Nmap Development mailing list archives
Nmap 3.70 crashing
From: "Ganga Bhavani" <GBhavani () everdreamcorp com>
Date: Tue, 14 Sep 2004 20:51:20 -0700
Hi,

I found that Nmap 3.70 is crashing on Windows XP with SP1 service pack while scanning more than 25 hosts. I was able to trace this problem to the access violation in set_pcap_filter(). In begin_sniffer() (in scan_engine.cc), the pcap_filter is declared to be an array of size 3072. This array is filled with per host filter information and passed into set_pcap_filter(). For 20 hosts scanned, the size of the string pcap_filter exceeds 512. In set_pcap_filter() (in mswin32/winip/winip.c), as the size of the buf is declared to be 512, vsprintf() is causing the access violation.

The following snippets illustrate the problem.

static void begin_sniffer(UltraScanInfo *USI, vector<Target *> &Targets) {
  char pcap_filter[3072];   <<==== declared as size 3072 =======>>
  <snip>
  set_pcap_filter(Targets[0], USI->pd, flt_all, pcap_filter);
  /* pcap_setnonblock(USI->pd, 1, NULL); */
  return;
}

In set_pcap_filter the following code is causing access violation:

void set_pcap_filter(Target *target, pcap_t *pd, PFILTERFN filter, char *bpf, ...) {
  va_list ap;
  char buf[512];   <<=== smaller buffer ====>>
  <snip>
  va_start(ap, bpf);
  vsprintf(buf, bpf, ap);   <<=== possible access violation ===>>
  va_end(ap);
  ......
}

Please find the winip.c.patch attached with this email. The diff looks as follows:

--- winip.c.org 2004-09-14 19:13:24.786581000 -0700
+++ winip.c 2004-09-14 19:24:04.905934500 -0700
@@ -860,7 +860,7 @@
pcap_t *pd, PFILTERFN filter, char *bpf, ...) {
va_list ap;
- char buf[512];
+ char buf[3072]; // same size as bpf ie size of filter in scan_engine.cc
struct bpf_program fcode;
unsigned int localnet, netmask;
char err0r[256];
@@ -875,7 +875,10 @@
; /* fatal("Failed to lookup device subnet/netmask: %s", err0r);*/
va_start(ap, bpf);
- vsprintf(buf, bpf, ap);
+ if (vsnprintf(buf, sizeof(buf), bpf, ap) < 0)
+ {
+ fatal("Failed to copy the filter string %s",bpf);
+ }
va_end(ap);
if (o.debugging)

Thanks,
Ganga
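Review bot: in the first hunk, `char buf[3072]; // same size as bpf ie size of filter in scan_engine.cc` keeps the two buffers in sync only by a comment, so the next change to pcap_filter[3072] in begin_sniffer() can silently reintroduce the mismatch; suggest a shared constant (e.g. one `PCAP_FILTER_LEN` used for both arrays) or passing the caller's buffer length into set_pcap_filter() instead of duplicating the literal.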
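Review bot: the check in the second hunk, `if (vsnprintf(buf, sizeof(buf), bpf, ap) < 0)`, only catches a format error; vsnprintf() reports truncation with a return value greater than or equal to sizeof(buf), not a negative one, so a filter longer than 3071 bytes would no longer overflow but would be cut short and handed to the BPF compiler as a different expression. Suggest capturing the return value and treating both cases as fatal, e.g. `int n = vsnprintf(buf, sizeof(buf), bpf, ap); if (n < 0 || (size_t)n >= sizeof(buf)) fatal(...)`.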
Attachment:
winip.c.patch
Description: winip.c.patch
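As an added example (not code from the post or from Nmap), the following C routine shows the check the fix needs: vsnprintf() stops the overflow, but truncation has to be detected from its return value, which the posted patch does not do. build_host_filter() and its constructed 10.0.x.y addresses are hypothetical stand-ins for the per-host list begin_sniffer() assembles, sized so that a 25-host expression fits a 3072-byte buffer but not a 512-byte one.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Return codes for format_filter(). */
enum { FILTER_OK = 0, FILTER_TRUNCATED = -1, FILTER_ERROR = -2 };

/* Format a BPF filter expression into a caller-supplied buffer.
 * vsnprintf() never writes beyond bufsize bytes, and its return value
 * reports the full length the output would have had: a value >= bufsize
 * means the result was cut short, a negative value means a format error.
 * Checking only for a negative value (as the posted patch does) misses
 * the truncation case. */
static int format_filter(char *buf, size_t bufsize, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, bufsize, fmt, ap);
    va_end(ap);

    if (n < 0)
        return FILTER_ERROR;
    if ((size_t)n >= bufsize)
        return FILTER_TRUNCATED;  /* buf holds only the first bufsize-1 bytes */
    return FILTER_OK;
}

/* Build a "dst host A or dst host B ..." expression for nhosts constructed
 * 10.0.x.y addresses (a hypothetical stand-in for the per-host list that
 * begin_sniffer() assembles) and format it into out via format_filter(). */
static int build_host_filter(char *out, size_t outsize, int nhosts)
{
    char hosts[3072];   /* hypothetical size, mirroring pcap_filter */
    size_t used = 0;
    int i;

    hosts[0] = '\0';
    for (i = 0; i < nhosts; i++) {
        int n = snprintf(hosts + used, sizeof(hosts) - used,
                         "%sdst host 10.0.%d.%d", i ? " or " : "",
                         i / 256, i % 256);
        if (n < 0 || (size_t)n >= sizeof(hosts) - used)
            return FILTER_TRUNCATED;
        used += (size_t)n;
    }
    return format_filter(out, outsize, "icmp or (%s)", hosts);
}
```

A caller that treats FILTER_TRUNCATED as fatal, as the patch does for negative returns, never compiles a silently shortened filter.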
--------------------------------------------------------------------- For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org
Current thread:
- Nmap 3.70 crashing Ganga Bhavani (Sep 14)
- Re: Nmap 3.70 crashing Fyodor (Sep 15)