Nmap Development mailing list archives

Re: Unhandled NSE exceptions


From: David Fifield <david () bamsoftware com>
Date: Thu, 5 Jun 2008 18:16:56 -0600

On Tue, Jun 03, 2008 at 06:04:25PM -0600, Patrick Donnelly wrote:
> On Tue, Jun 3, 2008 at 10:48 AM, David Fifield <david () bamsoftware com> wrote:
>> Is there a way to make NSE exceptions work more like exceptions in other
>> languages? That is, let you catch them if you want, otherwise quit the
>> script (not the whole Nmap process) safely.
>>
>> David
>
> If nsock signaled an error which is caught (via pcall), then yes.
> Instead the style chosen was similar to assert
> (http://www.lua.org/manual/5.1/manual.html#pdf-assert). The problem is
> that if the script writer chooses to ignore the return values of the
> socket methods, the script may go on to do something undesired. Have
> you been able to figure out which socket method is causing the
> segfault?

It's not a segfault, it's an assertion failure. A connect call fails and
returns a socket descriptor of -1. The assertion failure comes later
when the script tries to use the bogus socket.

This line in ripeQuery.nse tries to create a socket:

        socket:connect("whois.ripe.net", 43)

The failing call to socket is here:

#0  nsock_connect_internal (ms=Variable "ms" is not available.
) at nsock_connect.c:82
#1  0x081b16b7 in nsock_connect_tcp (nsp=0x82a7fd8, ms_iod=0x82afde0,
    handler=0x8196162 <l_nsock_connect_handler(void*, void*, void*)>,
    timeout_msecs=30000, userdata=0x82af180, saddr=0x82afc98, sslen=28,
    port=43) at nsock_connect.c:152
#2  0x08196707 in l_nsock_connect (L=0x82af180) at nse_nsock.cc:312
#3  0x08198dfa in l_nsock_connect_queued (L=0x82af180) at nse_nsock.cc:268
#4  0x081d9650 in luaD_precall ()
#5  0x081e21e6 in luaV_execute ()
#6  0x081d9207 in luaD_rawrunprotected ()
#7  0x081d93c0 in lua_resume ()
#8  0x08187b61 in process_mainloop (L=0x82a2490) at nse_main.cc:369
#9  0x08189537 in script_scan (targets=@0xbf828e40) at nse_main.cc:289
#10 0x08099a12 in nmap_main (argc=6, argv=0xbf82c0a4) at nmap.cc:1797
#11 0x08085c9e in main (argc=6, argv=0xbf82c0a4) at main.cc:224

(socket returns -1.) Because the connection fails, this error message is
printed: Socket troubles: Address family not supported by protocol

But again, that's not the real problem. That's because my system was
misconfigured. socket:connect correctly returns {nil, "ERROR"}. The real
problem is that the script continues running after the connection fails.

The line

        socket:send(host.ip .. "\n")

hits this assertion

      assert(nse->iod->sd >= 0);

here:

#0  nsp_add_event (nsp=0x82a8038, nse=0x82b3800) at nsock_core.c:1060
#1  0x081b4d45 in nsock_write (ms_pool=0x82a8038, ms_iod=0x82b3748,
    handler=0x81933b6 <l_nsock_send_handler(void*, void*, void*)>,
    timeout_msecs=30000, userdata=0x82b2be0, data=0x82b38b0 "127.0.0.1\n",
    datalen=10) at nsock_write.c:99
#2  0x08198a1e in l_nsock_send (L=0x82b2be0) at nse_nsock.cc:379
#3  0x081d9650 in luaD_precall ()
#4  0x081e21e6 in luaV_execute ()
#5  0x081d9207 in luaD_rawrunprotected ()
#6  0x081d93c0 in lua_resume ()
#7  0x08187b61 in process_mainloop (L=0x82a24f0) at nse_main.cc:369
#8  0x08189537 in script_scan (targets=@0xbf81d610) at nse_main.cc:289
#9  0x08099a12 in nmap_main (argc=7, argv=0xbf820874) at nmap.cc:1797
#10 0x08085c9e in main (argc=7, argv=0xbf820874) at main.cc:224

I think the script should just die if socket:connect fails, and let
other scripts run. After all, there are a lot of ways a socket
connection can fail.

David Fifield
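The pattern the message argues for, as an added example that is not part of the original thread or of Nmap's own scripts: the unchecked ripeQuery.nse style beside a version that tests the status of every socket call and returns early, so only the one script gives up while Nmap carries on with the rest. It assumes the NSE socket API as described in the message (socket:connect returns true on success and nil plus an error string on failure; socket:send and socket:receive_lines follow the same convention), and that nmap.new_socket, set_timeout, receive_lines and the host argument to action are available as in the NSE of that time.

```lua
-- Added example, not code from the original thread or from Nmap.
-- Assumes: socket:connect/send/receive_lines return true on success and
-- nil, "error string" on failure; nmap.new_socket and socket:set_timeout
-- exist; `host.ip` is the target address as in ripeQuery.nse.

-- Unchecked pattern (what the message describes). The result of connect
-- is ignored, so on failure send() runs on a socket whose descriptor is
-- -1 and trips assert(nse->iod->sd >= 0) inside nsock, killing Nmap.
local function unchecked_query(host)
  local socket = nmap.new_socket()
  socket:connect("whois.ripe.net", 43)
  socket:send(host.ip .. "\n")
  local status, data = socket:receive_lines(1)
  socket:close()
  return data
end

-- Checked pattern. Each call's status is tested; on any failure the
-- socket is closed and the function returns nil plus a reason, so the
-- bogus descriptor is never handed back to nsock.
local function checked_query(host)
  local socket = nmap.new_socket()
  socket:set_timeout(5000)            -- 5 s, an arbitrary constructed value

  local status, err = socket:connect("whois.ripe.net", 43)
  if not status then
    return nil, "connect failed: " .. tostring(err)
  end

  status, err = socket:send(host.ip .. "\n")
  if not status then
    socket:close()
    return nil, "send failed: " .. tostring(err)
  end

  local lines
  status, lines = socket:receive_lines(1)
  socket:close()
  if not status then
    return nil, "receive failed: " .. tostring(lines)
  end
  return lines
end

hostrule = function(host)
  return true
end

-- Returning nil from action ends this script for this host without
-- output; other scripts and the rest of the scan are unaffected.
action = function(host)
  local result, err = checked_query(host)
  if not result then
    return nil
  end
  return result
end
```

The unchecked function is kept only to show where the crash in the backtraces above originates; a script should use the checked form throughout, since a connection can fail for many reasons that have nothing to do with the script itself.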

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
