Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixed undefined behavior in netmask generation #1717 #1718

Closed
wants to merge 1 commit into from
Closed

Fixed undefined behavior in netmask generation #1717 #1718

wants to merge 1 commit into from

Conversation

rfrohl
Copy link

@rfrohl rfrohl commented Aug 28, 2019

Tested this change on x86_64, i586, ppc, ppc64, ppc64le, aarch64 and s390x. Unit tests passed successfully on these architectures.

Also played around with the test binary (addrset) a bit and could not find any obvious problems with the change.

nnposter
nnposter reviewed Aug 31, 2019
View changes
Copy link

@nnposter nnposter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Over at #1717 I have proposed an alternate patch, which also disposes of the rather complex arithmetic in the original code.

nbase/nbase_addrset.c
@@ -500,7 +500,7 @@ static int sockaddr_to_mask (const struct sockaddr *sa, int bits, u32 *mask)
mask[i] = 0;
}
else {
mask[i] = ~((1 << (unmasked_bits - (32 * (4 - i)))) - 1);
mask[i] = ~(0xffffffff % (1 << unmasked_bits));
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This code suffers from a similar issue as the original one: There is no guaranteed outcome when unmasked_bits exceeds 31. As an example:

#include <stdio.h>
void main ()
{
int m=32;
printf("%08x\n%08x\n",(0xFFFFFFFF<<(m-1)<<1),(0xFFFFFFFF<<m));
}

When compiled with GCC on Ubuntu 18.04 x64:

$ ./a.out 
00000000
ffffffff

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assumed that it would hit another branch if unmasked_bits is a multiple of 32. But I my understanding of how mask is used in the rest of the code is limited, so I might miss something here.

Will test the other patch from the ticket on Monday

@nnposter nnposter self-assigned this Aug 31, 2019
@nmap-bot nmap-bot closed this in 9e8852a Sep 3, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nnposter nnposter nnposter left review comments

Assignees

@nnposter nnposter

Labels
bug Nmap
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@rfrohl @nnposter