Nmap Development mailing list archives

Parfait analysis of nmap 6.25


From: Rich Burridge <rich.burridge () oracle com>
Date: Mon, 10 Dec 2012 08:10:15 -0800

Hi,

I'm in the process of updating the version of nmap that's in
the Oracle Solaris O/S to 6.25. Part of this update requires
a security audit, including running the Parfait static code analysis
tool on the nmap code.

For more information on parfait, see the paper:

  http://labs.oracle.com/projects/downunder/publications/pepm09.pdf

Anyhoo, parfait found the following errors:

Error: Null pointer dereference (CWE 476)
   Read from null pointer 'fdn'
        at line 328 of components/nmap/build/amd64/ncat/ncat_core.c in function 'blocking_fdinfo_send'.
          Function 'get_fdinfo' may return constant 'NULL' at line 615, called at line 366 in function 'ncat_broadcast'.
          Constant 'NULL' passed into function 'blocking_fdinfo_send', argument 'fdn', from call at line 367.
          Null pointer introduced at line 615 of components/nmap/build/amd64/ncat/util.c in function 'get_fdinfo'.
        at line 330 of components/nmap/build/amd64/ncat/ncat_core.c in function 'blocking_fdinfo_send'.
          Function 'get_fdinfo' may return constant 'NULL' at line 615, called at line 366 in function 'ncat_broadcast'.
          Constant 'NULL' passed into function 'blocking_fdinfo_send', argument 'fdn', from call at line 367.
          Null pointer introduced at line 615 of components/nmap/build/amd64/ncat/util.c in function 'get_fdinfo'.
--------
Error: Null pointer dereference (CWE 476)
   Read from null pointer 'fdn'
        at line 946 of components/nmap/build/amd64/ncat/ncat_listen.c in function 'shutdown_sockets'.
          Function 'get_fdinfo' may return constant 'NULL' at line 615, called at line 945.
          Null pointer introduced at line 615 of components/nmap/build/amd64/ncat/util.c in function 'get_fdinfo'.
--------
Error: File Leak
   File Descriptor Leak: Leaked File Descriptor s
        at line 522 of components/nmap/build/amd64/ncat/ncat_proxy.c in function 'handle_connect'.
          s initialized at line 450 with Socket
          s leaks when socket_errno() != 0 at line 478.
--------
Error: Null pointer dereference (CWE 476)
   Read from null pointer '((int*)&Target::v4hostip(tpreq->targ)->S_un)'
        at line 544 of components/nmap/build/amd64/nmap_dns.cc in function 'process_result(unsigned int, char*, int, unsigned short)'.
          Function 'Target::v4hostip() const' may return constant 'NULL' at line 285, called at line 544.
          Null pointer introduced at line 285 of components/nmap/build/amd64/Target.cc in function 'Target::v4hostip() const'.
--------
Error: Null pointer dereference (CWE 476)
   Read from null pointer '((int*)&Target::v4hostip((*hostI))->S_un)'
        at line 1189 of components/nmap/build/amd64/nmap_dns.cc in function 'nmap_mass_rdns_core(Target**, int)'.
          Function 'Target::v4hostip() const' may return constant 'NULL' at line 285, called at line 1189.
          Null pointer introduced at line 285 of components/nmap/build/amd64/Target.cc in function 'Target::v4hostip() const'.
--------
Error: Buffer overrun
   Read outside array bounds (CWE 125): In pointer dereference of ipids[(i - 1)] with index '(i - 1)'
      Pointer size is 6 elements (of 4 bytes each), index is 29
        at line 232 of components/nmap/build/amd64/osscan2.cc in function 'get_ipid_sequence(int, int*, int)'.
          called at line 504 of components/nmap/build/amd64/idle_scan.cc in function 'initialize_idleproxy(idle_proxy_info*, char*, in_addr const*, scan_lists const*)' with ipids = ipids.
        at line 235 of components/nmap/build/amd64/osscan2.cc in function 'get_ipid_sequence(int, int*, int)'.
          called at line 504 of components/nmap/build/amd64/idle_scan.cc in function 'initialize_idleproxy(idle_proxy_info*, char*, in_addr const*, scan_lists const*)' with ipids = ipids.
        at line 236 of components/nmap/build/amd64/osscan2.cc in function 'get_ipid_sequence(int, int*, int)'.
          called at line 504 of components/nmap/build/amd64/idle_scan.cc in function 'initialize_idleproxy(idle_proxy_info*, char*, in_addr const*, scan_lists const*)' with ipids = ipids.
        at line 238 of components/nmap/build/amd64/osscan2.cc in function 'get_ipid_sequence(int, int*, int)'.
          called at line 504 of components/nmap/build/amd64/idle_scan.cc in function 'initialize_idleproxy(idle_proxy_info*, char*, in_addr const*, scan_lists const*)' with ipids = ipids.
--------
Error: Buffer overrun
   Read outside array bounds (CWE 125): In pointer dereference of ipids[i] with index 'i'
      Pointer size is 6 elements (of 4 bytes each), index is 30
        at line 232 of components/nmap/build/amd64/osscan2.cc in function 'get_ipid_sequence(int, int*, int)'.
          called at line 504 of components/nmap/build/amd64/idle_scan.cc in function 'initialize_idleproxy(idle_proxy_info*, char*, in_addr const*, scan_lists const*)' with ipids = ipids.
        at line 235 of components/nmap/build/amd64/osscan2.cc in function 'get_ipid_sequence(int, int*, int)'.
          called at line 504 of components/nmap/build/amd64/idle_scan.cc in function 'initialize_idleproxy(idle_proxy_info*, char*, in_addr const*, scan_lists const*)' with ipids = ipids.
        at line 236 of components/nmap/build/amd64/osscan2.cc in function 'get_ipid_sequence(int, int*, int)'.
          called at line 504 of components/nmap/build/amd64/idle_scan.cc in function 'initialize_idleproxy(idle_proxy_info*, char*, in_addr const*, scan_lists const*)' with ipids = ipids.
        at line 238 of components/nmap/build/amd64/osscan2.cc in function 'get_ipid_sequence(int, int*, int)'.
          called at line 504 of components/nmap/build/amd64/idle_scan.cc in function 'initialize_idleproxy(idle_proxy_info*, char*, in_addr const*, scan_lists const*)' with ipids = ipids.
--------
Error: Null pointer dereference (CWE 476)
   Read from null pointer 'hsi'
        at line 459 of components/nmap/build/amd64/osscan2.cc in function 'doSeqTests(OsScanInfo*, HostOsScan*)'.
          Function 'OsScanInfo::nextIncompleteHost()' may return constant 'NULL' at line 3398, called at line 458.
          Null pointer introduced at line 3398 in function 'OsScanInfo::nextIncompleteHost()'.
--------
Error: Null pointer dereference (CWE 476)
   Read from null pointer 'hsi'
        at line 629 of components/nmap/build/amd64/osscan2.cc in function 'doTUITests(OsScanInfo*, HostOsScan*)'.
          Function 'OsScanInfo::nextIncompleteHost()' may return constant 'NULL' at line 3398, called at line 628.
          Null pointer introduced at line 3398 in function 'OsScanInfo::nextIncompleteHost()'.
--------
Error: Null pointer dereference (CWE 476)
   Read from null pointer '((int*)&Target::v4hostip(hss->target)->S_un)'
        at line 2112 of components/nmap/build/amd64/osscan2.cc in function 'HostOsScan::send_closedudp_probe(HostOsScanStats*, int, unsigned short, unsigned short)'.
          Function 'Target::v4hostip() const' may return constant 'NULL' at line 285, called at line 2112.
          Null pointer introduced at line 285 of components/nmap/build/amd64/Target.cc in function 'Target::v4hostip() const'.
--------
Error: Null pointer dereference (CWE 476)
   Read from null pointer '((int*)&Target::v4hostip((*std::_List_iterator<HostOsScanInfo*>::operator*(&hostI))->target)->S_un)'
        at line 3383 of components/nmap/build/amd64/osscan2.cc in function 'OsScanInfo::findIncompleteHost(sockaddr_storage*)'.
          Function 'Target::v4hostip() const' may return constant 'NULL' at line 285, called at line 3383.
          Null pointer introduced at line 285 of components/nmap/build/amd64/Target.cc in function 'Target::v4hostip() const'.
--------
Error: Null pointer dereference (CWE 476)
   Read from null pointer 'port'
        at line 344 of components/nmap/build/amd64/portlist.cc in function 'PortList::setServiceProbeResults(unsigned short, int, serviceprobestate, char const*, service_tunnel_type, char const*, char const*, char const*, char const*, char const*, char const*, std::vector<char const*, std::allocator<char const*> > const*, char const*)'.
          Function 'PortList::createPort(unsigned short, unsigned char)' may return constant 'NULL' at line 671, called at line 343.
          Null pointer introduced at line 671 in function 'PortList::createPort(unsigned short, unsigned char)'.
--------
Error: Null pointer dereference (CWE 476)
   Write to null pointer 'current'
        at line 520 of components/nmap/build/amd64/portlist.cc in function 'PortList::setPortState(unsigned short, unsigned char, int)'.
          Function 'PortList::createPort(unsigned short, unsigned char)' may return constant 'NULL' at line 671, called at line 518.
          Null pointer introduced at line 671 in function 'PortList::createPort(unsigned short, unsigned char)'.
--------
Error: Null pointer dereference (CWE 476)
   Write to null pointer 'answer'
        at line 880 of components/nmap/build/amd64/portlist.cc in function 'PortList::setStateReason(unsigned short, unsigned char, unsigned short, unsigned char, sockaddr_storage const*)'.
          Function 'PortList::createPort(unsigned short, unsigned char)' may return constant 'NULL' at line 671, called at line 877.
          Null pointer introduced at line 671 in function 'PortList::createPort(unsigned short, unsigned char)'.
        at line 885 of components/nmap/build/amd64/portlist.cc in function 'PortList::setStateReason(unsigned short, unsigned char, unsigned short, unsigned char, sockaddr_storage const*)'.
          Function 'PortList::createPort(unsigned short, unsigned char)' may return constant 'NULL' at line 671, called at line 877.
          Null pointer introduced at line 671 in function 'PortList::createPort(unsigned short, unsigned char)'.
--------
Error: Null pointer dereference (CWE 476)
   Read from null pointer 'ServiceNFO::currentProbe(this)'
        at line 1813 of components/nmap/build/amd64/service_scan.cc in function 'ServiceNFO::currentprobe_timemsleft(timeval const*)'.
          Function 'ServiceNFO::currentProbe()' may return constant 'NULL' at line 1707, called at line 1813.
          Null pointer introduced at line 1707 in function 'ServiceNFO::currentProbe()'.
--------

You might wish to review them and see if they are real problems that
need addressing (as opposed to false positives).

Thanks.
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
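Most of the findings above share one shape: a lookup that can return NULL (get_fdinfo, Target::v4hostip, PortList::createPort, ServiceNFO::currentProbe) feeding a caller that dereferences the result without a check. The following C example is added here and is my own constructed model, not ncat's or nmap's code; the fd table, fdinfo_send and both broadcast loops are hypothetical stand-ins that show the unchecked caller beside the hardened one, which is the form the triage of each CWE-476 report comes down to.

```c
#include <stddef.h>
/* Constructed model of an ncat-style fd table (added example, not ncat's code):
 * lookups by descriptor number return NULL for an unregistered fd, the
 * "may return constant NULL" return Parfait traces into each unchecked caller. */
#define MAX_FDS 8

struct fdinfo { int fd; int nsent; };
struct fdlist { struct fdinfo entries[MAX_FDS]; int nfds; int fdmax; };
/* Returns the record for fd, or NULL when fd is not registered. */
struct fdinfo *get_fdinfo(struct fdlist *list, int fd) {
    for (int i = 0; i < list->nfds; i++)
        if (list->entries[i].fd == fd)
            return &list->entries[i];
    return NULL;
}

int add_fdinfo(struct fdlist *list, int fd) {
    if (list->nfds >= MAX_FDS) return -1;
    list->entries[list->nfds].fd = fd;
    list->entries[list->nfds].nsent = 0;
    list->nfds++;
    if (fd > list->fdmax) list->fdmax = fd;
    return 0;
}

/* Stand-in for blocking_fdinfo_send: counts bytes instead of writing them. */
static int fdinfo_send(struct fdinfo *fdn, size_t len) {
    fdn->nsent += (int)len;   /* dereferences fdn unconditionally */
    return (int)len;
}

/* Unchecked broadcast: any gap in 0..fdmax (a closed or never-registered fd)
 * hands NULL to fdinfo_send, the CWE-476 pattern reported above. */
int broadcast_unchecked(struct fdlist *list, size_t len) {
    int delivered = 0;
    for (int fd = 0; fd <= list->fdmax; fd++)
        if (fdinfo_send(get_fdinfo(list, fd), len) > 0) delivered++;
    return delivered;
}

/* Hardened broadcast: a NULL lookup means "not a tracked client", skip it. */
int broadcast_checked(struct fdlist *list, size_t len) {
    int delivered = 0;
    for (int fd = 0; fd <= list->fdmax; fd++) {
        struct fdinfo *fdn = get_fdinfo(list, fd);
        if (fdn == NULL) continue;
        if (fdinfo_send(fdn, len) > 0) delivered++;
    }
    return delivered;
}
```

With descriptors 3 and 5 registered, broadcast_unchecked walks fds 0, 1, 2 and 4 into fdinfo_send with a NULL record, while broadcast_checked delivers to exactly the two tracked clients.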

