Fix crash: manage lifetime of now-dynamic test results

FingerPrintResults.cc

@@ -94,6 +94,7 @@ FingerPrintResultsIPv4::~FingerPrintResultsIPv4() {
 
   /* Free OS fingerprints of OS scanning was done */
   for(i=0; i < numFPs; i++) {
+    FPs[i]->erase();
     delete(FPs[i]);
     FPs[i] = NULL;
   }

osscan.cc

@@ -84,13 +84,26 @@ FingerPrintDB::FingerPrintDB() : MatchPoints(NULL) {
 FingerPrintDB::~FingerPrintDB() {
   std::vector<FingerPrint *>::iterator current;
 
-  if (MatchPoints != NULL)
+  if (MatchPoints != NULL) {
+    MatchPoints->erase();
     delete MatchPoints;
-  for (current = prints.begin(); current != prints.end(); current++)
+  }
+  for (current = prints.begin(); current != prints.end(); current++) {
+    (*current)->erase();
     delete *current;
+  }
 }
 
-FingerPrint::FingerPrint() {
+FingerTest::FingerTest(bool allocResults) : name(NULL), results(NULL) {
+  if (allocResults)
+    this->results = new std::vector<struct AVal>;
+}
+
+void FingerTest::erase() {
+  if (this->results) {
+    delete this->results;
+    this->results = NULL;
+  }
 }
 
 void FingerPrint::sort() {
@@ -101,6 +114,13 @@ void FingerPrint::sort() {
   std::stable_sort(tests.begin(), tests.end());
 }
 
+void FingerPrint::erase() {
+  for (std::vector<FingerTest>::iterator t = this->tests.begin();
+      t != this->tests.end(); t++) {
+    t->erase();
+  }
+}
+
 /* Compare an observed value (e.g. "45") against an OS DB expression (e.g.
    "3B-47" or "8|A" or ">10"). Return true iff there's a match. The syntax uses
      < (less than)

osscan.h

@@ -93,6 +93,7 @@ enum dist_calc_method {
 struct AVal {
   const char *attribute;
   const char *value;
+  AVal() : attribute(NULL), value(NULL) {}
 
   bool operator<(const AVal& other) const {
     return strcmp(attribute, other.attribute) < 0;
@@ -126,28 +127,22 @@ struct FingerMatch {
 struct FingerTest {
   const char *name;
   std::vector<struct AVal> *results;
-  FingerTest() : name(NULL), results(NULL) {}
+  FingerTest(bool allocResults=false);
   ~FingerTest() {
     // name is allocated from string_pool
-    // results freed via ~FingerPrint()
+    // results must be freed manually
     }
   bool operator<(const FingerTest& other) const {
     return strcmp(name, other.name) < 0;
   }
+  void erase();
 };
 
 struct FingerPrint {
   FingerMatch match;
   std::vector<FingerTest> tests;
-  FingerPrint();
-  ~FingerPrint() {
-    for (std::vector<FingerTest>::iterator t = this->tests.begin();
-        t != this->tests.end(); t++) {
-      if (t->results)
-        delete t->results;
-    }
-  }
   void sort();
+  void erase();
 };
 /* This structure contains the important data from the fingerprint
    database (nmap-os-db) */

osscan2.cc

@@ -1029,8 +1029,10 @@ HostOsScanStats::~HostOsScanStats() {
   int i;
 
   for (i = 0; i < NUM_FPTESTS; i++) {
-    if (FPtests[i] != NULL)
+    if (FPtests[i] != NULL) {
       delete FPtests[i];
+      FPtests[i] = NULL;
+    }
   }
   for (i = 0; i < 6; i++) {
     if (TOps_AVs[i])
@@ -1148,9 +1150,10 @@ void HostOsScanStats::initScanStats() {
 
   FP = NULL;
   for (i = 0; i < NUM_FPTESTS; i++) {
-    if (FPtests[i] != NULL)
+    if (FPtests[i] != NULL) {
       delete FPtests[i];
-    FPtests[i] = NULL;
+      FPtests[i] = NULL;
+    }
   }
   for (i = 0; i < 6; i++) {
     if (TOps_AVs[i])
@@ -2048,7 +2051,7 @@ void HostOsScan::makeFP(HostOsScanStats *hss) {
       /* We create a Resp (response) attribute with value of N (no) because
          it is important here to note whether responses were or were not
          received */
-      hss->FPtests[i] = new FingerTest;
+      hss->FPtests[i] = new FingerTest(true);
       AV.attribute = "R";
       AV.value = "N";
       hss->FPtests[i]->results->push_back(AV);