
Fix buffer overflow in parse_resolvconf()

String ipaddr was allocated without allowing space for the null
terminator, resulting in a 1-byte overflow. Caught with clang
-fsanitize=address

Also, fmt was being initialized with sizeof(ipaddr), which happened to
be correct, but need not be in general. We don't care about the
size of the array, but rather the length of an address in string
notation.
This commit is contained in:
dmiller
2013-11-25 18:35:49 +00:00
parent ff7a0ea10d
commit acbf533dcb


@@ -986,7 +986,7 @@ static void parse_resolvdotconf() {
FILE *fp;
char buf[2048], *tp;
char fmt[32];
char ipaddr[INET6_ADDRSTRLEN];
char ipaddr[INET6_ADDRSTRLEN+1];
fp = fopen("/etc/resolv.conf", "r");
if (fp == NULL) {
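Review bot: The `+1` on the new `ipaddr` declaration is correct only because the `%Ns` conversion built later in this function stores up to N characters plus a terminating NUL, and nothing at the declaration records that; the buffer size and the format width are now two independent uses of INET6_ADDRSTRLEN that can drift apart. A comment tying them together would help, e.g. `char ipaddr[INET6_ADDRSTRLEN+1]; /* sscanf %<width>s stores width chars + NUL; width is INET6_ADDRSTRLEN below */`, or a single named width constant used in both places. The comment in the following hunk, `/* Customize a sscanf format to sizeof(ipaddr). */`, no longer matches the new Snprintf call, which passes INET6_ADDRSTRLEN rather than sizeof(ipaddr), and should be updated with it. parse_resolvdotconf's body continues outside this hunk.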
@@ -994,8 +994,7 @@ static void parse_resolvdotconf() {
return;
}
/* Customize a sscanf format to sizeof(ipaddr). */
Snprintf(fmt, sizeof(fmt), "nameserver %%%us", (unsigned int) sizeof(ipaddr));
Snprintf(fmt, sizeof(fmt), "nameserver %%%us", INET6_ADDRSTRLEN);
while (fgets(buf, sizeof(buf), fp)) {
tp = buf;