FS#59669 - [nbtscan] segfaults
Attached to Project:
Community Packages
Opened by RoundCube (RoundCube) - Wednesday, 15 August 2018, 12:53 GMT
Last edited by Levente Polyak (anthraxx) - Saturday, 12 June 2021, 00:35 GMT
Details
Description:
Scanning with nbtscan may segfault, in my case when scanning the network to which I am connected. With an invalid network IP it doesn't segfault. It gives a permission denied error directly before the segfault; I'm not sure why it lacks permission as root, though. It segfaults with a really short stacktrace:

#0 0x000055fd002217fd n/a (nbtscan)
#1 0x00007fe04f2a4003 __libc_start_main (libc.so.6)
#2 0x000055fd00221eba n/a (nbtscan)

Additional info:
* nbtscan 1.5.1-7

Doing NBT name scan for addresses from 192.168.175.0/24

IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.175.0 Sendto failed: Permission denied
Segmentation fault
Closed by Levente Polyak (anthraxx)
Saturday, 12 June 2021, 00:35 GMT
Reason for closing: Fixed
Additional comments about closing: 1.6-1
I had a quick look at this bug and I think I found the issue.
By adding -Wall to the Makefile and recompiling, we get the following build warnings:
nbtscan.c:529:35: warning: implicit declaration of function ‘parse_response’ [-Wimplicit-function-declaration]
hostinfo = (struct nb_host_info*)parse_response(buff, size);
^~~~~~~~~~~~~~
nbtscan.c:529:13: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
hostinfo = (struct nb_host_info*)parse_response(buff, size);
It turns out that the segmentation fault is caused by the hostinfo pointer being modified (confirmed with a debugger).
If I believe the following post (https://www.codementor.io/missimer/implicit-int-and-pointers-6tf0vbbi2) then:
The compiler assumes that the parse_response function returns a 4-byte pointer (while it is actually returning an 8-byte pointer).
Since it assumes that the result was 4 bytes, it will try to sign-extend this 4-byte pointer to an 8-byte pointer, which will overwrite the upper 4 bytes of the hostinfo pointer and this causes the segmentation fault.
Perhaps this is happening now due to (recent?) changes in gcc?
I managed to solve the issue by adding the following line after the includes in "nbtscan.c":
struct nb_host_info* parse_response(char* buff, int buffsize);
As I'm not sure if this would be the best solution, I'm leaving this for the maintainer to decide.
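As an added illustration of the mechanism described in the comment above (this is not code from the report or from nbtscan): a small C model of what happens to an 8-byte pointer when the caller believes parse_response returns a 4-byte int. It assumes 64-bit pointers; two of the sample addresses are taken from the stack trace in the description, the other two are constructed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* What the caller of an implicitly declared (int-returning) function does with
   an 8-byte pointer that the callee actually returned: only the low 4 bytes are
   taken as the int result, and that int is sign-extended back to 8 bytes when
   it is cast to the pointer type. Modelled on 64-bit pointers (assumption). */
uint64_t implicit_int_roundtrip(uint64_t real_ptr)
{
    uint32_t low_half = (uint32_t)real_ptr;    /* upper 4 bytes are discarded */
    int32_t as_int = (int32_t)low_half;        /* reinterpreted as a 4-byte int */
    return (uint64_t)(int64_t)as_int;          /* sign-extended to 8 bytes */
}

/* With the correct prototype in scope, the full pointer value is preserved. */
uint64_t prototyped_roundtrip(uint64_t real_ptr)
{
    return real_ptr;
}

/* 1 if the pointer the caller stores differs from what the callee returned. */
int pointer_corrupted(uint64_t real_ptr)
{
    return implicit_int_roundtrip(real_ptr) != real_ptr;
}

int main(void)
{
    /* Constructed sample inputs: the two code addresses from the reporter's
       stack trace, a low address that fits in 31 bits (survives the round
       trip), and an address that fits in 32 bits but has bit 31 set, which
       sign-extension turns into a kernel-half address. */
    const uint64_t samples[] = {
        0x000055fd002217fdULL, 0x00007fe04f2a4003ULL,
        0x0000000001fb8e10ULL, 0x0000000080001000ULL
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t p = samples[i];
        printf("%016" PRIx64 " -> %016" PRIx64 " (%s)\n",
               p, implicit_int_roundtrip(p),
               pointer_corrupted(p) ? "corrupted" : "intact");
    }
    return 0;
}
```

Only a pointer whose upper 33 bits are all zero (or all one) survives the int round trip, which is why a typical x86-64 heap or code address such as 0x000055fd... is clobbered while small low addresses appear to work.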