Nmap Development mailing list archives

Bug when loading command line exclude list


From: Will Cladek <william.cladek () nrl navy mil>
Date: Tue, 19 May 2009 14:10:39 -0400

I found a bug in the load_exclude function in targets.cc.  Here's the affected code:

  else {
    /* If we are parsing command line, load the exclude file from the string */
    p_acBuf=strdup(szExclude);
    pc=strtok(p_acBuf, ",");
    while (NULL != pc) {
      if(excludelist[i].parse_expr(pc,o.af()) == 0) {
        if (o.debugging >1)
          error("Loaded exclude target of: %s", pc);
        ++i;
      }
      /* This is a totally cheezy hack, but since I can't use strtok_r...
       * If you can think of a better way to do this, feel free to change.
       * As for now, we will reset strtok each time we leave parse_expr */
      {
        int hack_i;
        char *hack_c = strdup(szExclude);
        pc=strtok(hack_c, ",");

        for (hack_i = 0; hack_i < i; hack_i++)
          pc=strtok(NULL, ",");
        free(hack_c);   /* pc still points into hack_c: used after free on the next iteration */
      }
    }
  }

The problem is in the "cheezy hack": hack_c is duplicated from the string of excluded hosts and pc is made to point to the next host in that string.  But then hack_c is freed before pc, which points to that freed bit of memory, is used on the next iteration of the while loop, occasionally causing fatal errors.

I've attached my patch which works for nmap-4.85BETA9.

-Will
--- targets.cc.orig     2009-05-19 13:50:03.000000000 -0400
+++ targets.cc  2009-05-19 13:51:59.000000000 -0400
@@ -339,17 +339,17 @@
        * If you can think of a better way to do this, feel free to change.
        * As for now, we will reset strtok each time we leave parse_expr */
       {
-       int hack_i;
-       char *hack_c = strdup(szExclude);
+        free(p_acBuf);
+        int hack_i;
 
-       pc=strtok(hack_c, ",");
+        p_acBuf=strdup(szExclude);
+        pc=strtok(p_acBuf, ",");
 
-        for (hack_i = 0; hack_i < i; hack_i++) 
+        for (hack_i = 0; hack_i < i; hack_i++)
           pc=strtok(NULL, ",");
-
-       free(hack_c);
       }
     } 
+    free(p_acBuf);
   }
   return excludelist;
 }
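Review bot: the added lines in this hunk (`+        free(p_acBuf);`, `+        int hack_i;`, `+        p_acBuf=strdup(szExclude);` and the rest) are indented one column deeper than the removed lines and the surrounding context, so please reindent them to the file's existing style before this is applied. The fix itself is sound: pc now points into p_acBuf, which is only released by the next iteration's free(p_acBuf) after parse_expr has consumed pc, and the new free(p_acBuf) after the loop also closes the leak of the initial strdup that the old code never freed. Two things are still worth tightening: strdup's return value is not checked before strtok walks it, and since this whole block exists only because parse_expr disturbs strtok's hidden state, replacing strtok with a strchr(pc, ',')-based walk over a single copy of szExclude would remove the per-iteration strdup/free and the re-tokenisation from the beginning on every pass.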

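The loop's own comment says strtok has to be reset every time parse_expr returns, i.e. parse_expr itself uses strtok and clobbers the caller's cursor. The C example below is added here and is not nmap's code: parse_expr_stub, count_with_strtok and load_exclude_list are constructed names, the stub only imitates the strtok side effect, and the sample list is made up. It shows the early exit that the clobbering causes and a strtok-free walk that needs no per-iteration strdup/free, so it can never hand the callback a freed pointer.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for TargetGroup::parse_expr(): like the real one it
 * calls strtok() internally, which is what clobbers the caller's strtok() state. */
static int parse_expr_stub(const char *expr)
{
    static char buf[64];
    strncpy(buf, expr, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return strtok(buf, "/") == NULL ? 1 : 0;   /* 0 = parsed OK, as in nmap */
}

/* The pattern the original loop was built on: strtok() in the caller around a
 * callee that also calls strtok(). After the first callback, strtok(NULL, ",")
 * resumes from the callee's exhausted buffer and the loop stops early. */
int count_with_strtok(const char *list, int (*parse)(const char *))
{
    char *copy = malloc(strlen(list) + 1);   /* strdup() in the original */
    int count = 0;
    if (copy == NULL) return -1;
    strcpy(copy, list);
    for (char *pc = strtok(copy, ","); pc != NULL; pc = strtok(NULL, ","))
        if (parse(pc) == 0) count++;
    free(copy);
    return count;
}

/* strtok()-free replacement: the cursor is a local pointer, so the callee may
 * call strtok() freely, and each token is copied into its own bounded buffer
 * before the callback sees it. Accepted tokens go to out[]; returns the count. */
int load_exclude_list(const char *list, int (*parse)(const char *),
                      char out[][64], int max_out)
{
    int count = 0;
    const char *p = list;
    while (*p != '\0' && count < max_out) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len > 0 && len < 64) {               /* skip empty or oversized */
            char token[64];
            memcpy(token, p, len);
            token[len] = '\0';
            if (parse(token) == 0)
                memcpy(out[count++], token, len + 1);
        }
        if (comma == NULL) break;
        p = comma + 1;
    }
    return count;
}
```

With the constructed list "10.0.0.1,192.168.0.0/16,,scanme.nmap.org" the strtok loop accepts only the first host, while load_exclude_list accepts all three non-empty entries.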
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org