2 files changed, 166 insertions, 0 deletions
diff --git a/meta-oe/recipes-security/nmap/files/0003-Fix-off-by-one-overflow-in-the-IP-protocol-table.patch b/meta-oe/recipes-security/nmap/files/0003-Fix-off-by-one-overflow-in-the-IP-protocol-table.patch
new file mode 100644
index 0000000000..bcb04250bb
--- /dev/null
+++ b/meta-oe/recipes-security/nmap/files/0003-Fix-off-by-one-overflow-in-the-IP-protocol-table.patch
@@ -0,0 +1,165 @@
+From 364d089250d1acf459e9e8580161e7bb06268106 Mon Sep 17 00:00:00 2001
+From: Wang Mingyu <wangmy@fujitsu.com>
+Date: Tue, 15 Oct 2024 02:47:38 +0000
+Subject: [PATCH] Fix off-by-one overflow in the IP protocol table.
+Fixes #2896, closes #2897, closes #2900
+Upstream-Status: Backport [https://github.com/nmap/nmap/commit/efa0dc36f2ecade6ba8d2ed25dd4d5fbffdea308]
+Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
+---
+ CHANGELOG     |  3 +++
+ portlist.cc   |  8 ++++----
+ protocols.cc  |  6 +++---
+ protocols.h   |  2 ++
+ scan_lists.cc | 10 +++++-----
+ 5 files changed, 17 insertions(+), 12 deletions(-)
+diff --git a/CHANGELOG b/CHANGELOG
+index f01262c..5b204bd 100644
+--- a/CHANGELOG
+++ b/CHANGELOG
+@@ -1,5 +1,8 @@
+ #Nmap Changelog ($Id: CHANGELOG 38849 2024-04-18 17:16:42Z dmiller $); -*-text-*-
+ 
+o [GH#2900, GH#2896, GH#2897] Nmap is now able to scan IP protocol 255.
+  [nnposter]
+
+ Nmap 7.95 [2024-04-19]
+ 
+ o [Windows] Upgraded Npcap (our Windows raw packet capturing and
+diff --git a/portlist.cc b/portlist.cc
+index 8258853..cd08437 100644
+--- a/portlist.cc
+++ b/portlist.cc
+@@ -480,7 +480,7 @@ void PortList::setPortState(u16 portno, u8 protocol, int state, int *oldstate) {
+       state != PORT_CLOSEDFILTERED)
+     fatal("%s: attempt to add port number %d with illegal state %d\n", __func__, portno, state);
+ 
+-  assert(protocol!=IPPROTO_IP || portno<256);
+  assert(protocol!=IPPROTO_IP || portno<=MAX_IPPROTONUM);
+ 
+   bool created = false;
+   current = createPort(portno, protocol, &created);
+@@ -566,7 +566,7 @@ Port *PortList::nextPort(const Port *cur, Port *next,
+   if (cur) {
+     proto = INPROTO2PORTLISTPROTO(cur->proto);
+     assert(port_map[proto]!=NULL); // Hmm, it's not possible to handle port that doesn't have anything in map
+-    assert(cur->proto!=IPPROTO_IP || cur->portno<256);
+    assert(cur->proto!=IPPROTO_IP || cur->portno<=MAX_IPPROTONUM);
+     mapped_pno = port_map[proto][cur->portno];
+     mapped_pno++; //  we're interested in next port after current
+   } else { // running for the first time
+@@ -615,7 +615,7 @@ void PortList::mapPort(u16 *portno, u8 *protocol) const {
+   mapped_protocol = INPROTO2PORTLISTPROTO(*protocol);
+ 
+   if (*protocol == IPPROTO_IP)
+-    assert(*portno < 256);
+    assert(*portno <= MAX_IPPROTONUM);
+   if(port_map[mapped_protocol]==NULL || port_list[mapped_protocol]==NULL) {
+     fatal("%s(%i,%i): you're trying to access uninitialized protocol", __func__, *portno, *protocol);
+   }
+@@ -713,7 +713,7 @@ int PortList::port_list_count[PORTLIST_PROTO_MAX];
+  * should be sorted. */
+ void PortList::initializePortMap(int protocol, u16 *ports, int portcount) {
