Nmap Development mailing list archives
Re: [PATCH] NSE - escaping attribute content
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 1 May 2007 19:46:05 +0000
On Tue, 1 May 2007 21:23:54 +0200 plus or minus some time Stoiko Ivanov <stoiko () xover htu tuwien ac at> wrote:
Hi, My name is Stoiko Ivanov - I'm one of the lucky people who got accepted in this years Google Summer of Code (and I'm looking forward to work on Nmap). I'll be enhancing the NSE during this summer and (hopefully) will add some new features to make script-writing easier and even more powerfull.
Welcome. It's great having you guys.
...snip...
I hope my patch fixes the problem (at least it does in the case described in the bug-report)
It does however it also introduces a memory leak. xml_convert() mallocs memory that needs to be freed.
I would be grateful for any comment on the patch, since it's my first one (especially if I've forgotten something, or made anything wrong).
I'm by no means a big contributer to Nmap but here is the line of questioning I go though on my small patches. I think the more talented C/C++ developers on this list are able to make all these decisions in one pass through the code; I cannot: * Were there any theoretical or real memory leaks or security vulnerabilities in the code before I changed anything? * Does the addition or changes to the code cause any vulnerability or memory leak? * Are there any potential interactions or loose ends in the new or modified code that could interfere with any other part of the program? Functions with side effects like xml_convert() could probably use a short comment above them reminding would-be hackers to watch out.
cheers stoiko
Respectfully, Brandon -- Brandon Enright Network Security Analyst UCSD ACS/Network Operations bmenrigh () ucsd edu
Attachment:
signature.asc
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- nmap 4.21 alpha4 escaping attribute content Tim Rupp (Apr 23)
- [PATCH] NSE - escaping attribute content Stoiko Ivanov (May 01)
- Re: [PATCH] NSE - escaping attribute content Tim Rupp (May 01)
- Re: [PATCH] NSE - escaping attribute content Brandon Enright (May 01)
- Re: [PATCH] NSE - escaping attribute content - corrected Stoiko Ivanov (May 05)
- Re: [PATCH] NSE - escaping attribute content - corrected Diman Todorov (May 05)
- [PATCH] NSE - escaping attribute content Stoiko Ivanov (May 01)