o Fixed a bug in the IP validation code which would have let a specially
crafted reply sent from a host on the same LAN slip through and cause Nmap to segfault. Thanks to ithilgore of sock-raw.homeunix.org for the very detailed bug report. [Kris]
@@ -1,5 +1,10 @@
|
|||||||
# Nmap Changelog ($Id$); -*-text-*-
|
# Nmap Changelog ($Id$); -*-text-*-
|
||||||
|
|
||||||
|
o Fixed a bug in the IP validation code which would have let a specially
|
||||||
|
crafted reply sent from a host on the same LAN slip through and cause
|
||||||
|
Nmap to segfault. Thanks to ithilgore of sock-raw.homeunix.org for
|
||||||
|
the very detailed bug report. [Kris]
|
||||||
|
|
||||||
o [Zenmap] The crash reporter is more respectful of user privacy. It
|
o [Zenmap] The crash reporter is more respectful of user privacy. It
|
||||||
shows all the information that will be submitted so you can edit it
|
shows all the information that will be submitted so you can edit it
|
||||||
to remove identifying information such as the name of your home
|
to remove identifying information such as the name of your home
|
||||||
|
|||||||
14
tcpip.cc
14
tcpip.cc
@@ -1947,9 +1947,11 @@ static bool validateTCPhdr(u8 *tcpc, unsigned len)
|
|||||||
*
|
*
|
||||||
* Checking the IP total length (iplen) to see if its at least as large as the
|
* Checking the IP total length (iplen) to see if its at least as large as the
|
||||||
* number of bytes read (len) does not work because things like the Ethernet
|
* number of bytes read (len) does not work because things like the Ethernet
|
||||||
* CRC also get captured and are counted in len. Therefore, after the IP total
|
* CRC also get captured and are counted in len. However, since the IP total
|
||||||
* length is considered reasonable, iplen is used instead of len. readip_pcap
|
* length field can't be trusted, we use len instead of iplen when doing any
|
||||||
* fixes the length on it's end after this is validated.
|
* further checks on lengths. readip_pcap fixes the length on it's end if we
|
||||||
|
* read more than the IP header says we should have so as to not pass garbage
|
||||||
|
* data to the caller.
|
||||||
*/
|
*/
|
||||||
static bool validatepkt(u8 *ipc, unsigned len)
|
static bool validatepkt(u8 *ipc, unsigned len)
|
||||||
{
|
{
|
||||||
@@ -1994,19 +1996,19 @@ static bool validatepkt(u8 *ipc, unsigned len)
|
|||||||
|
|
||||||
switch (ip->ip_p) {
|
switch (ip->ip_p) {
|
||||||
case IPPROTO_TCP:
|
case IPPROTO_TCP:
|
||||||
if (iphdrlen + sizeof(struct tcp_hdr) > iplen) {
|
if (iphdrlen + sizeof(struct tcp_hdr) > len) {
|
||||||
if (o.debugging >= 3)
|
if (o.debugging >= 3)
|
||||||
error("Rejecting TCP packet because of incomplete header");
|
error("Rejecting TCP packet because of incomplete header");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (!validateTCPhdr(ipc + iphdrlen, iplen - iphdrlen)) {
|
if (!validateTCPhdr(ipc + iphdrlen, len - iphdrlen)) {
|
||||||
if (o.debugging >= 3)
|
if (o.debugging >= 3)
|
||||||
error("Rejecting TCP packet because of bad TCP header");
|
error("Rejecting TCP packet because of bad TCP header");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case IPPROTO_UDP:
|
case IPPROTO_UDP:
|
||||||
if (iphdrlen + sizeof(struct udp_hdr) < iplen)
|
if (iphdrlen + sizeof(struct udp_hdr) < len)
|
||||||
break;
|
break;
|
||||||
if (o.debugging >= 3)
|
if (o.debugging >= 3)
|
||||||
error("Rejecting UDP packet because of incomplete header");
|
error("Rejecting UDP packet because of incomplete header");
|
||||||
|
|||||||
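Review bot: The UDP branch on the new side keeps a strict comparison, `if (iphdrlen + sizeof(struct udp_hdr) < len)`, so a datagram whose captured length is exactly the IP header plus the 8-byte UDP header falls through to "Rejecting UDP packet because of incomplete header" even though its header is complete, while the TCP branch accepts the equal case (`> len` rejects only an actual overrun). Unless empty UDP datagrams are meant to be dropped, the two should agree: `if (iphdrlen + sizeof(struct udp_hdr) <= len)`. The inequality direction predates this commit, but switching the bound from iplen to len is the natural moment to fix it, since len is now what keeps the header reads inside the captured buffer. Separately, the rewritten comment in the first hunk reads "fixes the length on it's end" — that should be `its`. validatepkt's body continues past the end of the hunk.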