+   int i;
+-  int ports_max = (protocol == IPPROTO_IP) ? 256 : 65536;
+  int ports_max = (protocol == IPPROTO_IP) ? MAX_IPPROTONUM + 1 : 65536;
+   int proto = INPROTO2PORTLISTPROTO(protocol);
+ 
+   if (port_map[proto] != NULL || port_map_rev[proto] != NULL)
+diff --git a/protocols.cc b/protocols.cc
+index 76e42c7..85e55e4 100644
+--- a/protocols.cc
+++ b/protocols.cc
+@@ -79,7 +79,7 @@ struct strcmp_comparator {
+ 
+ // IP Protocol number is 8 bits wide
+ // protocol_table[IPPROTO_TCP] == {"tcp", 6}
+-static struct nprotoent *protocol_table[UCHAR_MAX];
+static struct nprotoent *protocol_table[MAX_IPPROTONUM + 1];
+ // proto_map["tcp"] = {"tcp", 6}
+ typedef std::map<const char *, struct nprotoent, strcmp_comparator> ProtoMap;
+ static ProtoMap proto_map;
+@@ -119,7 +119,7 @@ static int nmap_protocols_init() {
+     if (*p == '#' || *p == '\0')
+       continue;
+     res = sscanf(line, "%127s %hu", protocolname, &protno);
+-    if (res !=2 || protno > UCHAR_MAX) {
+    if (res !=2 || protno > MAX_IPPROTONUM) {
+       error("Parse error in protocols file %s line %d", filename, lineno);
+       continue;
+     }
+@@ -191,7 +191,7 @@ const struct nprotoent *nmap_getprotbynum(int num) {
+   if (nmap_protocols_init() == -1)
+     return NULL;
+ 
+-  assert(num >= 0 && num < UCHAR_MAX);
+  assert(num >= 0 && num <= MAX_IPPROTONUM);
+   return protocol_table[num];
+ }
+ 
+diff --git a/protocols.h b/protocols.h
+index 8934284..2de0aa4 100644
+--- a/protocols.h
+++ b/protocols.h
+@@ -79,6 +79,8 @@ int addprotocolsfromservmask(char *mask, u8 *porttbl);
+ const struct nprotoent *nmap_getprotbynum(int num);
+ const struct nprotoent *nmap_getprotbyname(const char *name);
+ 
+#define MAX_IPPROTONUM 255
+
+ #define MAX_IPPROTOSTRLEN 4
+ #define IPPROTO2STR(p)         \
+   ((p)==IPPROTO_TCP ? "tcp" :  \
+diff --git a/scan_lists.cc b/scan_lists.cc
+index f02e279..ebe1357 100644
+--- a/scan_lists.cc
+++ b/scan_lists.cc
+@@ -165,7 +165,7 @@ void getpts(const char *origexpr, struct scan_lists *ports) {
+       ports->udp_count++;
+     if (porttbl[i] & SCAN_SCTP_PORT)
+       ports->sctp_count++;
+-    if (porttbl[i] & SCAN_PROTOCOLS && i < 256)
+    if (porttbl[i] & SCAN_PROTOCOLS && i <= MAX_IPPROTONUM)
+       ports->prot_count++;
+   }
+ 
+@@ -192,7 +192,7 @@ void getpts(const char *origexpr, struct scan_lists *ports) {
+       ports->udp_ports[udpi++] = i;
+     if (porttbl[i] & SCAN_SCTP_PORT)
+       ports->sctp_ports[sctpi++] = i;
+-    if (porttbl[i] & SCAN_PROTOCOLS && i < 256)
+    if (porttbl[i] & SCAN_PROTOCOLS && i <= MAX_IPPROTONUM)
+       ports->prots[proti++] = i;
+   }
+ 
+@@ -388,7 +388,7 @@ static void getpts_aux(const char *origexpr, int nested, u8 *porttbl, int range_
+     } else if (isdigit((int) (unsigned char) *current_range)) {
+       rangestart = strtol(current_range, &endptr, 10);
+       if (range_type & SCAN_PROTOCOLS) {
+-        if (rangestart < 0 || rangestart > 255)
+        if (rangestart < 0 || rangestart > MAX_IPPROTONUM)
+           fatal("Protocols specified must be between 0 and 255 inclusive");
