Nmap Development mailing list archives

Re: [NSE patch] patch for print_debug calls in scripts without proper formatstring

From: Fyodor <fyodor () insecure org>
Date: Fri, 29 Aug 2008 02:16:51 -0700

On Mon, Aug 25, 2008 at 09:58:11AM +0200, Sven Klemm wrote:


the stdnse.print_debug() function unlike the normal lua print() 
function expects a format specifier similar to string.format().
There are a few scripts which pass non-static data directly to 
print_debug leading to "format string vulnerabilities".
When lua encounters any % with unknown conversion specifier or any 
conversion specifier with unmatched argument given to the 
print_debug() call script execution will stop.

The attached patch fixes the affected scripts.


Thanks Sven!  I've applied this.

-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

[NSE patch] patch for print_debug calls in scripts without proper formatstring Sven Klemm (Aug 25)
- Re: [NSE patch] patch for print_debug calls in scripts without proper formatstring Fyodor (Aug 29)