Check embedded IP header is within bounds. Credit: Himanshu Anand

2026-06-29 20:55:29 +00:00 · 2026-06-25 21:58:49 +00:00 · 2026-06-25 21:58:49 +00:00 · d8620dc11d
commit d8620dc11d
parent bb6754e76b
2 changed files with 8 additions and 1 deletions
--- a/4
+++ b/4
@ -1,5 +1,9 @@
 #Nmap Changelog ($Id$); -*-text-*-

+o Fixed several issues reported by Himanshu Anand: infinite loop in TCP options
+  parsing and out-of-bounds memory read in IPv4 OS detection; integer underflow
+  in IPv6 extension header processing; and undefined behavior in DNS label parsing.
+
 o [NSE][GH#3368] Fixed an out-of-memory issue in packet.lua when parsing a
  zero-length TCP header option. [Maxim Suhanov]

--- a/osscan2.cc
+++ b/osscan2.cc
@ -2922,7 +2922,10 @@ bool HostOsScan::processTUdpResp(HostOsScanStats *hss, const struct ip *ip, cons

  const u8 *ip2pkt = icmppkt + 8;
  memcpy(&ip2, ip2pkt, sizeof(ip2));
-  const u8 *udppkt = ip2pkt + 4 * ip2.ip_hl;
+  unsigned int ip2hlen = 4 * ip2.ip_hl;
+  if (icmplen < 8 + ip2hlen + sizeof(udp))
+    return false;
+  const u8 *udppkt = ip2pkt + ip2hlen;
  memcpy(&udp, udppkt, sizeof(udp));

  /* The ports should match. */