Check embedded IP header is within bounds. Credit: Himanshu Anand
parent
bb6754e76b
commit
d8620dc11d
2 changed files with 8 additions and 1 deletions
|
|
@ -1,5 +1,9 @@
|
|||
#Nmap Changelog ($Id$); -*-text-*-
|
||||
|
||||
o Fixed several issues reported by Himanshu Anand: infinite loop in TCP options
|
||||
parsing and out-of-bounds memory read in IPv4 OS detection; integer underflow
|
||||
in IPv6 extension header processing; and undefined behavior in DNS label parsing.
|
||||
|
||||
o [NSE][GH#3368] Fixed an out-of-memory issue in packet.lua when parsing a
|
||||
zero-length TCP header option. [Maxim Suhanov]
|
||||
|
||||
|
|
|
|||
|
|
@ -2922,7 +2922,10 @@ bool HostOsScan::processTUdpResp(HostOsScanStats *hss, const struct ip *ip, cons
|
|||
|
||||
const u8 *ip2pkt = icmppkt + 8;
|
||||
memcpy(&ip2, ip2pkt, sizeof(ip2));
|
||||
const u8 *udppkt = ip2pkt + 4 * ip2.ip_hl;
|
||||
unsigned int ip2hlen = 4 * ip2.ip_hl;
|
||||
if (icmplen < 8 + ip2hlen + sizeof(udp))
|
||||
return false;
|
||||
const u8 *udppkt = ip2pkt + ip2hlen;
|
||||
memcpy(&udp, udppkt, sizeof(udp));
|
||||
|
||||
/* The ports should match. */
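Review bot: The new length check bounds the UDP header copy from above but still accepts `ip2.ip_hl` values below 5, so for a malformed embedded header `udppkt` points back into the bytes already copied into `ip2`, and the port comparison that follows then runs on IP header bytes instead of UDP fields. Rejecting that case in the same guard would close it: `if (ip2.ip_hl < 5 || icmplen < 8 + ip2hlen + sizeof(udp)) return false;`. Separately, `memcpy(&ip2, ip2pkt, sizeof(ip2))` still runs before this check, so it depends on `icmplen >= 8 + sizeof(ip2)` having been established earlier in processTUdpResp or by its caller, which this hunk does not show; a short comment naming where that is guaranteed would make the invariant auditable. The function body starts before and continues after the hunk.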
|
||||
|
|
|
|||