Nmap Development mailing list archives

Nmap 3.70 crashing


From: "Ganga Bhavani" <GBhavani () everdreamcorp com>
Date: Tue, 14 Sep 2004 20:51:20 -0700


Hi,

I found that Nmap 3.70 is crashing on Windows XP with Service Pack 1 while scanning more than 25 hosts.

I was able to trace this problem to the access violation in set_pcap_filter().
In begin_sniffer() (in scan_engine.cc), pcap_filter is declared as an array of size 3072. This array is filled
with per-host filter information and passed into set_pcap_filter(). For 20 hosts scanned, the size of the string
pcap_filter exceeds 512.
In set_pcap_filter() (in mswin32/winip/winip.c), as buf is declared with size 512, vsprintf() causes the
access violation. The following snippets illustrate the problem.

static void begin_sniffer(UltraScanInfo *USI, vector<Target *> &Targets) {
  char pcap_filter[3072];  <<==== declared as size 3072=======>>
  <snip>
  set_pcap_filter(Targets[0], USI->pd, flt_all, pcap_filter);
  /* pcap_setnonblock(USI->pd, 1, NULL); */

  return;
}

In set_pcap_filter the following code is causing access violation:
void set_pcap_filter(Target *target,
       pcap_t *pd, PFILTERFN filter, char *bpf, ...)
{
  va_list ap;
  char buf[512];  <<=== smaller buffer====>>

  <snip>
  va_start(ap, bpf);
  vsprintf(buf, bpf, ap); <<=== possible access violation ===>>
  va_end(ap);
   ......
}

Please find the winip.c.patch attached with this email. The diff looks as follows:

--- winip.c.org 2004-09-14 19:13:24.786581000 -0700
+++ winip.c     2004-09-14 19:24:04.905934500 -0700
@@ -860,7 +860,7 @@
        pcap_t *pd, PFILTERFN filter, char *bpf, ...)
 {
   va_list ap;
-  char buf[512];
+  char buf[3072]; // same size as bpf ie size of filter in scan_engine.cc
   struct bpf_program fcode;
   unsigned int localnet, netmask;
   char err0r[256];
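Review bot: the `char buf[3072];` on the `+` line is tied to scan_engine.cc's `pcap_filter[3072]` only by the trailing comment, so the next change to either array silently reintroduces the mismatch; define one shared constant (or have begin_sniffer() pass the filter length along with the pointer) and size both arrays from it. Also, winip.c is a C file, so the `// same size as bpf ie ...` comment should be a `/* ... */` comment, and `ie` should read `i.e.`.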
@@ -875,7 +875,10 @@
     ; /* fatal("Failed to lookup device subnet/netmask: %s", err0r);*/

   va_start(ap, bpf);
-  vsprintf(buf, bpf, ap);
+  if (vsnprintf(buf, sizeof(buf), bpf, ap) < 0)
+    {
+      fatal("Failed to copy the filter string %s",bpf);
+    }
   va_end(ap);

   if (o.debugging)
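Review bot: the `if (vsnprintf(buf, sizeof(buf), bpf, ap) < 0)` check does not catch truncation on a C99 vsnprintf, which returns the length the full string would have needed (a non-negative value >= sizeof(buf)) rather than -1, so an over-long filter would be cut short and handed on to pcap_compile() without fatal() ever firing; compare the result against sizeof(buf) as well, e.g. `int n = vsnprintf(buf, sizeof(buf), bpf, ap);` followed by `if (n < 0 || n >= (int)sizeof(buf)) fatal(...)`. On the MSVC runtime, _vsnprintf returns -1 on truncation and may leave buf without a terminating NUL, so it is worth setting `buf[sizeof(buf)-1] = '\0';` before buf is used either way. The fatal() text could also say the filter was truncated rather than "Failed to copy", since that is the condition being reported.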

Thanks,
Ganga     

Attachment: winip.c.patch
Description: winip.c.patch
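As an added illustration (not from the post and not Nmap's code), the following C helper copies a formatted filter string into a fixed buffer the way set_pcap_filter() does, but treats truncation as an error on both C99 and older MSVC runtimes. The per-host filter expression it builds is a constructed shape, assumed for the example, since the post does not show Nmap 3.70's real filter syntax.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Nmap code.  Formats into dst the way set_pcap_filter()
 * copies bpf into buf, but treats truncation as an error.  A C99 vsnprintf
 * returns the length the full string would have needed, so a non-negative
 * result >= dstsz means the filter was cut short; the old MSVC _vsnprintf
 * instead returns -1 and may leave dst unterminated, hence the explicit
 * terminator.  Returns the formatted length, or -1 on error/truncation. */
int format_filter(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dstsz == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    dst[dstsz - 1] = '\0';               /* guard for non-C99 runtimes */
    if (n < 0 || (size_t)n >= dstsz)
        return -1;
    return n;
}

/* Builds a constructed per-host expression ("dst host A or dst host B ...",
 * an assumed shape) for nhosts hosts into a 3072-byte array, like the
 * pcap_filter in begin_sniffer(), then copies it into the caller's buffer
 * as set_pcap_filter() would.  Returns format_filter()'s result, so a
 * 512-byte destination yields -1 once the expression outgrows it. */
int copy_host_filter(int nhosts, char *dst, size_t dstsz)
{
    char filter[3072];
    size_t used = 0;
    int i;

    filter[0] = '\0';
    for (i = 0; i < nhosts; i++) {
        int n = snprintf(filter + used, sizeof(filter) - used,
                         "%sdst host 10.0.%d.%d",
                         i ? " or " : "", i / 256, i % 256);
        if (n < 0 || (size_t)n >= sizeof(filter) - used)
            return -1;                   /* 3072 bytes is finite too */
        used += (size_t)n;
    }
    return format_filter(dst, dstsz, "%s", filter);
}
```

With this shape, 5 hosts fit a 512-byte buffer while 25 hosts (536 bytes) are rejected instead of overrunning it.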

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
