From 884bde1d7277cb8f3d9bd6241587d5e3e43fc028 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Wed, 15 Apr 2026 21:28:35 +0000
Subject: [PATCH] Fix out-of-bounds access in Nping EchoClient

---
 CHANGELOG | 4 ++++
 nping/EchoClient.cc | 16 ++++++++++------
 nping/EchoHeader.cc | 7 ++++++-
 3 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index a7276394b..7abbbf90f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 #Nmap Changelog ($Id$); -*-text-*-
+o Fix a out-of-bounds access in Nping Echo client allowing a malicious Nping
+ EchoServer to zero 32 bytes of memory outside the packet buffer. Reported by
+ Harshit Gupta. [Daniel Miller]
+
 o Fix a 1-byte overrun (read) while reading certain crafted DNS labels, reported by Peter Parker. [Daniel Miller]
diff --git a/nping/EchoClient.cc b/nping/EchoClient.cc
index cf4184fa8..494ad007f 100644
--- a/nping/EchoClient.cc
+++ b/nping/EchoClient.cc
@@ -593,15 +593,19 @@ int EchoClient::parse_echo(u8 *pkt, size_t pktlen){
 // return OP_FAILURE;
 //}
-// /* Ensure message length is correct */
-// if( h.getTotalLength()!=(pktlen/4)){
-// nping_print(DBG_1, "Received NEP_ECHO specifies an incorrect length (%u)", h.getTotalLength()*4 );
-// return OP_FAILURE;
-// }
+ nping_print(DBG_1, "Received NEP_ECHO pktlen %lu, getTotalLength %u", pktlen, h.getTotalLength()*4 );
+ /* Ensure message length is correct */
+ if( h.getTotalLength()!=(pktlen/4)){
+ nping_print(DBG_1, "Received NEP_ECHO specifies an incorrect length (%u)", h.getTotalLength()*4 );
+ return OP_FAILURE;
+ }
 /* Fix the object's internal state, since the ECHO message was not created
 * by the object but from received data. */
- h.updateEchoInternals();
+ if (h.updateEchoInternals() != OP_SUCCESS) {
+ nping_print(DBG_1, "NEP_ECHO length check failed");
+ return OP_FAILURE;
+ }
 /* Check the authenticity of the received message */
 if( h.verifyMessageAuthenticationCode(this->ctx.getMacKeyS2C(), MAC_KEY_LEN )!=OP_SUCCESS ){
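Review bot: The re-enabled check `if( h.getTotalLength()!=(pktlen/4)){` is still satisfied by a pktlen that is not a multiple of 4, because the integer division silently discards up to three trailing bytes; `if( pktlen % 4 != 0 || h.getTotalLength()!=(pktlen/4)){` makes the "length is correct" comment actually hold. The new debug line passes `pktlen`, a `size_t`, to `%lu`, which is a type mismatch on LLP64 and 32-bit builds; `%zu` is the portable conversion. The `// return OP_FAILURE;` / `//}` context lines suggest the minimum-length check above this hunk is still commented out, so whether `h.getTotalLength()` can read past a very short pkt depends on how `h` was populated earlier in parse_echo, which begins and ends outside the hunk and is worth confirming.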
diff --git a/nping/EchoHeader.cc b/nping/EchoHeader.cc
index 65c5cb329..5ed7d2af3 100644
--- a/nping/EchoHeader.cc
+++ b/nping/EchoHeader.cc
@@ -773,7 +773,7 @@ int EchoHeader::setPacketLength(u16 len){
 u16 EchoHeader::getPacketLength(){
 return ntohs(this->data_echo->packet_len);
-} /* End of setPacketLength() */
+} /* End of getPacketLength() */
 int EchoHeader::setEchoedPacket(const u8 *pkt, size_t pktlen){
@@ -824,6 +824,11 @@ int EchoHeader::updateEchoInternals(){
 if( this->getMessageType()!=TYPE_NEP_ECHO ) return OP_FAILURE;
+ int totallen = this->getTotalLength() * 4;
+ int packetlen = this->getPacketLength();
+ if ((totallen - STD_NEP_HEADER_LEN - ECHOED_PKT_HEADER_LEN - MAC_LENGTH) < packetlen) {
+ return OP_FAILURE;
+ }
 /* Fix echo bytes length */
 this->echo_bytes=this->getPacketLength();
 if((this->echo_bytes+4)%16!=0){
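Review bot: The new guard `if ((totallen - STD_NEP_HEADER_LEN - ECHOED_PKT_HEADER_LEN - MAC_LENGTH) < packetlen) {` only works while the subtraction stays signed: `totallen` is an `int`, but if any of the three length macros expands to an unsigned or `sizeof`-derived value the whole expression is promoted to unsigned, a short `totallen` wraps to a large value and the guard passes. Writing it as `if (totallen < STD_NEP_HEADER_LEN + ECHOED_PKT_HEADER_LEN + MAC_LENGTH + packetlen) {` avoids the subtraction and holds regardless of how the macros are typed. The check bounds the raw `packetlen`, while the code immediately below pads `echo_bytes` up to a 16-byte boundary (`(this->echo_bytes+4)%16`); if that padded length is what is later written or zeroed, the bound should be applied to the padded value as well. updateEchoInternals continues past the end of the hunk, so that cannot be confirmed from here.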