+       } else {
+         if (rangestart < 0 || rangestart > 65535)
+@@ -429,13 +429,13 @@ static void getpts_aux(const char *origexpr, int nested, u8 *porttbl, int range_
+       if (!*current_range || *current_range == ',' || *current_range == ']') {
+         /* Ended with a -, meaning up until the last possible port */
+         if (range_type & SCAN_PROTOCOLS)
+-          rangeend = 255;
+          rangeend = MAX_IPPROTONUM;
+         else
+           rangeend = 65535;
+       } else if (isdigit((int) (unsigned char) *current_range)) {
+         rangeend = strtol(current_range, &endptr, 10);
+         if (range_type & SCAN_PROTOCOLS) {
+-          if (rangeend < 0 || rangeend > 255)
+          if (rangeend < 0 || rangeend > MAX_IPPROTONUM)
+             fatal("Protocols specified must be between 0 and 255 inclusive");
+         } else {
+           if (rangeend < 0 || rangeend > 65535)
+-- 
+2.34.1
diff --git a/meta-oe/recipes-security/nmap/nmap_7.95.bb b/meta-oe/recipes-security/nmap/nmap_7.95.bb
index 79c28e71f0..a319be4fb0 100644
--- a/meta-oe/recipes-security/nmap/nmap_7.95.bb
+++ b/meta-oe/recipes-security/nmap/nmap_7.95.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://nmap.org/dist/${BP}.tar.bz2 \
           file://nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch \
           file://0001-Include-time.h-header-to-pass-clang-compilation.patch \
           file://0002-Fix-building-with-libc.patch \
+           file://0003-Fix-off-by-one-overflow-in-the-IP-protocol-table.patch \
           "
 SRC_URI[sha256sum] = "e14ab530e47b5afd88f1c8a2bac7f89cd8fe6b478e22d255c5b9bddb7a1c5778" 
 inherit autotools-brokensep pkgconfig python3native

diff --git a/meta-oe/recipes-security/nmap/files/0003-Fix-off-by-one-overflow-in-the-IP-protocol-table.patch b/meta-oe/recipes-security/nmap/files/0003-Fix-off-by-one-overflow-in-the-IP-protocol-table.patch new file mode 100644 index 0000000000..bcb04250bb --- /dev/null +++ b/meta-oe/recipes-security/nmap/files/0003-Fix-off-by-one-overflow-in-the-IP-protocol-table.patch
@@ -0,0 +1,165 @@
		1	From 364d089250d1acf459e9e8580161e7bb06268106 Mon Sep 17 00:00:00 2001
		2	From: Wang Mingyu <wangmy@fujitsu.com>
		3	Date: Tue, 15 Oct 2024 02:47:38 +0000
		4	Subject: [PATCH] Fix off-by-one overflow in the IP protocol table.
		5
		6	Fixes #2896, closes #2897, closes #2900
		7
		8	Upstream-Status: Backport [https://github.com/nmap/nmap/commit/efa0dc36f2ecade6ba8d2ed25dd4d5fbffdea308]
		9
		10	Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
		11	---
		12	CHANGELOG \| 3 +++
		13	portlist.cc \| 8 ++++----
		14	protocols.cc \| 6 +++---
		15	protocols.h \| 2 ++
		16	scan_lists.cc \| 10 +++++-----
		17	5 files changed, 17 insertions(+), 12 deletions(-)
		18
		19	diff --git a/CHANGELOG b/CHANGELOG
		20	index f01262c..5b204bd 100644
		21	--- a/CHANGELOG
		22	+++ b/CHANGELOG
		23	@@ -1,5 +1,8 @@
		24	#Nmap Changelog ($Id: CHANGELOG 38849 2024-04-18 17:16:42Z dmiller $); --text--
		25
		26	+o [GH#2900, GH#2896, GH#2897] Nmap is now able to scan IP protocol 255.
