Nmap Development mailing list archives

Bug found in OpenBSD nmap


From: "D." <dugely () yahoo com>
Date: Wed, 26 Sep 2001 17:48:04 -0700 (PDT)

Hello nmap-dev,

I recently switched my RedHat Linux workstation over
to OpenBSD. I figure safety is a good thing, and I'm
finding the OpenBSD X windows interface actually quite
comfortable...

Anyways, next time you're on an OpenBSD 2.9 (maybe
other versions too) try doing a -sO scan (ipprotocol
scan). It gives you this message:

/home/doug@orion$ nmap -sO -v -v -v -d localhost

Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
Packet capture filter: (icmp and dst host 127.0.0.1)
or (tcp and dst host 127.0.0.1 and ( dst port 55239 or
dst port 55240 or dst port 55241 or dst port 55242 or
dst port 55243))
ICMP type 8 code 0 packet is only 28 bytes

We got a ping packet back from 127.0.0.1: id = 49375
seq = 0 checksum = 16160
Hostupdate called for machine 127.0.0.1 state
UNKNOWN/COMBO -> HOST_UP (trynum 0, dotimeadj: yes
time: 26814)
Finished block: srtt: 27012 rttvar: 27012 timeout:
300000 block_tries: 1 up_this_block: 1
down_this_block: 0 group_sz: 1
massping done:  num_hosts: 1  num_responses: 1
Host localhost (127.0.0.1) appears to be up ... good.
Starting super_scan
Packet capture filter: (icmp and dst host 127.0.0.1)
or (tcp and src host 127.0.0.1 and dst host 127.0.0.1
and ( dst port 55219 or dst port 55220))
Initiating IPProto Scan against localhost (127.0.0.1)
sendto in send_ip_raw: sendto(3, packet, 20, 0,
127.0.0.1, 16) => Invalid argument
Sleeping 15 seconds then retrying
sendto in send_ip_raw: sendto(3, packet, 20, 0,
127.0.0.1, 16) => Invalid argument
Sleeping 60 seconds then retrying
^Ccaught SIGINT signal, cleaning up
/home/doug@orion$ uname -a
OpenBSD orion 2.9 DOUGS#0 i386

Anyways, I narrowed the problem down to the use of the
BSDUFIX macro, which calls ntohs for one of the
arguments in sendto. I simply removed the macro from
that particular argument, and it now works seemingly
flawlessly...


Here's my patch of what I did (I imagine this could
break nmap on other platforms):

http://hardcoresoftware.cjb.net/nmap/tcpip.c.patch


But the thing is, I was digging around in nmap.h, and
I saw this:

#ifndef BSDFIX
#if FREEBSD || BSDI || NETBSD
/* These kernels take the ip_len/ip_off fields of a raw-socket IP header
   in host byte order, so the macros are the identity. */
#define BSDFIX(x) x
#define BSDUFIX(x) x
#else
/* Everywhere else the fields are stored in network byte order:
   BSDFIX converts host -> network, BSDUFIX converts network -> host. */
#define BSDFIX(x) htons(x)
#define BSDUFIX(x) ntohs(x)
#endif
#endif /* BSDFIX */


There are lots of other BSDUFIX macros being used in the
OpenBSD source, and they all seem to work but that
one... I'm wondering if " || OPENBSD" should be
appended onto the second line of that code snippet,
and if not, why? Why the whole need for this? Does BSD
do this differently than other unixes?

Anyways, maybe somebody who understands the code
better than I could make the suggestion. All I know is
that this fixed my problem, and if that helps anyone
else out, great!


Doug Hoyte
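To show what the BSDFIX/BSDUFIX pair is working around, here is an added example (mine, not Doug's patch and not nmap's code). It builds a bare 20-byte IPv4 header under either byte-order convention and models the length check a kernel applies to IP_HDRINCL output, without opening a socket. Assumptions: the struct and function names (ipv4_hdr, build_ipv4_header, kernel_accepts, ip_cksum) are invented for the example; that classic BSD kernels (FreeBSD before 11, BSD/OS, NetBSD) expect ip_len and ip_off in host byte order on raw sockets is the documented behaviour of those kernels, while the same for OpenBSD 2.9 is only inferred from the EINVAL in the report above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* htons, ntohs, htonl */

/* Which byte order the target kernel expects in the ip_len and ip_off fields
 * of a header handed to a raw socket with IP_HDRINCL. Classic BSD kernels
 * want host order; Linux wants network order. That OpenBSD 2.9 wants host
 * order is an assumption drawn from the "Invalid argument" in the report. */
enum raw_hdr_order { RAW_HDR_NETWORK_ORDER = 0, RAW_HDR_HOST_ORDER = 1 };

/* Minimal IPv4 header laid out by hand so the example does not depend on the
 * platform's <netinet/ip.h>. Hypothetical struct, not nmap's. */
struct ipv4_hdr {
    uint8_t  vhl;    /* version << 4 | header length in 32-bit words */
    uint8_t  tos;
    uint16_t len;    /* total length; byte order depends on the target kernel */
    uint16_t id;     /* always network order */
    uint16_t off;    /* flags + fragment offset; order depends on the kernel */
    uint8_t  ttl;
    uint8_t  proto;
    uint16_t sum;    /* header checksum (most kernels recompute it anyway) */
    uint32_t src;    /* always network order */
    uint32_t dst;
};

/* RFC 1071 Internet checksum over n bytes, returned in network byte order.
 * Over a header whose checksum field is already filled in it returns 0. */
uint16_t ip_cksum(const void *data, size_t n)
{
    const uint8_t *p = data;
    uint32_t sum = 0;
    while (n > 1) {
        sum += (uint32_t)p[0] << 8 | p[1];
        p += 2;
        n -= 2;
    }
    if (n == 1)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return htons((uint16_t)~sum);
}

/* Fill *h for a kernel with the given convention. Returns the byte count to
 * pass to sendto(), which is always a plain host-order number. */
size_t build_ipv4_header(struct ipv4_hdr *h, enum raw_hdr_order order,
                         uint32_t src, uint32_t dst, uint8_t proto,
                         uint16_t payload_len, uint16_t id, uint16_t off)
{
    uint16_t total = (uint16_t)(sizeof *h + payload_len);
    memset(h, 0, sizeof *h);
    h->vhl   = 0x45;
    h->len   = (order == RAW_HDR_HOST_ORDER) ? total : htons(total);
    h->id    = htons(id);
    h->off   = (order == RAW_HDR_HOST_ORDER) ? off : htons(off);
    h->ttl   = 64;
    h->proto = proto;
    h->src   = htonl(src);
    h->dst   = htonl(dst);
    h->sum   = ip_cksum(h, sizeof *h);   /* sum field is still 0 here */
    return total;
}

/* Read back the host-order total length from a header built with either
 * convention; this is what nmap's BSDUFIX() has to yield for sendto(). */
uint16_t ipv4_total_len(const struct ipv4_hdr *h, enum raw_hdr_order order)
{
    return (order == RAW_HDR_HOST_ORDER) ? h->len : ntohs(h->len);
}

/* Models the consistency check a kernel applies to IP_HDRINCL output: the
 * length it reads, in its own convention, must equal the byte count actually
 * passed to sendto(). A header built under the other convention fails it,
 * which is the EINVAL seen in the report. */
int kernel_accepts(const struct ipv4_hdr *h, enum raw_hdr_order kernel_order,
                   size_t bytes)
{
    return ipv4_total_len(h, kernel_order) == bytes;
}

int main(void)
{
    struct ipv4_hdr h;
    /* Constructed input: a bare 20-byte header to 127.0.0.1, as in the -sO scan. */
    size_t n = build_ipv4_header(&h, RAW_HDR_NETWORK_ORDER,
                                 0x7f000001, 0x7f000001, 1, 0, 1, 0);
    printf("sendto length: %zu\n", n);
    printf("network-order kernel accepts: %d\n",
           kernel_accepts(&h, RAW_HDR_NETWORK_ORDER, n));
    printf("host-order kernel accepts:    %d (it reads ip_len as %u)\n",
           kernel_accepts(&h, RAW_HDR_HOST_ORDER, n), (unsigned)h.len);
    return 0;
}
```

The point the example makes is that the length argument to sendto() is always a host-order count; what differs per kernel is how the ip_len field inside the buffer must be stored, which is why a header prepared with htons() for one kernel is rejected by a kernel that reads the field raw.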
