PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-27 09:59:04 +00:00
Code Issues Projects Releases Wiki Activity

Change the way ScriptResult::get_id and ScriptResult::get_output work to avoid

Browse Source 
referencing deallocated memory.

The class was defined basically as follows:

class ScriptResult
{
private:
	std::string output;
public:
	std::string get_output() const
	{
		return this->output;
	}
};

The problem was when it was used like this, as in our script output
routines:

const char *s = sr.get_output().c_str();
printf("%s\n", s);

The reason is that the temporary std::string returned by get_output goes
out of scope after the line containing it, which invalidates the memory
pointed to by c_str(). By the time of the printf, s may be pointing to
deallocated memory.

This could have been fixed by returning a const reference that would
remain valid as long as the ScriptResult's output member is valid:

	const std::string& get_output() const
	{
		return this->output;
	}

However I noticed that get_output() was always immediately followed by a
c_str(), so I just had get_output return that instead, which has the
same period of validity.

This problem became visiable when compiling with Visual C++ 2010. The
first four bytes of script output in normal output would be garbage
(probably some kind of free list pointer). It didn't happen in XML
output, because the get_output-returned string happened to remain in
scope during that.
This commit is contained in:
david
2010-11-09 19:47:18 +00:00
parent 6f370e012d
commit 69e1295384
3 changed files with 14 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
output.cc
View File

@@ -425,7 +425,7 @@ static char *formatScriptOutput(ScriptResult sr) {
std::string result;
unsigned int i;
c_output = sr.get_output().c_str();
c_output = sr.get_output();
p = c_output;
while (*p != '\0') {
@@ -447,7 +447,7 @@ static char *formatScriptOutput(ScriptResult sr) {
else
result += "|_";
if (i == 0)
result += sr.get_id() + ": ";
result += std::string(sr.get_id()) + ": ";
result += lines[i];
if (i < lines.size() - 1)
result += "\n";
@@ -787,8 +787,8 @@ void printportoutput(Target *currenths, PortList *plist) {
for (ssr_iter = current->scriptResults.begin();
ssr_iter != current->scriptResults.end(); ssr_iter++) {
xml_open_start_tag("script");
xml_attribute("id", "%s", ssr_iter->get_id().c_str());
xml_attribute("output", "%s", ssr_iter->get_output().c_str());
xml_attribute("id", "%s", ssr_iter->get_id());
xml_attribute("output", "%s", ssr_iter->get_output());
xml_close_empty_tag();
char *script_output = formatScriptOutput((*ssr_iter));
@@ -1943,8 +1943,8 @@ void printscriptresults(ScriptResults *scriptResults, stype scantype) {
iter != scriptResults->end();
iter++) {
xml_open_start_tag("script");
xml_attribute("id", "%s", iter->get_id().c_str());
xml_attribute("output", "%s", iter->get_output().c_str());
xml_attribute("id", "%s", iter->get_id());
xml_attribute("output", "%s", iter->get_output());
xml_close_empty_tag();
script_output = formatScriptOutput((*iter));
log_write(LOG_PLAIN, "%s\n", script_output);
@@ -1965,8 +1965,8 @@ void printhostscriptresults(Target *currenths) {
iter != currenths->scriptResults.end();
iter++) {
xml_open_start_tag("script");
xml_attribute("id", "%s", iter->get_id().c_str());
xml_attribute("output", "%s", iter->get_output().c_str());
xml_attribute("id", "%s", iter->get_id());
xml_attribute("output", "%s", iter->get_output());
xml_close_empty_tag();
script_output = formatScriptOutput((*iter));
log_write(LOG_PLAIN, "%s\n", script_output);