Avoid careless dereferences outside the domain name buffer.
Part of this is
https://github.com/nmap/nmap/commit/3adaa69cb211b00f9bfc66263a56cbd87cc9e521
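Index: nmap_dns.cc
--- nmap_dns.cc.orig
+++ nmap_dns.cc
@@ -1352,7 +1352,7 @@ bool DNS::Factory::ptrToIp(const std::string &ptr, soc
 memset(&ip, 0, sizeof(sockaddr_storage));
 
 // Check whether the name ends with the IPv4 PTR domain
- if (NULL != (p = strcasestr(cptr + ptr.length() + 1 - sizeof(C_IPV4_PTR_DOMAIN), C_IPV4_PTR_DOMAIN)))
+ if (ptr.length() >= sizeof(C_IPV4_PTR_DOMAIN) - 1 && NULL != (p = strcasestr(cptr + ptr.length() + 1 - sizeof(C_IPV4_PTR_DOMAIN), C_IPV4_PTR_DOMAIN)))
 {
 struct sockaddr_in *ip4 = (struct sockaddr_in *)&ip;
 u8 place_value[] = {1, 10, 100};
@@ -1361,7 +1361,7 @@ bool DNS::Factory::ptrToIp(const std::string &ptr, soc
 size_t i = 0;
 
 p--;
- while (i < sizeof(ip4->sin_addr.s_addr))
+ while (p >= cptr && i < sizeof(ip4->sin_addr.s_addr))
 {
 if (*p == '.')
 {
@@ -1387,14 +1387,14 @@ bool DNS::Factory::ptrToIp(const std::string &ptr, soc
 ip.ss_family = AF_INET;
 }
 // If not, check IPv6
- else if (NULL != (p = strcasestr(cptr + ptr.length() + 1 - sizeof(C_IPV6_PTR_DOMAIN), C_IPV6_PTR_DOMAIN)))
+ else if (ptr.length() >= sizeof(C_IPV6_PTR_DOMAIN) - 1 && NULL != (p = strcasestr(cptr + ptr.length() + 1 - sizeof(C_IPV6_PTR_DOMAIN), C_IPV6_PTR_DOMAIN)))
 {
 struct sockaddr_in6 *ip6 = (struct sockaddr_in6 *)&ip;
 u8 alt = 0;
 size_t i=0;
 
 p--;
- while (i < sizeof(ip6->sin6_addr.s6_addr))
+ while (p >= cptr && i < sizeof(ip6->sin6_addr.s6_addr))
 {
 if (*p == '.')
 {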
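Review bot: The new loop guard `p >= cptr` in the IPv4 loop (and the identical one in the IPv6 loop) is evaluated only after `p--` has already run, so for a name that is nothing but the PTR suffix `p` becomes `cptr - 1`. Forming a pointer before the start of the buffer is undefined behaviour in C++ even when it is never dereferenced, and an optimizer is entitled to treat the comparison as always true. Counting down an offset avoids this: take `size_t left = p - cptr;` before the loop, test `while (left > 0 && i < sizeof(ip4->sin_addr.s_addr))`, and read `cptr[left - 1]` with `left--` wherever the body currently does `p--`. Both loop bodies continue outside the hunks, so any further decrement or `*p` read there needs the same bound. The name being parsed presumably comes from a DNS reply, so also confirm that leaving a loop early (buffer start reached before `i` hits the address size) makes `ptrToIp` report failure rather than a partly filled address; the visible context sets `ip.ss_family = AF_INET` right after the IPv4 loop.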