Fixed a bug in --data-length parsing. User input was not being checked and in some cases that resulted in useless buffer allocations and unpredictable payload lengths. Check http://seclists.org/nmap-dev/2009/q2/0763.html for a complete description of the problem.

2026-06-19 15:08:40 +00:00 · 2009-07-04 21:15:13 +00:00 · 2009-07-04 21:15:13 +00:00 · 98aedb8d1c
commit 98aedb8d1c
parent 7da44a92ef
2 changed files with 11 additions and 7 deletions
--- a/nmap.cc
+++ b/nmap.cc
@ -900,13 +900,13 @@ int nmap_main(int argc, char *argv[]) {
 	o.setVersionTrace(true);
 	o.debugging++;
      } else if (optcmp(long_options[option_index].name, "data-length") == 0) {
-	o.extra_payload_length = atoi(optarg);
-	if (o.extra_payload_length < 0) {
-	  fatal("data-length must be greater than 0");
-	} else if (o.extra_payload_length > 0) {
-	  o.extra_payload = (char *) safe_malloc(o.extra_payload_length);
-	  get_random_bytes(o.extra_payload, o.extra_payload_length);
-	}
+    o.extra_payload_length = (int)strtoll( optarg, NULL, 10);
+    if (o.extra_payload_length < 1 || o.extra_payload_length > MAX_PAYLOAD_ALLOWED)
+      fatal("data-length must be between 1 and %d", MAX_PAYLOAD_ALLOWED);
+    if (o.extra_payload_length > 1400 ) /* 1500 - IP with opts - TCP with opts. */
+      error("WARNING: Payloads bigger than 1400 bytes may not be sent successfully.");
+    o.extra_payload = (char *) safe_malloc(o.extra_payload_length);
+    get_random_bytes(o.extra_payload, o.extra_payload_length);
      } else if (optcmp(long_options[option_index].name, "send-eth") == 0) {
 	o.sendpref = PACKET_SEND_ETH_STRONG;
      } else if (optcmp(long_options[option_index].name, "send-ip") == 0) {
--- a/nmap.h
+++ b/nmap.h
@ -399,6 +399,10 @@ void *realloc();
 #define MAXHOSTNAMELEN 64
 #endif

+/* Max payload: Worst case is IPv4 with 40bytes of options and TCP with 20
+ * bytes of options. */
+#define MAX_PAYLOAD_ALLOWED 65535-60-40
+
 #ifndef recvfrom6_t
 #  define recvfrom6_t int
 #endif