Nmap Development mailing list archives

Re: [NSE] Segfault in pcap_gc


From: Djalal Harouni <tixxdz () opendz org>
Date: Wed, 4 Jan 2012 22:01:56 +0100

Hi Henri,

On Wed, Jan 04, 2012 at 06:34:27PM +0100, Henri Doreau wrote:
> Hello,
> 
> I've noticed a crash in NSE (on linux, 64bits). A bug leads to a
> segfault at the end of the execution, after a failed pcap_open() call.

The bug is that mp->pcap_device must be set to 'pcap_device' using
strdup() but it seems that we can miss this one, and later the close call
or the garbage will try to free an invalid pointer.

The path of the bug:
nsock_pcap_open() -> nsock_pcap_set_filter() -> pcap_compile() (fail here).

> I can reproduce reliably with (as root):
> # ./nmap --script pcap_crash -p12345 127.0.0.1
> It seems that pcap_compile() will fail with the specified filter
> "ip and ip6":
> ...: "Error compiling our pcap filter: expression rejects all packets"

And at that time nsock_pcap_open() will return with mp->pcap_device
pointing to some random uninitialized memory.

> The reproducer is attached, as well as the call stack. I've tracked it
> a bit and figured out that in nsock_iod.c:254, mp->pcap_device is set
> to 0x4 but lacked time for further investigations today.
> 
> If I set more ports or change the debug level, it happens that the bug
> isn't triggered.

With -d2 I can trigger the bug! I don't know?

> HTH
> Let me know if I can provide more information.

Can you please test this quick patch? I've found that there is a
safe_zalloc() function available which uses calloc() to clear memory.

This is related to Patrik's r25731 commit [1], this patch should also fix
that problem.

[1] http://seclists.org/nmap-dev/2011/q3/536

> Regards.
> 
> -- 
> Henri

Thanks.

-- 
tixxdz
http://opendz.org

Attachment: nsock_pcap_fix.patch

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
