Nmap Development mailing list archives

Double free crash when using --iflist


From: Kris Katterjohn <katterjohn () gmail com>
Date: Thu, 28 Dec 2006 23:39:03 -0600

# nmap --iflist

Starting Nmap 4.21ALPHA1 ( http://insecure.org ) at 2006-12-28 23:22 CST
************************INTERFACES************************
DEV  (SHORT) IP/MASK TYPE     UP MAC
lo   (lo)    127.0.0.1/8loopback up
eth0 (eth0)  10.10.102.186/24ethernet up 00:0C:76:7D:90:33

*** glibc detected *** double free or corrupted (!prev): 0x08108968 ***
Aborted

---

Above is the output before the patch and further below is the output
after the patch.


I'm not at all familiar with the inner workings of NmapOutputTable, but
I have found that this thing appears to have something to do with the
'fullrow' stuff that was added between 4.20 and 4.21ALPHA1. I attached a
patch that basically removes the 'fullrow' stuff from the
addItem[Formatted]() functions and it doesn't crash anymore. Obviously
this is just a hack to show, perhaps just part of, the problem and not
something to be applied in its current form.

Thanks,
Kris Katterjohn

---

# nmap --iflist

Starting Nmap 4.21ALPHA1 ( http://insecure.org ) at 2006-12-28 23:23 CST
************************INTERFACES************************
DEV  (SHORT) IP/MASK          TYPE     UP MAC
lo   (lo)    127.0.0.1/8      loopback up
eth0 (eth0)  10.10.102.186/24 ethernet up 00:0C:76:7D:90:33

**************************ROUTES**************************
DST/MASK    DEV  GATEWAY
10.10.102.0 eth0
127.0.0.0   lo
0.0.0.0     eth0 10.10.102.1

--- x/NmapOutputTable.cc        2006-12-10 18:34:35.000000000 -0600
+++ y/NmapOutputTable.cc        2006-12-28 23:19:37.000000000 -0600
@@ -142,16 +142,7 @@ NmapOutputTable::~NmapOutputTable() {
 
 void NmapOutputTable::addItem(unsigned int row, unsigned int column, bool fullrow,
                                bool copy, const char *item, int itemlen) {
-  struct NmapOutputTableCell *cell;
-  int mc = maxColLen[column];
-  
   addItem(row, column, copy, item, itemlen);
-
-  maxColLen[column] = mc;
-  cell = getCellAddy(row, column);
-  cell->fullrow = fullrow;
-
-  return;
 }
 
 void NmapOutputTable::addItem(unsigned int row, unsigned int column, bool copy, const char *item, 
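Review bot: this hunk removes the fullrow feature instead of repairing it; after the change the `bool fullrow` parameter of this overload is never read, so every caller passing true silently loses the behaviour. The line that deserves the closest look is the removed `maxColLen[column] = mc;`: it undoes the column-width update the plain `addItem()` has just made, so a full-row item longer than the column is stored without the column being widened, which is exactly what the unpadded `127.0.0.1/8loopback` in the pre-patch output looks like. Note also that glibc's `double free or corruption (!prev)` message is raised when free() finds the neighbouring chunk's header overwritten, i.e. it usually signals a heap buffer overflow rather than a literal second free(). I would keep `cell = getCellAddy(row, column); cell->fullrow = fullrow;`, drop only the maxColLen save/restore, and then check that whatever sizes the `printableTable()` buffer accounts for full-row cells, rather than deleting the feature outright.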
@@ -192,8 +183,6 @@ void NmapOutputTable::addItemFormatted(u
                                          unsigned int column,
                                          bool fullrow,
                                          const char *fmt, ...) {
-  struct NmapOutputTableCell *cell;
-  int mc = maxColLen[column];
   unsigned int res;
   va_list ap; 
   va_start(ap,fmt);
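Review bot: the `cell` and `mc` locals dropped here were doing duplicate work: `addItemFormatted()` calls the `addItem(row, column, fullrow, ...)` overload (see the next hunk), which before this patch already saved `maxColLen`, restored it and set `cell->fullrow` itself, so the same restore ran twice for every formatted item. Removing the duplicate in this function is justified on its own and does not depend on also stripping the logic out of the overload.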
@@ -205,10 +194,6 @@ void NmapOutputTable::addItemFormatted(u
     fatal("NmapOutputTable only supports adding up to 4096 to a cell via addItemFormatString.");
 
   addItem(row, column, fullrow, true, buf, res);
-
-  maxColLen[column] = mc;
-  cell = getCellAddy(row, column);
-  cell->fullrow = fullrow;
 }
 
 // Returns the maximum size neccessary to create a printableTable() (the 
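Review bot: with the trailing restore gone, the only remaining use of `fullrow` in this function is the pass-through in `addItem(row, column, fullrow, true, buf, res);`, so once the first hunk is applied the argument is dead end to end; if this goes in as-is, a comment on the parameter (or removing it from both signatures) would stop readers from assuming full-row cells still work. Minor, in the unchanged context: the `fatal()` message names `addItemFormatString` while the function is `addItemFormatted`, and the comment below spells `necessary` as `neccessary`.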

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
