mirror of https://github.com/nmap/nmap.git synced 2026-01-04 05:39:01 +00:00

Fix a stack overrun in ncat's -g option

Because of the postincrement and <= operators, the parsing could write
as many as 10 struct in_addr into an array allocated for only 8.
Execution would stop because of a later check. Instead, we use
preincrement and < operator to do bounds checking, and check for the
"too many specified" condition with another call to strtok (which should
return NULL if there were no more hops to parse).
dmiller
2014-11-11 22:15:50 +00:00
parent 877eee826c
commit e4417d132e


@@ -382,8 +382,8 @@ int main(int argc, char *argv[])
a, gai_strerror(rc));
}
o.srcrtes[o.numsrcrtes] = addr.in.sin_addr;
} while (o.numsrcrtes++ <= 8 && (a = strtok(NULL, ",")));
if (o.numsrcrtes > 8)
} while (++o.numsrcrtes < 8 && (a = strtok(NULL, ",")));
if (strtok(NULL, ","))
bye("Sorry, you gave too many source route hops.");
break;
}
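Review bot: The bound is still tested only after the store `o.srcrtes[o.numsrcrtes] = addr.in.sin_addr;`, because the loop is a do-while, so the write is in bounds only if o.numsrcrtes is below 8 when the loop is entered. The start of the loop and of this option case lie outside the hunk, but if -g can be given more than once and the counter carries over between occurrences, a second -g after eight hops would store into index 8 before `++o.numsrcrtes < 8` is evaluated. A guard placed ahead of the store, `if (o.numsrcrtes >= 8) bye("Sorry, you gave too many source route hops.");`, would close that however the loop is reached. The literal 8 also has to be kept equal to the array's declared length by hand; if srcrtes is a fixed-size array member, deriving the limit from it, e.g. `sizeof(o.srcrtes) / sizeof(o.srcrtes[0])`, keeps the check and the allocation from drifting apart.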