Nmap Development mailing list archives

Unhandled NSE exceptions


From: David Fifield <david () bamsoftware com>
Date: Thu, 1 Nov 2007 15:09:06 -0700

I have been experiencing a segmentation fault with NSE when running the
ripeQuery.nse script. Here's what I see:

        nmap --script=ripeQuery.nse -n -PN -d localhost
        ...
        Initiating SYN Stealth Scan at 14:55
        Scanning 127.0.0.1 [1705 ports]
        Packet capture filter (device lo): dst host 127.0.0.1 and (icmp or (tcp and (src host 127.0.0.1)))
        Discovered open port 22/tcp on 127.0.0.1
        Discovered open port 631/tcp on 127.0.0.1
        Discovered open port 6000/tcp on 127.0.0.1
        Completed SYN Stealth Scan at 14:55, 0.11s elapsed (1705 total ports)
        SCRIPT ENGINE: Initiating script scanning.
        SCRIPT ENGINE: Script scanning .
        SCRIPT ENGINE: Using /usr/libexec/nmap/nse/?.so;./?.so;/usr/local/lib/lua/5.1/?.so;/usr/local/lib/lua/5.1/loadall.so to search for C-modules and /usr/share/nmap/nselib/?.lua;./?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua;/usr/local/lib/lua/5.1/?.lua;/usr/local/lib/lua/5.1/?/init.lua for Lua-modules
        SCRIPT ENGINE: Initialized 1 rules
        SCRIPT ENGINE: Matching rules.
        SCRIPT ENGINE: Will run /usr/share/nmap/scripts/ripeQuery.nse against 127.0.0.1
        SCRIPT ENGINE: Running scripts.
        SCRIPT ENGINE: Runlevel: 1.000000
        Initiating SCRIPT ENGINE at 14:55
        Socket troubles: Address family not supported by protocol
        Segmentation fault

I tracked the problem down to the fact that I had IPv6 headers and
libraries without kernel support for IPv6. The call to getaddrinfo
caused by socket:connect in the script was returning an IPv6 address,
and when that was passed to nsock_connect_internal it displayed the
"Socket troubles" error. The segmentation fault is caused later when a
socket descriptor of -1 (returned by connect) is used at line 1059 in
nsock_core.c.

The error went away when I installed kernel IPv6 support, but I can
reproduce it by unloading and blacklisting the ipv6 module.

socket:connect is throwing an exception when this occurs. If I modify
the script to catch the exception it correctly exits without a
segmentation fault.

But the question is, shouldn't errors in things like socket:connect exit
the script if there's no exception handler? Is that possible?

(Another thing is that there should be an internal check for the -1
socket descriptor, but that should be easy to fix.)

David

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
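The failure mode described in the post (getaddrinfo hands back an IPv6 candidate, socket() fails with "Address family not supported by protocol", and the resulting -1 descriptor is used anyway) is what the following added example guards against. It is illustrative C written for this archive page, not Nmap's nsock code: it walks every address getaddrinfo returns, skips any family the running kernel rejects, and makes the caller check for -1 before the descriptor is touched. The function name `open_socket_for`, the AI_NUMERICHOST restriction (literal addresses only, so the example runs offline) and the default port are assumptions of the example.

```c
/* Added example, not Nmap/nsock code: try each getaddrinfo() result in turn
 * and never hand a -1 descriptor to later code. */
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Return a stream socket for the first address of host:port whose family the
 * kernel accepts, or -1 if none works.  *family_out (if non-NULL) receives the
 * family that succeeded.  host must be a numeric literal such as 127.0.0.1 or
 * ::1 (AI_NUMERICHOST), so no DNS traffic is generated. */
int open_socket_for(const char *host, const char *port, int *family_out)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;       /* ask for IPv4 and IPv6 candidates */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;

    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;

    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd >= 0) {
            if (family_out != NULL)
                *family_out = ai->ai_family;
            break;
        }
        /* EAFNOSUPPORT is the "Address family not supported by protocol" case
         * from the report (IPv6 headers present, ipv6 module not loaded).
         * Whatever the reason, a failed socket() means "try the next
         * candidate", never "use the -1 we just got". */
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "127.0.0.1";
    const char *port = argc > 2 ? argv[2] : "43";   /* whois, as ripeQuery uses */
    int family = 0;
    int fd = open_socket_for(host, port, &family);

    /* The internal check the post asks for: refuse to go on with -1. */
    if (fd < 0) {
        fprintf(stderr, "no usable socket for %s:%s\n", host, port);
        return 1;
    }
    printf("got descriptor %d (%s)\n", fd,
           family == AF_INET6 ? "AF_INET6" : "AF_INET");
    close(fd);
    return 0;
}
```

Run it as `./a.out ::1 43` on a host without kernel IPv6 support and it reports "no usable socket" instead of crashing; with AF_UNSPEC and a dual-stack literal it simply moves on to the next candidate. In an NSE context the same discipline applies one layer up: the script-side `socket:connect` error is the signal to stop, not something to pass through to code that assumes a valid descriptor.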