Bug#853570: marked as pending
Raphael Hertzog
hertzog at debian.org
Fri Aug 25 14:37:14 UTC 2017
Hi,
On Fri, 25 Aug 2017, Gianfranco Costamagna wrote:
> I see fedora is carrying the following patch:
> diff -ru ncrack-0.5/ncrack_resume.cc ncrack-0.5.new/ncrack_resume.cc
> --- ncrack-0.5/ncrack_resume.cc 2016-04-10 18:56:02.000000000 +0200
> +++ ncrack-0.5.new/ncrack_resume.cc 2017-04-13 17:53:09.369522756 +0200
> @@ -520,7 +520,7 @@
>
> j = 0;
> buf[j++] = *q;
> - while (q != '\0' && j < sizeof(buf)) {
> + while ((q != NULL) && (j < sizeof(buf))) {
> q++;
> if (q - filestr >= filelen)
> fatal("Corrupted file! Error 5\n");
>
> isn't it better (I think your approach might lead to segfaults in case the pointer
> is NULL).
The line before has "*q", so if q is NULL, you get a segfault on the line
above. On the opposite, in the loop, q is increased every time, so if you
have a valid non-NULL address, it's never going to become NULL magically,
it just increases by one.
So the Fedora patch is busted just like the upstream code was busted (it
was always consuming everyhing until the buffer was full instead of
stopping when you get a null character marking the end of the string).
That was my analysis and I submitted this upstream so let's see what
upstream will say:
https://github.com/nmap/ncrack/pull/29
> (I'm uploading the following patch right now)
Why are you uploading anything at all since I dealt with the issue?
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
More information about the Pkg-security-team
mailing list