Nmap Development mailing list archives

nmap crashes 2.6.9 kernel ?


From: "A.R." <r00t () northernfortress net>
Date: Tue, 26 Oct 2004 22:55:48 +0000

Hello list,

I don't know if this is a known issue already, but I haven't found any
documentation about it.

Issuing a 'nmap -sT -p 1-50000 127.0.0.1' for a few times on a 2.6.9
Linux kernel can cause the machine to freeze (nmap 3.75 on a 2.6.9
Gentoo box).

The problem seems to deal with the tcp_transmit_skb() function (in the
net/ipv4/tcp_output.c file), which introduces in the latest kernel the
following check:

BUG_ON(!tcp_skb_pcount(skb));

From what I understand, the tcp_skb_pcount() function counts how many TCP
packets are needed to send the buffered data. But sometimes, during a
nmap scan, this function returns zero, and the BUG_ON macro causes the
kernel to panic, as we see in the bug.h file:

#define BUG() do { \
        printk("kernel BUG at %s:%d!\n", __FILE__, __LINE__); \
        panic("BUG!"); \
} while (0)
...
#define BUG_ON(condition) do { if (unlikely((condition)!=0)) BUG(); } while(0)

<disclaimer>
I am not a kernel guru, so I might have misinterpreted the issue.
</disclaimer> ;)

Regards

Alberto Revelli
Northern Fortress, Inc.
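The following is an added user-space model of the interaction described in the post (the bug.h macros and the pcount check in tcp_transmit_skb()); it is not code from the post or from the 2.6.9 kernel. The sk_buff layout, the tso_segs field, the body of tcp_skb_pcount() and the set_tso_segs() normalisation are assumptions for illustration; panic() is replaced by a counter so the program keeps running.

```c
/* Added example: models why a zero packet count trips BUG_ON() in
 * tcp_transmit_skb(), and a defensive normalisation that keeps a buffered
 * skb from reaching transmit with pcount == 0. Field names and helper
 * bodies are assumptions, not the kernel's sources. */
#include <stdio.h>

#define unlikely(x) __builtin_expect(!!(x), 0)

/* Stand-in for panic(): record the hit instead of halting the machine. */
static int bug_hits = 0;
#define BUG() do { \
        printf("kernel BUG at %s:%d!\n", __FILE__, __LINE__); \
        bug_hits++; \
} while (0)
#define BUG_ON(condition) do { if (unlikely((condition) != 0)) BUG(); } while (0)

/* Minimal socket-buffer model: payload length and cached segment count. */
struct sk_buff {
        unsigned int len;   /* bytes of TCP payload */
        int tso_segs;       /* cached packet count (assumed field name) */
};

static int tcp_skb_pcount(const struct sk_buff *skb)
{
        return skb->tso_segs;
}

/* Models the check in tcp_transmit_skb(); returns 1 if the assertion fired. */
int transmit_skb(struct sk_buff *skb)
{
        int before = bug_hits;
        BUG_ON(!tcp_skb_pcount(skb));
        return bug_hits != before;
}

/* Assumed hardening: derive the count from len/mss with a floor of one, so
 * even a zero-length skb (e.g. a bare ACK) never reports zero packets. */
void set_tso_segs(struct sk_buff *skb, unsigned int mss)
{
        unsigned int segs = mss ? (skb->len + mss - 1) / mss : 1;
        skb->tso_segs = segs ? (int)segs : 1;
}

/* Convenience for checking: pcount of a fresh skb after normalisation. */
int normalised_pcount(unsigned int len, unsigned int mss)
{
        struct sk_buff skb = { .len = len, .tso_segs = 0 };
        set_tso_segs(&skb, mss);
        return tcp_skb_pcount(&skb);
}

int main(void)
{
        struct sk_buff stale = { .len = 40, .tso_segs = 0 };
        printf("stale skb trips BUG_ON: %d\n", transmit_skb(&stale));
        set_tso_segs(&stale, 1460);
        printf("after normalisation:   %d\n", transmit_skb(&stale));
        return 0;
}
```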


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
