Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [PATCH] Experimental SCTP scan support

From: doug () hcsw org
Date: Sat, 3 Jan 2009 10:39:49 +0000
On Sat, Jan 03, 2009 at 03:48:09AM -0600 or thereabouts, Kris Katterjohn wrote:
...

*** buffer overflow detected ***: ./nmap terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7c44558]
/lib/tls/i686/cmov/libc.so.6[0xb7c42680]
/lib/tls/i686/cmov/libc.so.6(__strcpy_chk+0x44)[0xb7c41944]
./nmap(_Z15printportoutputP6TargetP8PortList+0x639)[0x8083569]
./nmap(_Z9nmap_mainiPPc+0x2099)[0x8061ea9]
./nmap(main+0x1e4)[0x805cdc4]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7b60685]
./nmap[0x805cb11]


For anyone not familiar with this error message, it is from a fairly
recent addition to gcc called _FORTIFY_SOURCE. Kris observed this
error because Ubuntu enables _FORTIFY_SOURCE=2 by default on all
gcc compiles, unlike many other linux distros.

_FORITFY_SOURCE does several things and you can read about it here:

http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

In this case, gcc has placed run-time checks on strcpy() invocations,
one of which I think is triggered by the following part of the patch:

-       strcpy(protocol,(current->proto == IPPROTO_TCP)? "tcp": "udp");
+       strcpy(protocol, IPPROTO2STR(current->proto));

This is in the function printportoutput() in output.cc. Looks
to me like the problem is that protocol[] is defined as such:

  char protocol[4];

so "sctp\0" is one too many to fit into this buffer.

Hope this helps,

Doug

Attachment: _bin
Description: 


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Previous By Date Next
Previous By Thread Next

Current thread: