mirror of
https://github.com/nmap/nmap.git
synced 2025-12-15 12:19:02 +00:00
first is that a pointer was kept to the beginning of the packet payload, and it was increased based on the varying size of the ICMP header. But its type was pointer to u32 instead of pointer to u8, so the expression datastart += 12 actually increased the pointer by 48 bytes, leaving garbage in the first 36 bytes of the payload and making it possible for the buffer to overflow. The second was that the remaining space left in the buffer was not decreased when the datastart was increased, again making it possible to overflow. I got a reliable segmentation fault with the command nmap -PP 1.2.3.4 --data-length 1480
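An added illustration of the two defects the commit message describes, written for this page and not taken from nmap's code: the pointer-scaling error (a u32 pointer advanced by 12 moves 48 bytes) and the missing decrement of the remaining-space count. Buffer size, names and the helper functions are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration; not nmap's code. Names and sizes are made up. */
enum { PKT_BUF = 64 };

/* Defect 1: the data-start pointer had type u32*, so "+= 12" advanced it by
 * 12 * sizeof(uint32_t) = 48 bytes. Returns the byte offset actually reached. */
size_t buggy_datastart_offset(size_t icmp_hdr_extra) {
    uint32_t words[PKT_BUF / sizeof(uint32_t)];
    uint32_t *datastart = words;            /* wrong element type */
    datastart += icmp_hdr_extra;            /* scaled by sizeof(*datastart) */
    return (size_t)((uint8_t *)datastart - (uint8_t *)words);
}

/* Corrected bookkeeping: a byte pointer plus a remaining-bytes count that
 * shrinks every time datastart moves (defect 2 was never decrementing it). */
typedef struct {
    uint8_t  buf[PKT_BUF];
    uint8_t *datastart;   /* byte pointer: "+= 12" moves exactly 12 bytes */
    size_t   remaining;   /* bytes still free from datastart to end of buf */
} pkt_t;

void pkt_init(pkt_t *p) {
    memset(p->buf, 0, sizeof p->buf);
    p->datastart = p->buf;
    p->remaining = sizeof p->buf;
}

/* Skip a header of hdrlen bytes; refuses instead of running past the end. */
bool pkt_skip_header(pkt_t *p, size_t hdrlen) {
    if (hdrlen > p->remaining) return false;
    p->datastart += hdrlen;
    p->remaining -= hdrlen;
    return true;
}

/* Copy caller data (e.g. --data-length padding) only if it still fits. */
bool pkt_append_data(pkt_t *p, const uint8_t *data, size_t len) {
    if (len > p->remaining) return false;   /* would overflow: refuse */
    memcpy(p->datastart, data, len);
    p->datastart += len;
    p->remaining -= len;
    return true;
}

/* Whole sequence with the fixed bookkeeping: does hdrlen + datalen fit? */
bool fixed_payload_fits(size_t hdrlen, size_t datalen) {
    uint8_t data[PKT_BUF] = {0};
    pkt_t p;
    pkt_init(&p);
    return pkt_skip_header(&p, hdrlen) && pkt_append_data(&p, data, datalen);
}
```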