nmap 7.94 produces invalid XML output

[firefart]

Describe the bug
nmap 7.94 seems to produce invalid xml output. This happens when a service name has some special characters for example. In my case it only happened on port 445 so it might be related to the samba modules only. When loading such a XML with the perl nmap parser for example, you get an error about reference to invalid character number at ....

To Reproduce
Example XML parts:

<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="62"/><service name="0M&#xec;&#x1;" product="Samba smbd" version="3.6.23-53.el6_10" extrainfo="workgroup: REDACTED" method="probed" conf="10"><cpe>cpe:/a:samba:samba</cpe></service></port>

<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="122"/><service name="ife-biteP&#x1b;" product="Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds" ostype="Windows Server 2008 R2 - 2012" method="probed" conf="10"><cpe>cpe:/o:microsoft:windows</cpe></service></port>

 and so on is not allowed in XML and results in errors when trying to parse those files with xml libraries (perl for example)

Expected behavior
The service name should be in a CDATA section I believe

Version info (please complete the following information):

Nmap version 7.94 ( https://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: nmap-liblua-5.4.4 openssl-3.0.8 nmap-libssh2-1.10.0 nmap-libz-1.2.13 nmap-libpcre-7.6 nmap-libpcap-1.10.4 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

[dmiller-nmap]

Thanks for reporting this. The service name in this case should not be any of these things, so this is evidence of a different bug. However, I'm leaving this issue as-is because we can perhaps change the XML-escaping code to avoid including characters with these codes.

For reference: https://www.w3.org/TR/xml11/#charsets

[dmiller-nmap]

What is the command you used that produced the invalid characters in the service name? Can you try adding --script-args script-intensity=0 or --version-light and see if it changes?

[firefart]

This can be reproduced with nmap -sSV -A -p 445. Also the normal output is wrong so it looks like some smb script changed between 7.93 and 7.94 and produces some invalid output? (never had this issue on 7.93)

When using the 2 suggested parameters the service name is empty

[dmiller-nmap]

Thanks for the additional info. I can reproduce a similar buggy output with the simpler command: nmap --script smb-os-discovery -p 445

[dmiller-nmap]

Valgrind shows that there are multiple cases where data is being read from a block previously freed during NSE garbage collection. Most likely, all the strings set as part of nmap.set_port_version() are being freed as a result of the new garbage collection in Lua 5.4. They need to be separately allocated from Nmap's own string pool or referenced in some way so that Lua doesn't collect them.

[gudoshnikovn]

Hi!
I ran into the same problem.
Judging by the attached commit, it has already been fixed. And judging by the code, it has only been fixed since release 7.95. I updated the nmap version to the current one (7.98) until I encountered a repeat error.

Perhaps it's worth closing this issue?