first is a pointer was kept to the beginning of the packet payload, and
it was increased based on the varying size of the ICMP header. But its
type was pointer to u32 instead of pointer to u8, so the expression
datastart += 12 actually increased the pointer by 48 bytes, leaving
garbage in the first 36 bytes of the payload and making it possible for
the buffer to overflow. The second was that the remaining space left in
the buffer was not decreased when the datastart was increased, again
making it possible to overflow. I got a reliable segmentation fault with
the command
nmap -PP 1.2.3.4 --data-length 1480
nse_gettarget (lua_State *L, int index);
to replace the current_hosts static variable shared between nse_main.cc
and nse_nmaplib.cc. This improves locality and offers a clearer interface.
and freed. This is unintended and may cause a segfault. We fix this by replacing
the current_hosts table with a new empty table when scanning a new host group.
See [1] for more information.
[1] http://seclists.org/nmap-dev/2009/q3/0782.html
which resolve to the same IP to have script output placed under the correct
(virtual) host. Previously, all script output would be "randomly but
deterministically" placed under one of these hosts. Other problems include
having port information changed for only one of the virtual hosts.
inactive at the moment because its ports 9100-9107 are in the default
Exclude list. (In fact, they are the default exclude list.) Users will
have to comment out the Exclude line to test these.
remain selected after aggregating another scan or running a filter
(as long as they are still up and visible). Before the selection was
lost whenever the scan inventory was changed.
Nmap used two functions: one of them, hdump(), just printed raw hex bytes
(no ASCII equivalents) and the other one, lamont_hdump() had a bug when
printing buffers where bufflen%16==3. A new function has been implemented
from scratch, that basically produces the same output as Wireshark.
Output looks like this:
0000 e8 60 65 86 d7 86 6d 30 35 97 54 87 ff 67 05 9e .`e...m05.T..g..
0010 07 5a 98 c0 ea ad 50 d2 62 4f 7b ff e1 34 f8 fc .Z....P.bO{..4..
0020 c4 84 0a 6a 39 ad 3c 10 63 b2 22 c4 24 40 f4 b1 ...j9.<.c.".$@..
Changes:
- The new hexdump() function has been added to nbase.
- Old hdump() and lamont_dump() have been removed from nmap's code.
- A wrapper to the new hexdump(), called nmap_hexdump(), has been added
to nmap's utils.cc. The wrapper basically prints the buffer returned
by hexdump() using nmap's log_write() function.
test teh return value, not the (unchanged) value we passed in. This
would cause a segmentation fault instead of a fatal error if nmap-os-db
ended in a Fingerprint line that didn't have a terminating newline.
first iteration. This can't happen with the current data definitions,
but if it did it would result in memcpy being passed a null pointer.
(memcpy would be asked to do a zero-byte copy, so it would probably be
okay anyway, but it's better to be safe.)
