FS#59669 - [nbtscan] segfaults

Attached to Project: Community Packages
Opened by RoundCube (RoundCube) - Wednesday, 15 August 2018, 12:53 GMT
Last edited by Levente Polyak (anthraxx) - Saturday, 12 June 2021, 00:35 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Levente Polyak (anthraxx)
George Rawlinson (rawlinsong)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

Scanning with nbtscan may segfault, in my case when scanning the network to which I am connected. With an invalid network ip it doesn't segfault.
It gives a permission denied error directly before the segfault; I'm not sure why it lacks permission as root, though.

It segfaults with a really short stacktrace:
#0 0x000055fd002217fd n/a (nbtscan)
#1 0x00007fe04f2a4003 __libc_start_main (libc.so.6)
#2 0x000055fd00221eba n/a (nbtscan)

Additional info:
* nbtscan 1.5.1-7
Doing NBT name scan for addresses from 192.168.175.0/24

IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.175.0 Sendto failed: Permission denied
Segmentation fault

Closed by  Levente Polyak (anthraxx)
Saturday, 12 June 2021, 00:35 GMT
Reason for closing:  Fixed
Additional comments about closing:  1.6-1
Comment by Bryan (nurfed) - Wednesday, 14 November 2018, 11:52 GMT
Hi,

I had a quick look at this bug and I think I found the issue.

By adding -Wall to the Makefile and recompiling, we get the following build warnings:

nbtscan.c:529:35: warning: implicit declaration of function ‘parse_response’ [-Wimplicit-function-declaration]
hostinfo = (struct nb_host_info*)parse_response(buff, size);
^~~~~~~~~~~~~~
nbtscan.c:529:13: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
hostinfo = (struct nb_host_info*)parse_response(buff, size);

It turns out that the segmentation fault is caused by the hostinfo pointer being modified. (confirmed that with a debugger)
If I believe the following post (https://www.codementor.io/missimer/implicit-int-and-pointers-6tf0vbbi2) then:
The compiler assumes that the parse_response function returns a 4 byte pointer (while it is actually returning an 8 byte pointer).
Since it assumes that the result was 4 bytes, it will try to sign-extend this 4 byte pointer to an 8 byte pointer, which will overwrite the upper 4 bytes of the hostinfo pointer, and this causes the segmentation fault.

Perhaps this is happening now due to (recent?) changes in gcc?

I managed to solve the issue by adding the following line after the includes in "nbtscan.c":
struct nb_host_info* parse_response(char* buff, int buffsize);

As I'm not sure if this would be the best solution, I'm leaving this for the maintainer to decide.

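The truncation Bryan describes, as an added C example that is not nbtscan's code: the struct layout, the `parse_response` stand-in and the helper names are assumptions. Because newer compilers reject an implicit declaration outright, the example models the old C89 behaviour explicitly (return value squeezed through `int`, then sign-extended back to pointer width) rather than relying on the compiler to do it. The first test value is the frame #0 address from the stack trace above; the second is a constructed address whose low 32 bits have the sign bit set, which is the case that sign extension turns into a wild upper half.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical host record; only here so parse_response() has something to return. */
struct nb_host_info {
    char name[16];
};

static struct nb_host_info record;

/* Stand-in for nbtscan's parse_response(): copies the name and returns a real pointer. */
struct nb_host_info *parse_response(const char *buff, int buffsize)
{
    (void)buffsize;
    strncpy(record.name, buff, sizeof record.name - 1);
    record.name[sizeof record.name - 1] = '\0';
    return &record;
}

/*
 * Model of the call site without a prototype in scope. Under C89 implicit-int
 * rules the compiler believes the function returns `int`, so it keeps only the
 * low 32 bits of the 64-bit pointer and sign-extends them when the caller
 * casts the value back to a pointer. This is exactly what the
 * -Wint-to-pointer-cast warning in the comment above is pointing at.
 */
uint64_t truncated_pointer(uint64_t p)
{
    int as_int = (int)(uint32_t)p;          /* what the caller "sees" returned */
    return (uint64_t)(int64_t)as_int;       /* sign-extended back to 64 bits */
}

/* 1 if the int round-trip leaves the pointer value unchanged, else 0. */
int pointer_survives_int(uint64_t p)
{
    return truncated_pointer(p) == p;
}

/* 1 if calling parse_response() through an implicit int would corrupt this pointer. */
int pointer_is_corrupted(const struct nb_host_info *p)
{
    uint64_t real = (uint64_t)(uintptr_t)p;
    return !pointer_survives_int(real);
}

int main(void)
{
    /* With the prototype in scope (as in the fix above) the pointer is intact. */
    struct nb_host_info *h = parse_response("FILESERVER", 10);
    printf("name=%s\n", h->name);
    printf("pointer 0x%016llx would %s\n",
           (unsigned long long)(uintptr_t)h,
           pointer_is_corrupted(h) ? "be corrupted" : "survive");
    return 0;
}
```

On a typical 64-bit Linux build the record lives above 4 GiB, so `pointer_is_corrupted()` reports 1; on a non-PIE binary loaded below 4 GiB it can report 0, which is why the bug can appear or disappear with a toolchain change rather than a change to nbtscan itself.
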
Comment by RoundCube (RoundCube) - Tuesday, 20 November 2018, 11:29 GMT
I can confirm that the above mentioned fix solves the problem.
