mirror of https://github.com/nmap/nmap.git, synced 2025-12-07 13:11:28 +00:00
Two issues here: First, IP protocol scan can send packets with protocol 58 (ICMPv6) even over IPv4. This led to a bad interaction where the packet was created (in build_protoscan_packet) without a data payload, but setIP tried to set the packet's Identifier field (present in both ICMPv6 and ICMP Echo Request packets), leading to a heap buffer overflow. Instead, we now only try to set this identifier when the IP version matches the ICMP version, indicating that we set the data payload. The other issue was an out-of-bounds read while packet tracing when an ICMPv6 packet without a payload was sent or received, due to trying to read the type and code. Now we check that the data length is sufficient to contain an ICMPv6 header before attempting to read one. Credit LLVM/Clang's AddressSanitizer with catching these bugs.
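The two checks the commit describes, as an added illustration in plain C (this is not nmap's code and does not use its setIP or build_protoscan_packet; the `struct probe` type, its field names and the helper functions are hypothetical stand-ins): the identifier is written only when the ICMP flavour matches the IP version and the payload actually holds an echo header, and the tracing path refuses to read type and code from a payload shorter than the 4-byte ICMP header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA protocol numbers; named to avoid clashing with <netinet/in.h>. */
#define IPPROTO_ICMP_NUM   1
#define IPPROTO_ICMPV6_NUM 58

/* ICMP and ICMPv6 share the layout: type, code, checksum (4 bytes);
   echo messages add identifier and sequence number (8 bytes total). */
#define ICMP_HDR_LEN      4
#define ICMP_ECHO_HDR_LEN 8

/* Hypothetical probe object standing in for the packet being built. */
struct probe {
    int      ip_version;   /* 4 or 6 */
    uint8_t  protocol;     /* IPv4 protocol / IPv6 next-header number */
    uint8_t *data;         /* transport payload, NULL when none was built */
    size_t   datalen;      /* bytes valid at data */
};

/* True only for ICMP over IPv4 or ICMPv6 over IPv6. A mismatched pair,
   such as protocol 58 inside an IPv4 packet from a protocol scan, is the
   case where no echo payload exists and there is no identifier to set. */
static bool icmp_matches_ip_version(const struct probe *p) {
    return (p->ip_version == 4 && p->protocol == IPPROTO_ICMP_NUM) ||
           (p->ip_version == 6 && p->protocol == IPPROTO_ICMPV6_NUM);
}

/* Writes the echo identifier (bytes 4..5, network byte order). Returns
   false and touches nothing when the version check fails or the payload
   is too short to contain an echo header. */
static bool set_icmp_identifier(struct probe *p, uint16_t id) {
    if (!icmp_matches_ip_version(p)) return false;
    if (p->data == NULL || p->datalen < ICMP_ECHO_HDR_LEN) return false;
    p->data[4] = (uint8_t)(id >> 8);
    p->data[5] = (uint8_t)(id & 0xff);
    return true;
}

/* Reads type and code for packet tracing. Returns false when the payload
   cannot hold even the 4-byte header, rather than reading past its end. */
static bool read_icmp_type_code(const uint8_t *data, size_t datalen,
                                uint8_t *type, uint8_t *code) {
    if (data == NULL || datalen < ICMP_HDR_LEN) return false;
    *type = data[0];
    *code = data[1];
    return true;
}

int main(void) {
    /* Constructed ICMPv6 Echo Request header: type 128, code 0, seq 1. */
    uint8_t echo[ICMP_ECHO_HDR_LEN] = {128, 0, 0, 0, 0, 0, 0, 1};
    struct probe good = {6, IPPROTO_ICMPV6_NUM, echo, sizeof echo};
    /* Protocol 58 carried over IPv4 with no payload: the overflow case. */
    struct probe bad  = {4, IPPROTO_ICMPV6_NUM, NULL, 0};
    uint8_t t = 0, c = 0;

    printf("set id, ICMPv6 over IPv6: %d\n", set_icmp_identifier(&good, 0xBEEF));
    printf("set id, proto 58 over IPv4: %d\n", set_icmp_identifier(&bad, 0xBEEF));
    printf("trace empty payload: %d\n",
           read_icmp_type_code(bad.data, bad.datalen, &t, &c));
    if (read_icmp_type_code(good.data, good.datalen, &t, &c))
        printf("trace echo: type=%u code=%u\n", t, c);
    return 0;
}
```

Both helpers fail closed: a caller that forgets the version or length precondition gets a false return instead of a memory error, which is the property AddressSanitizer was flagging in the original code.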