alpine 3.6
buffer weakness #27

5

Weakness Breakdown


Definition:

Buffer overflows are among the best-known software vulnerabilities. Even though most developers know what a buffer overflow is, attacks against them remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then copies into an undersized stack buffer. Besides stack buffer overflows, other kinds include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly. (This is the warning class attached to strncat: its third argument is the maximum number of bytes to append from the source, not the size of the destination, so passing the destination's size is wrong whenever the destination already holds a string.)

File Name:

nmap/src/nmap-7.40/nping/ProbeMode.cc

Context:

The trigger point of this particular Alpine 3.6 buffer weakness is the strncat(final_output, hex, sizeof(final_output)-1) call in the code below; the highlight does not survive in this text copy. The length argument is the whole buffer size minus one, but final_output has just been filled by snprintf, so the space actually left is sizeof(final_output) minus the length of that prefix minus one. strncat bounds the bytes read from hex, not the bytes written to final_output: when the prefix plus the hexdump of a received packet is longer than the buffer, the call writes past its end. The correct length is the remaining room, i.e. sizeof(final_output) minus strlen(final_output) minus one, or the append should be done with snprintf into the unused tail of the buffer.

 
                    /* Statistics */
                    o.stats.addRecvPacket(packetlen);

                    /* Then we check for a target and a port and do the individual statistics */
                    trg=o.targets.findTarget( getSrcSockAddrFromIPPacket((u8*)packet, packetlen) );

                    if(trg != NULL){
                        prt=getSrcPortFromIPPacket((u8*)packet, packetlen);
                        if( prt!=NULL )
                            trg->setProbeRecvTCP(*prt, 0);
                    }
                }else if (proto==IPPROTO_ICMP || proto==IPPROTO_ICMPV6){
                    /* we look for a target based on first src addr and second the dest addr of
                    the packet header which is returned in the ICMP packet */
                    trg = is_response_icmp(packet, packetlen);

                    /* In the case of ICMP we only do any printing and statistics if we
                    found a target - otherwise it could be a packet that is nothing
                    to do with us */
                    if(trg!=NULL){
                        snprintf(final_output, sizeof(final_output), "RCVD (%.4fs) %s\n", o.stats.elapsedRuntime(t), buffer);
                        if( o.getVerbosity() >= VB_3 ){
                            hex=hexdump(packet, packetlen);
                            strncat(final_output, hex, sizeof(final_output)-1);
                            free(hex);
                        }
                        prevtime=pcaptime;
                        o.stats.addRecvPacket(packetlen);
                        trg->setProbeRecvICMP(0, 0);
                    }
                }

            /* Packet is ARP */
            }else{
                getPacketStrInfo("ARP",(const u8*)packet, packetlen, buffer, 512);
                nping_print(VB_0, "RCVD (%.4fs) %s", o.stats.elapsedRuntime(t), buffer );
                o.stats.addRecvPacket(packetlen);
                print_hexdump(VB_3 | NO_NEWLINE, packet, packetlen);
                /* TODO: find target and call setProbeRecvARP() */
            }

            if( o.getRole() == ROLE_CLIENT ){
                int delay=(int)MIN(o.getDelay()*0.33, 333);
                ev_id=nsock_timer_create(nsp, probe_delayed_output_handler, delay, NULL);
                o.setDelayedRcvd(final_output, ev_id);
            }
            else
                nping_print(VB_0|NO_NEWLINE, "%s", final_output);
        break; 
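The misuse the warning points at, shown in isolation with the arithmetic made explicit. This is an added example, not nping's code: the 32-byte line buffer, the timestamp prefix and the hex string are constructed for illustration, and strncat_footprint, flagged_idiom_overflows and append_bounded are names chosen here, not functions from the project.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* strncat(dst, src, n) appends at most n bytes of src to the string already
 * in dst and then writes a NUL.  n bounds the source, not the destination:
 * the total footprint in dst is strlen(dst) + min(strlen(src), n) + 1. */
size_t strncat_footprint(size_t dst_len, size_t src_len, size_t n)
{
    size_t copied = src_len < n ? src_len : n;
    return dst_len + copied + 1;
}

/* The flagged idiom passes n = sizeof(dst) - 1.  That is only safe when dst
 * is empty; with a prefix already present the write can run strlen(dst)
 * bytes past the end.  Returns true when the idiom would overflow dst. */
bool flagged_idiom_overflows(size_t dst_size, size_t dst_len, size_t src_len)
{
    return strncat_footprint(dst_len, src_len, dst_size - 1) > dst_size;
}

/* Corrected append: n is the room left after the existing string and its
 * terminator, so the write can never exceed dst_size bytes.  Returns false
 * when src was truncated (or dst was not a terminated string) so the caller
 * can notice instead of silently emitting a clipped line. */
bool append_bounded(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL)
        return false;                  /* no terminator inside dst: refuse */
    size_t dst_len = (size_t)(end - dst);
    size_t room = dst_size - dst_len - 1;
    strncat(dst, src, room);           /* writes at most room bytes + NUL */
    return strlen(src) <= room;
}

/* Constructed scenario (an assumption, not nping's real buffer size): a
 * 32-byte line buffer that already holds a 15-character timestamp prefix,
 * then a 35-character hexdump string is appended to it. */
static char g_line[32];
static bool g_truncated;

int run_demo(void)
{
    int n = snprintf(g_line, sizeof g_line, "RCVD (%.4fs) ", 0.0123);
    if (n < 0 || (size_t)n >= sizeof g_line)
        return -1;
    const char *hex = "45 00 00 3c 1c 46 40 00 40 06 b1 e6";
    /* The flagged idiom here would be strncat(g_line, hex, sizeof g_line - 1):
     * footprint 15 + 31 + 1 = 47 bytes into a 32-byte buffer. */
    g_truncated = !append_bounded(g_line, sizeof g_line, hex);
    return (int)strlen(g_line);
}

const char *demo_line(void) { return g_line; }
bool demo_truncated(void) { return g_truncated; }

int main(void)
{
    size_t prefix = 15, hexlen = 35, size = sizeof g_line;
    printf("flagged idiom writes %zu bytes into %zu: %s\n",
           strncat_footprint(prefix, hexlen, size - 1), size,
           flagged_idiom_overflows(size, prefix, hexlen) ? "OVERFLOW" : "ok");
    int len = run_demo();
    printf("bounded append: %d bytes, truncated=%d: \"%s\"\n",
           len, demo_truncated(), demo_line());
    return 0;
}
```

Build and run with cc -Wall example.c && ./a.out. Applied to the excerpt above, the same fix is to pass sizeof(final_output) - strlen(final_output) - 1 as the third argument of strncat, or to drop strncat and snprintf the hexdump into the tail of final_output with the remaining size, checking the return value for truncation.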