		27	+ [nnposter]
		28	+
		29	Nmap 7.95 [2024-04-19]
		30
		31	o [Windows] Upgraded Npcap (our Windows raw packet capturing and
		32	diff --git a/portlist.cc b/portlist.cc
		33	index 8258853..cd08437 100644
		34	--- a/portlist.cc
		35	+++ b/portlist.cc
		36	@@ -480,7 +480,7 @@ void PortList::setPortState(u16 portno, u8 protocol, int state, int *oldstate) {
		37	state != PORT_CLOSEDFILTERED)
		38	fatal("%s: attempt to add port number %d with illegal state %d\n", __func__, portno, state);
		39
		40	- assert(protocol!=IPPROTO_IP \|\| portno<256);
		41	+ assert(protocol!=IPPROTO_IP \|\| portno<=MAX_IPPROTONUM);
		42
		43	bool created = false;
		44	current = createPort(portno, protocol, &created);
		45	@@ -566,7 +566,7 @@ Port PortList::nextPort(const Port cur, Port *next,
		46	if (cur) {
		47	proto = INPROTO2PORTLISTPROTO(cur->proto);
		48	assert(port_map[proto]!=NULL); // Hmm, it's not possible to handle port that doesn't have anything in map
		49	- assert(cur->proto!=IPPROTO_IP \|\| cur->portno<256);
		50	+ assert(cur->proto!=IPPROTO_IP \|\| cur->portno<=MAX_IPPROTONUM);
		51	mapped_pno = port_map[proto][cur->portno];
		52	mapped_pno++; // we're interested in next port after current
		53	} else { // running for the first time
		54	@@ -615,7 +615,7 @@ void PortList::mapPort(u16 portno, u8 protocol) const {
		55	mapped_protocol = INPROTO2PORTLISTPROTO(*protocol);
		56
		57	if (*protocol == IPPROTO_IP)
		58	- assert(*portno < 256);
		59	+ assert(*portno <= MAX_IPPROTONUM);
		60	if(port_map[mapped_protocol]==NULL \|\| port_list[mapped_protocol]==NULL) {
		61	fatal("%s(%i,%i): you're trying to access uninitialized protocol", __func__, portno, protocol);
		62	}
		63	@@ -713,7 +713,7 @@ int PortList::port_list_count[PORTLIST_PROTO_MAX];
		64	* should be sorted. */
		65	void PortList::initializePortMap(int protocol, u16 *ports, int portcount) {
		66	int i;
		67	- int ports_max = (protocol == IPPROTO_IP) ? 256 : 65536;
		68	+ int ports_max = (protocol == IPPROTO_IP) ? MAX_IPPROTONUM + 1 : 65536;
		69	int proto = INPROTO2PORTLISTPROTO(protocol);
		70
		71	if (port_map[proto] != NULL \|\| port_map_rev[proto] != NULL)
		72	diff --git a/protocols.cc b/protocols.cc
		73	index 76e42c7..85e55e4 100644
		74	--- a/protocols.cc
		75	+++ b/protocols.cc
		76	@@ -79,7 +79,7 @@ struct strcmp_comparator {
		77
		78	// IP Protocol number is 8 bits wide
		79	// protocol_table[IPPROTO_TCP] == {"tcp", 6}
		80	-static struct nprotoent *protocol_table[UCHAR_MAX];
		81	+static struct nprotoent *protocol_table[MAX_IPPROTONUM + 1];
		82	// proto_map["tcp"] = {"tcp", 6}
		83	typedef std::map<const char *, struct nprotoent, strcmp_comparator> ProtoMap;
		84	static ProtoMap proto_map;
		85	@@ -119,7 +119,7 @@ static int nmap_protocols_init() {
		86	if (p == '#' \|\| p == '\0')
		87	continue;
		88	res = sscanf(line, "%127s %hu", protocolname, &protno);
		89	- if (res !=2 \|\| protno > UCHAR_MAX) {
		90	+ if (res !=2 \|\| protno > MAX_IPPROTONUM) {
		91	error("Parse error in protocols file %s line %d", filename, lineno);
		92	continue;
		93	}
		94	@@ -191,7 +191,7 @@ const struct nprotoent *nmap_getprotbynum(int num) {
		95	if (nmap_protocols_init() == -1)
		96	return NULL;
		97
		98	- assert(num >= 0 && num < UCHAR_MAX);
		99	+ assert(num >= 0 && num <= MAX_IPPROTONUM);
		100	return protocol_table[num];
		101	}
		102
		103	diff --git a/protocols.h b/protocols.h
		104	index 8934284..2de0aa4 100644
		105	--- a/protocols.h
		106	+++ b/protocols.h
		107	@@ -79,6 +79,8 @@ int addprotocolsfromservmask(char mask, u8 porttbl);
