alpine 3.6
buffer weakness #28
Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what a buffer overflow is, attacks exploiting them remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which then stores it in an undersized stack buffer. Besides stack buffer overflows, other kinds include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

nmap/src/nmap-7.40/nping/ProbeMode.cc

Context:

The line of code marked below (the strncat call, whose length argument is passed as sizeof(final_output)-1 rather than the space remaining in the buffer) is the trigger point of this particular Alpine 3.6 buffer weakness.

             }else{
                IPv4Header iphdr;
                if( iphdr.storeRecvData(packet, packetlen)!=OP_SUCCESS )
                    nping_warning(QT_1, "RCVD (%.4fs) Bogus packet received.", o.stats.elapsedRuntime(t));
                if( iphdr.getVersion()==4 || iphdr.getVersion()==6){
                    ip=true;
                }else{
                    nping_warning(QT_1, "RCVD (%.4fs) Unsupported protocol.", o.stats.elapsedRuntime(t));
                    print_hexdump(VB_3, packet, packetlen);
                    return;
                }
            }

            /* Packet is IP */
            if(ip){
                getPacketStrInfo("IP",(const u8*)packet, packetlen, buffer, 512);
                proto = getProtoFromIPPacket((u8*)packet, packetlen);
                if (proto == IPPROTO_UDP || proto == IPPROTO_TCP){
                    /* for UDP/TCP we print out and update the global total straight away
                    since we know that pcap only found packets from connections that we
                    opened */
                    snprintf(final_output, sizeof(final_output), "RCVD (%.4fs) %s\n", o.stats.elapsedRuntime(t), buffer);
                    if( o.getVerbosity() >= VB_3 ){
                        hex=hexdump(packet, packetlen);
                        strncat(final_output, hex, sizeof(final_output)-1); /* flagged line: length argument is the total buffer size, not the remaining space */
                        free(hex);
                    }
                    prevtime=pcaptime;

                    /* Statistics */
                    o.stats.addRecvPacket(packetlen);

                    /* Then we check for a target and a port and do the individual statistics */
                    trg=o.targets.findTarget( getSrcSockAddrFromIPPacket((u8*)packet, packetlen) );

                    if(trg != NULL){
                        prt=getSrcPortFromIPPacket((u8*)packet, packetlen);
                        if( prt!=NULL )
                            trg->setProbeRecvTCP(*prt, 0);
                    }
                }else if (proto==IPPROTO_ICMP || proto==IPPROTO_ICMPV6){
                    /* we look for a target based on first src addr and second the dest addr of
                    the packet header which is returned in the ICMP packet */
                    trg = is_response_icmp(packet, packetlen);

                    /* In the case of ICMP we only do any printing and statistics if we
                    found a target - otherwise it could be a packet that is nothing
                    to do with us */
                    if(trg!=NULL){
                        snprintf(final_output, sizeof(final_output), "RCVD (%.4fs) %s\n", o.stats.elapsedRuntime(t), buffer);