PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00
Code Issues Projects Releases Wiki Activity

Change the way ScriptResult::get_id and ScriptResult::get_output work to avoid

Browse Source 
referencing deallocated memory.

The class was defined basically as follows:

class ScriptResult
{
private:
	std::string output;
public:
	std::string get_output() const
	{
		return this->output;
	}
};

The problem was when it was used like this, as in our script output
routines:

const char *s = sr.get_output().c_str();
printf("%s\n", s);

The reason is that the temporary std::string returned by get_output goes
out of scope after the line containing it, which invalidates the memory
pointed to by c_str(). By the time of the printf, s may be pointing to
deallocated memory.

This could have been fixed by returning a const reference that would
remain valid as long as the ScriptResult's output member is valid:

	const std::string& get_output() const
	{
		return this->output;
	}

However I noticed that get_output() was always immediately followed by a
c_str(), so I just had get_output return that instead, which has the
same period of validity.

This problem became visiable when compiling with Visual C++ 2010. The
first four bytes of script output in normal output would be garbage
(probably some kind of free list pointer). It didn't happen in XML
output, because the get_output-returned string happened to remain in
scope during that.
This commit is contained in:
david
2010-11-09 19:47:18 +00:00
parent 6f370e012d
commit 69e1295384
3 changed files with 14 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
nse_main.cc
View File

@@ -229,9 +229,9 @@ void ScriptResult::set_output (const char *out)
output = std::string(out); output = std::string(out);
} }
std::string ScriptResult::get_output (void) const const char *ScriptResult::get_output (void) const
{ {
return output; return output.c_str();
} }
void ScriptResult::set_id (const char *ident) void ScriptResult::set_id (const char *ident)
@@ -239,9 +239,9 @@ void ScriptResult::set_id (const char *ident)
id = std::string(ident); id = std::string(ident);
} }
std::string ScriptResult::get_id (void) const const char *ScriptResult::get_id (void) const
{ {
return id; return id.c_str();
} }
ScriptResults *get_script_scan_results_obj (void) ScriptResults *get_script_scan_results_obj (void)

4
nse_main.h
View File

@@ -23,9 +23,9 @@ class ScriptResult
std::string id; std::string id;
public: public:
void set_output (const char *); void set_output (const char *);
std::string get_output (void) const; const char *get_output (void) const;
void set_id (const char *); void set_id (const char *);
std::string get_id (void) const; const char *get_id (void) const;
}; };
typedef std::list<ScriptResult> ScriptResults; typedef std::list<ScriptResult> ScriptResults;

16
output.cc
View File

@@ -425,7 +425,7 @@ static char *formatScriptOutput(ScriptResult sr) {
std::string result; std::string result;
unsigned int i; unsigned int i;
c_output = sr.get_output().c_str(); c_output = sr.get_output();
p = c_output; p = c_output;
while (*p != '\0') { while (*p != '\0') {
@@ -447,7 +447,7 @@ static char *formatScriptOutput(ScriptResult sr) {
else else
result += "|_"; result += "|_";
if (i == 0) if (i == 0)
result += sr.get_id() + ": "; result += std::string(sr.get_id()) + ": ";
result += lines[i]; result += lines[i];
if (i < lines.size() - 1) if (i < lines.size() - 1)
result += "\n"; result += "\n";
@@ -787,8 +787,8 @@ void printportoutput(Target *currenths, PortList *plist) {
for (ssr_iter = current->scriptResults.begin(); for (ssr_iter = current->scriptResults.begin();
ssr_iter != current->scriptResults.end(); ssr_iter++) { ssr_iter != current->scriptResults.end(); ssr_iter++) {
xml_open_start_tag("script"); xml_open_start_tag("script");
xml_attribute("id", "%s", ssr_iter->get_id().c_str()); xml_attribute("id", "%s", ssr_iter->get_id());
xml_attribute("output", "%s", ssr_iter->get_output().c_str()); xml_attribute("output", "%s", ssr_iter->get_output());
xml_close_empty_tag(); xml_close_empty_tag();
char *script_output = formatScriptOutput((*ssr_iter)); char *script_output = formatScriptOutput((*ssr_iter));
@@ -1943,8 +1943,8 @@ void printscriptresults(ScriptResults *scriptResults, stype scantype) {
iter != scriptResults->end(); iter != scriptResults->end();
iter++) { iter++) {
xml_open_start_tag("script"); xml_open_start_tag("script");
xml_attribute("id", "%s", iter->get_id().c_str()); xml_attribute("id", "%s", iter->get_id());
xml_attribute("output", "%s", iter->get_output().c_str()); xml_attribute("output", "%s", iter->get_output());
xml_close_empty_tag(); xml_close_empty_tag();
script_output = formatScriptOutput((*iter)); script_output = formatScriptOutput((*iter));
log_write(LOG_PLAIN, "%s\n", script_output); log_write(LOG_PLAIN, "%s\n", script_output);
@@ -1965,8 +1965,8 @@ void printhostscriptresults(Target *currenths) {
iter != currenths->scriptResults.end(); iter != currenths->scriptResults.end();
iter++) { iter++) {
xml_open_start_tag("script"); xml_open_start_tag("script");
xml_attribute("id", "%s", iter->get_id().c_str()); xml_attribute("id", "%s", iter->get_id());
xml_attribute("output", "%s", iter->get_output().c_str()); xml_attribute("output", "%s", iter->get_output());
xml_close_empty_tag(); xml_close_empty_tag();
script_output = formatScriptOutput((*iter)); script_output = formatScriptOutput((*iter));
log_write(LOG_PLAIN, "%s\n", script_output); log_write(LOG_PLAIN, "%s\n", script_output);