		108	const struct nprotoent *nmap_getprotbynum(int num);
		109	const struct nprotoent nmap_getprotbyname(const char name);
		110
		111	+#define MAX_IPPROTONUM 255
		112	+
		113	#define MAX_IPPROTOSTRLEN 4
		114	#define IPPROTO2STR(p) \
		115	((p)==IPPROTO_TCP ? "tcp" : \
		116	diff --git a/scan_lists.cc b/scan_lists.cc
		117	index f02e279..ebe1357 100644
		118	--- a/scan_lists.cc
		119	+++ b/scan_lists.cc
		120	@@ -165,7 +165,7 @@ void getpts(const char origexpr, struct scan_lists ports) {
		121	ports->udp_count++;
		122	if (porttbl[i] & SCAN_SCTP_PORT)
		123	ports->sctp_count++;
		124	- if (porttbl[i] & SCAN_PROTOCOLS && i < 256)
		125	+ if (porttbl[i] & SCAN_PROTOCOLS && i <= MAX_IPPROTONUM)
		126	ports->prot_count++;
		127	}
		128
		129	@@ -192,7 +192,7 @@ void getpts(const char origexpr, struct scan_lists ports) {
		130	ports->udp_ports[udpi++] = i;
		131	if (porttbl[i] & SCAN_SCTP_PORT)
		132	ports->sctp_ports[sctpi++] = i;
		133	- if (porttbl[i] & SCAN_PROTOCOLS && i < 256)
		134	+ if (porttbl[i] & SCAN_PROTOCOLS && i <= MAX_IPPROTONUM)
		135	ports->prots[proti++] = i;
		136	}
		137
		138	@@ -388,7 +388,7 @@ static void getpts_aux(const char origexpr, int nested, u8 porttbl, int range_
		139	} else if (isdigit((int) (unsigned char) *current_range)) {
		140	rangestart = strtol(current_range, &endptr, 10);
		141	if (range_type & SCAN_PROTOCOLS) {
		142	- if (rangestart < 0 \|\| rangestart > 255)
		143	+ if (rangestart < 0 \|\| rangestart > MAX_IPPROTONUM)
		144	fatal("Protocols specified must be between 0 and 255 inclusive");
		145	} else {
		146	if (rangestart < 0 \|\| rangestart > 65535)
		147	@@ -429,13 +429,13 @@ static void getpts_aux(const char origexpr, int nested, u8 porttbl, int range_
		148	if (!current_range \|\| current_range == ',' \|\| *current_range == ']') {
		149	/* Ended with a -, meaning up until the last possible port */
		150	if (range_type & SCAN_PROTOCOLS)
		151	- rangeend = 255;
		152	+ rangeend = MAX_IPPROTONUM;
		153	else
		154	rangeend = 65535;
		155	} else if (isdigit((int) (unsigned char) *current_range)) {
		156	rangeend = strtol(current_range, &endptr, 10);
		157	if (range_type & SCAN_PROTOCOLS) {
		158	- if (rangeend < 0 \|\| rangeend > 255)
		159	+ if (rangeend < 0 \|\| rangeend > MAX_IPPROTONUM)
		160	fatal("Protocols specified must be between 0 and 255 inclusive");
		161	} else {
		162	if (rangeend < 0 \|\| rangeend > 65535)
		163	--
		164	2.34.1
		165


diff --git a/meta-oe/recipes-security/nmap/nmap_7.95.bb b/meta-oe/recipes-security/nmap/nmap_7.95.bb index 79c28e71f0..a319be4fb0 100644 --- a/meta-oe/recipes-security/nmap/nmap_7.95.bb +++ b/meta-oe/recipes-security/nmap/nmap_7.95.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://nmap.org/dist/${BP}.tar.bz2 \
10	file://nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch \	10	file://nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch \
11	file://0001-Include-time.h-header-to-pass-clang-compilation.patch \	11	file://0001-Include-time.h-header-to-pass-clang-compilation.patch \
12	file://0002-Fix-building-with-libc.patch \	12	file://0002-Fix-building-with-libc.patch \
		13	file://0003-Fix-off-by-one-overflow-in-the-IP-protocol-table.patch \
13	"	14	"
14	SRC_URI[sha256sum] = "e14ab530e47b5afd88f1c8a2bac7f89cd8fe6b478e22d255c5b9bddb7a1c5778"	15	SRC_URI[sha256sum] = "e14ab530e47b5afd88f1c8a2bac7f89cd8fe6b478e22d255c5b9bddb7a1c5778"
15	inherit autotools-brokensep pkgconfig python3native	16	inherit autotools-brokensep pkgconfig python3native