Re: Unbounded memory use in drda-info

[Patrik Karlsson <patrik () cqure net>]

On May 9, 2011, at 5:05 AM, Sebastian Dragomir wrote:

> I found that the problem originates in drda.lua, lines 271-275.
> Script gets stuck in this loop forever because "data" is less than 4
> characters so "pos" will always be -1 due to line 323.
> This is because recv does not read all the needed bytes on line 255 due to
> the EOF.
>
> receive_bytes does not seem to guarantee it will return a minimum n bytes
> even though the wording in its documentation might suggest so.
> It sets NSE_STATUS_SUCCESS even when not all bytes have been received in
> nsock/src/nsock_core.c line 736, which may or may not be intended for
> receive_bytes.
>
> Here is a patch for drda.lua.

I tested the patch and it worked great. Thanks!
I copy-pasted it into the remaining 6 libraries as the code should be the same.
It's all commited as r23130.

> Thanks,
> Sebastian


//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/