From 91ea799a8bb78af307bb21bd1167fff72c2527a4 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Thu, 30 Apr 2026 22:02:00 +0000
Subject: [PATCH] Ensure null termination on copied strings

---
 CHANGELOG | 5 ++++-
 idle_scan.cc | 11 ++++-------
 nbase/inet_ntop.c | 2 +-
 output.cc | 8 ++++----
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 32d2e7378..2d42dac1e 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,11 +1,14 @@
 #Nmap Changelog ($Id$); -*-text-*-
+o Fix a crash when writing long CPE strings to output. Reported by Harshit
+ Gupta. [Daniel Miller]
+
 o [Ncat] Fix several cases where Ncat's SOCKS5 client could interpret uninitialized data as protocol data, triggered by a malicious SOCKS5 proxy server. No code execution or application crash is possible. Reported by Govind Pratap Singh. [Daniel Miller]
-o Fix a out-of-bounds access in Nping Echo client allowing a malicious Nping
+o [Nping] Fix a out-of-bounds access in Nping Echo client allowing a malicious Nping
 EchoServer to zero 32 bytes of memory outside the packet buffer. Reported by Harshit Gupta. [Daniel Miller]
diff --git a/idle_scan.cc b/idle_scan.cc
index 84ef09e3f..200aeeda2 100644
--- a/idle_scan.cc
+++ b/idle_scan.cc
@@ -522,17 +522,14 @@ static void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName,
 if (o.af() == AF_INET && q != NULL ) {
 /* I'm lazy, using a size_t we already had around */
 sslen = MIN(strcspn(proxyName,":"), sizeof(name) - 1);
- strncpy(name, proxyName, sslen);
- /* Ensure NULL termination */
- name[sslen] = '\0';
+ Strncpy(name, proxyName, sslen);
 } else if (o.af() == AF_INET6 && strchr(proxyName, '[') != NULL && strchr(proxyName, ']') != NULL) {
 sslen = MIN(strcspn(proxyName,"]") - strcspn(proxyName, "[") - 1, sizeof(name) - 1);
- strncpy(name, strchr(proxyName, '[') + 1, sslen);
- name[sslen] = '\0';
+ Strncpy(name, strchr(proxyName, '[') + 1, sslen);
 } else
- strncpy(name, proxyName, sizeof(name));
+ Strncpy(name, proxyName, sizeof(name));
 if (q) {
 q++;
@@ -1357,7 +1354,7 @@ void idle_scan(Target *target, u16 *portarray, int numports,
 /* If this is the first call, */
 if (!*lastproxy) {
 initialize_idleproxy(&proxy, proxyName, target, ports);
- strncpy(lastproxy, proxyName, sizeof(lastproxy));
+ Strncpy(lastproxy, proxyName, sizeof(lastproxy));
 }
 /* If we don't have timing infoz for the new target, we'll use values
diff --git a/nbase/inet_ntop.c b/nbase/inet_ntop.c
index da2562345..a4bf40b70 100644
--- a/nbase/inet_ntop.c
+++ b/nbase/inet_ntop.c
@@ -247,7 +247,7 @@ inet_ntop6(const unsigned char *src, char *dst, size_t size)
 #endif
 return (NULL);
 }
- strncpy(dst, tmp, size);
+ Strncpy(dst, tmp, size);
 return (dst);
 }
 #endif
diff --git a/output.cc b/output.cc
index 5d962d754..aff3d96e4 100644
--- a/output.cc
+++ b/output.cc
@@ -2099,7 +2099,7 @@ void printserviceinfooutput(const Target *currenths) {
 if (!hostname_tbl[i][0]) {
 numhostnames++;
- strncpy(&hostname_tbl[i][0], sd.hostname, sizeof(hostname_tbl[i]));
+ Strncpy(&hostname_tbl[i][0], sd.hostname, sizeof(hostname_tbl[i]));
 break;
 }
 }
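Review bot: Both `Strncpy(name, proxyName, sslen)` calls in the first idle_scan.cc hunk pass the character count where the wrapper expects the destination size, so the copied prefix loses its last character: the removed lines copied sslen bytes and put the terminator at name[sslen], whereas a wrapper that guarantees termination within sslen bytes can keep at most sslen-1 of them (for `10.0.0.1:80` the AF_INET branch now yields `10.0.0.` instead of `10.0.0.1`). Unless Strncpy special-cases a size of 0, an sslen of 0 (a proxy name beginning with `:`, or `[]` in the AF_INET6 branch) also turns the terminator write into an access at index -1. Because sslen is already clamped to sizeof(name) - 1, passing one more byte restores the old contents and stays in bounds: `Strncpy(name, proxyName, sslen + 1);` and `Strncpy(name, strchr(proxyName, '[') + 1, sslen + 1);`. initialize_idleproxy starts before and continues after this hunk.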
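Review bot: The result of `Strncpy(dst, tmp, size)` in the nbase/inet_ntop.c hunk is discarded, so if the formatted address ever did not fit, inet_ntop6 would now return a silently shortened string rather than the NULL failure visible in the context lines just above. The length check that precedes this hunk presumably already guarantees that tmp and its terminator fit in size bytes, which makes the wrapper a belt-and-braces change here; if that is the intent, a comment such as `/* tmp is known to fit (checked above); Strncpy only guarantees the terminator */` would spare the next reader from asking whether truncation is reachable. inet_ntop6 begins outside the hunk.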
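Review bot: The return value of `Strncpy` is ignored in the output.cc hunk at line 2099 and likewise in the three later hunks for ostype_tbl, devicetype_tbl and cpe_tbl, so a string longer than a table row is now cut short with no record of it instead of overrunning the row. For cpe_tbl that means an over-long CPE can be printed as an identifier cut mid-field, and presumably it is the truncated copy that later entries are compared against, so two long CPEs sharing a prefix may collapse into one; checking the wrapper's truncation result and either noting it or skipping the entry would make the new behavior visible, e.g. `if (Strncpy(cpe_tbl[i], *it, sizeof(cpe_tbl[i])) != 0) { /* entry truncated: decide whether to keep it */ }`. On style, `&hostname_tbl[i][0]` (and the matching forms in the other hunks) is just `hostname_tbl[i]`. printserviceinfooutput starts before and continues after each of these hunks.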
@@ -2112,7 +2112,7 @@ void printserviceinfooutput(const Target *currenths) {
 if (!ostype_tbl[i][0]) {
 numostypes++;
- strncpy(&ostype_tbl[i][0], sd.ostype, sizeof(ostype_tbl[i]));
+ Strncpy(&ostype_tbl[i][0], sd.ostype, sizeof(ostype_tbl[i]));
 break;
 }
 }
@@ -2125,7 +2125,7 @@ void printserviceinfooutput(const Target *currenths) {
 if (!devicetype_tbl[i][0]) {
 numdevicetypes++;
- strncpy(&devicetype_tbl[i][0], sd.devicetype, sizeof(devicetype_tbl[i]));
+ Strncpy(&devicetype_tbl[i][0], sd.devicetype, sizeof(devicetype_tbl[i]));
 break;
 }
 }
@@ -2145,7 +2145,7 @@ void printserviceinfooutput(const Target *currenths) {
 if (!cpe_tbl[i][0]) {
 numcpes++;
- strncpy(&cpe_tbl[i][0], *it, sizeof(cpe_tbl[i]));
+ Strncpy(&cpe_tbl[i][0], *it, sizeof(cpe_tbl[i]));
 break;
 }
 }