
Fix off-by-one overflow in the IP protocol table #2900

Closed

Conversation

nnposter

@nnposter nnposter commented Aug 4, 2024

The PR contains the following:

  • Fixes protocol_table being defined one element short, which can result in out-of-bounds write. See
    static struct nprotoent *protocol_table[UCHAR_MAX];
    and
    if (res !=2 || protno > UCHAR_MAX) {
  • Fixes assertion that prevents out-of-bounds read from the same table, but is actually one off. This has been documented in Assertion failure with IP protocol scan #2896. See
    assert(num >= 0 && num < UCHAR_MAX);
  • Implements a new constant, representing the largest allowed IP protocol number, to replace hard-coded integers and other abstractions throughout the Nmap code base. A constant with the same meaning is already defined in libdnet-stripped, but buried relatively deep in includes, so the decision was made to create a new one directly in protocols.h.

The PR does not cover IP protocol handling in Nping.

The PR will be committed after August 25, 2024, unless concerns are raised.
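An added illustration of the sizing bug described above, not code from the PR or from Nmap: a protocol table that has to hold every number 0..255 needs UCHAR_MAX + 1 slots, and both the loader's range check and the lookup's bound must use "> max" / "<= max" rather than "< UCHAR_MAX". The constant, struct and function names below are assumptions, not the ones the PR introduces.

```c
/* Added example (not Nmap's code). Names are hypothetical stand-ins. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical constant standing in for the one the PR adds to protocols.h:
 * the largest IP protocol number, which is 255 (UCHAR_MAX). */
#define MAX_IPPROTO_EXAMPLE UCHAR_MAX

struct nprotoent_example {
    char name[32];
    int  number;
};

/* One slot per protocol number 0..255 inclusive, so UCHAR_MAX + 1 entries.
 * A table declared with only [UCHAR_MAX] entries has no slot for index 255,
 * which is exactly the value the loader's "protno > UCHAR_MAX" check lets in. */
static struct nprotoent_example  storage[MAX_IPPROTO_EXAMPLE + 1];
static struct nprotoent_example *table[MAX_IPPROTO_EXAMPLE + 1];

/* Parses a "name number" line the way a protocols file loader would.
 * Returns 0 on success, -1 if the line is malformed or the number is out of
 * range. Rejecting only "protno > max" is correct once the table has max+1
 * slots; the same check against an undersized table is the off-by-one. */
int parse_protocol_line(const char *line) {
    char name[32];
    long protno;
    int res = sscanf(line, "%31s %ld", name, &protno);
    if (res != 2 || protno < 0 || protno > MAX_IPPROTO_EXAMPLE)
        return -1;
    snprintf(storage[protno].name, sizeof storage[protno].name, "%s", name);
    storage[protno].number = (int)protno;
    table[protno] = &storage[protno];
    return 0;
}

/* Lookup by number. The bound is "num <= max" (equivalently num < max + 1);
 * an assertion of "num < UCHAR_MAX" would wrongly reject protocol 255. */
const struct nprotoent_example *lookup_protocol(int num) {
    if (num < 0 || num > MAX_IPPROTO_EXAMPLE)
        return NULL;                 /* out of range: never index the table */
    return table[num];               /* may be NULL if the number was not loaded */
}

/* True when num is a valid protocol number that an UCHAR_MAX-sized table
 * could not hold: only 255 qualifies, which is the case this PR fixes. */
int undersized_table_misses(int num) {
    return num >= 0 && num <= MAX_IPPROTO_EXAMPLE && num >= UCHAR_MAX;
}
```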

@dmiller-nmap

Looks good to me. Thanks!

@fyodor
Member

fyodor commented Aug 5, 2024

Thanks @nnposter! Please do merge.

@nnposter
Author

nnposter commented Aug 8, 2024

Committed as r38951.

@nmap-bot nmap-bot closed this in efa0dc3 Aug 8, 2024