. In the code, sin is a pointer that holds the address of the IP address configured for an interface. It is copied into a tmpifr.ifr_addr before each ioctl, perhaps because that is required on some platforms even though on Linux only ifr_name is needed by the ioctl. When the ioctl returns, it overwrites whatever was in ifr_addr because that member is in a union, so sin is kept in order to restore the address again before the next ioctl. In the code that handles SIOCGIFNETMASK, sin was mistakenly used as a temporary pointer and redirected to &tmpifr.ifr_addr. This caused all future memcpys before ioctl to copy tmpifr.ifr_addr to itself, rather than copying in the IP address of the interface. The throwaway sin assignment was not even used; the code that used it was modified in r2751. So now we just keep sin pointing where it should the whole time. --- tcpip.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tcpip.cc b/tcpip.cc index 5f3a3e836..9b43e466f 100644 --- a/tcpip.cc +++ b/tcpip.cc @@ -2995,7 +2995,8 @@ static struct interface_info *getinterfaces_siocgifconf(int *howmany) { else if (rc < 0) mydevs[numifaces].netmask_bits = 32; else { - sin = (struct sockaddr_in *) &(tmpifr.ifr_addr); /* ifr_netmask only on Linux */ + /* We would use ifr_netmask, but that's only on Linux, so use ifr_addr + which shares the same memory space in a union. */ addr_stob(&(tmpifr.ifr_addr), &mydevs[numifaces].netmask_bits); }