From acbf533dcb761e88da5dd8f288d1c0392ca0a7e1 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Mon, 25 Nov 2013 18:35:49 +0000
Subject: [PATCH] Fix buffer overflow in parse_resolvconf()

String ipaddr was allocated without allowing space for the null terminator, resulting in a 1-byte overflow. Caught with clang -fsanitize=address

Also, fmt was being initialized with sizeof(ipaddr), which happened to be correct, but should not necessarily be so. We don't care about the size of the structure, but rather the length of an address in string notation.
---
 nmap_dns.cc | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/nmap_dns.cc b/nmap_dns.cc
index 0c8997bf7..e1b17fbe2 100644
--- a/nmap_dns.cc
+++ b/nmap_dns.cc
@@ -986,7 +986,7 @@ static void parse_resolvdotconf() {
   FILE *fp;
   char buf[2048], *tp;
   char fmt[32];
-  char ipaddr[INET6_ADDRSTRLEN];
+  char ipaddr[INET6_ADDRSTRLEN+1];
 
   fp = fopen("/etc/resolv.conf", "r");
   if (fp == NULL) {
@@ -994,8 +994,7 @@ static void parse_resolvdotconf() {
     return;
   }
 
-  /* Customize a sscanf format to sizeof(ipaddr). */
-  Snprintf(fmt, sizeof(fmt), "nameserver %%%us", (unsigned int) sizeof(ipaddr));
+  Snprintf(fmt, sizeof(fmt), "nameserver %%%us", INET6_ADDRSTRLEN);
 
   while (fgets(buf, sizeof(buf), fp)) {
     tp = buf;
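Review bot: The buffer size `INET6_ADDRSTRLEN+1` in the first hunk and the scanf field width `INET6_ADDRSTRLEN` passed to `Snprintf` in the second hunk are now coupled only by convention; the overflow stays fixed only while the width is at most `sizeof(ipaddr) - 1`, and nothing in the code expresses that invariant, so a later edit to either line alone reintroduces the one-byte overrun. Deriving the width from the buffer makes it self-enforcing: `Snprintf(fmt, sizeof(fmt), "nameserver %%%us", (unsigned int) (sizeof(ipaddr) - 1));`, where the `- 1` reserves the terminator that `sscanf`'s `%s` always appends — the part the removed `sizeof(ipaddr)` version got wrong. The cast also keeps the argument the exact `unsigned int` that `%u` expects; `INET6_ADDRSTRLEN` is an `int` constant, which works in practice but is formally mismatched. A one-line comment on the width, such as `/* width must leave one byte for sscanf's terminator */`, would replace the comment the second hunk deletes. Both hunks are inside parse_resolvdotconf(), whose body begins before and continues past them.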