Nmap Development mailing list archives

Re: bugfix: "uninitialized UserArray/PassArray"


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Sat, 19 Jun 2010 02:03:23 +0300

On 06/18/2010 02:02 AM, Robin Krom wrote:
> Hi,
> I think there's a minor bug in ncrack revision 18218 that causes ncrack to throw the
> fatal error "uninitialized UserArray/PassArray" and shut down.

Hello Robin,
can you please specify how to reproduce this kind of fatal error? So far, I
haven't seen this in any cracking session. What were the command-line
options with which you invoked Ncrack?
Did you try to reproduce the above error after applying your patch and was
it fixed that way?


> the bug is in the lines 2061 - 2064 of ncrack.cc:
>
>   if (SG->last_accessed == SG->services_active.end())
>     li = SG->services_active.begin();
>   else
>     li = SG->last_accessed++;
>
> here SG->last_accessed is checked whether it points to the end of the
> list SG->services_active. However, if it points to the element exactly
> before the end, the iterator li will be assigned with
> SG->last_accessed++, and thus li will point to the end of the list. li
> is not checked further afterwards.

This is not true.
li = SG->last_accessed++ uses a postfix increment operation which would be
equivalent to doing this:

li = SG->last_accessed;
SG->last_accessed++;

This means that when 'li' is assigned the element just *before* the end of
the list, then 'last_accessed' will point to the end of the list, and will
subsequently be checked at the beginning of the if condition, when the loop
starts again inside ncrack_probes(), thus setting 'li' to
SG->services_active.begin().


Regards,
ithilgore


-- 
http://sock-raw.org
http://twitter.com/ithilgore
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
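The disagreement above comes down to what a postfix increment on a std::list iterator returns. The following is an added example, not code from Ncrack or from either poster: it reproduces the quoted two-branch selection over a constructed list of three service names, walks it several rounds to show that the chosen iterator never lands on end(), and contrasts it with a prefix increment, which would behave the way the bug report describes. The ServiceGroup struct, the service names, and the way the cursor is re-parked after a wrap-around (std::next of the chosen element) are assumptions of this model; the message does not show how ncrack_probes() moves last_accessed after that branch.

```cpp
#include <iostream>
#include <iterator>
#include <list>
#include <string>
#include <vector>

// Hypothetical stand-in for the parts of Ncrack's ServiceGroup that the
// quoted lines touch: the active-service list and a round-robin cursor.
struct ServiceGroup {
    std::list<std::string> services_active;
    std::list<std::string>::iterator last_accessed;

    explicit ServiceGroup(std::initializer_list<std::string> names)
        : services_active(names), last_accessed(services_active.end()) {}
};

using SvcIter = std::list<std::string>::iterator;

// Same two-branch selection as the quoted ncrack.cc lines. The postfix ++
// hands the cursor's OLD position to 'li' and only then advances the cursor,
// so 'li' always refers to a real element; it is 'last_accessed' that may
// become end(), and the first branch catches that on the next call.
SvcIter select_next(ServiceGroup &SG) {
    SvcIter li;
    if (SG.last_accessed == SG.services_active.end()) {
        li = SG.services_active.begin();
        // Assumption of this model only: after a wrap-around, park the
        // cursor on the element following the one just chosen.
        SG.last_accessed = std::next(li);
    } else {
        li = SG.last_accessed++;
    }
    return li;
}

// Run the selection 'rounds' times and record which service was chosen.
// "<end>" would mark the condition the bug report worried about.
std::vector<std::string> walk(ServiceGroup &SG, int rounds) {
    std::vector<std::string> chosen;
    for (int i = 0; i < rounds; ++i) {
        SvcIter li = select_next(SG);
        if (li == SG.services_active.end())
            chosen.push_back("<end>");
        else
            chosen.push_back(*li);
    }
    return chosen;
}

// Contrast: with a PREFIX increment the report's reading would be correct.
// With the cursor on the last element, ++cursor yields end().
bool prefix_increment_yields_end(ServiceGroup &SG) {
    SG.last_accessed = std::prev(SG.services_active.end());
    SvcIter li = ++SG.last_accessed;
    return li == SG.services_active.end();
}

// Constructed sample data (not from a real Ncrack run) for the two checks.
std::vector<std::string> demo_walk() {
    ServiceGroup SG{"ssh", "ftp", "telnet"};
    return walk(SG, 7);
}

bool demo_prefix() {
    ServiceGroup SG{"ssh", "ftp", "telnet"};
    return prefix_increment_yields_end(SG);
}

int main() {
    for (const std::string &s : demo_walk())
        std::cout << s << ' ';
    std::cout << "\nprefix ++ reaches end(): " << std::boolalpha
              << demo_prefix() << '\n';
    return 0;
}
```

Seven rounds over three services yield ssh, ftp, telnet, ssh, ftp, telnet, ssh with no "<end>" entry: the round in which telnet is chosen leaves last_accessed at end(), and the following call takes the begin() branch exactly as the reply explains.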

