Nmap Development mailing list archives
Re: Segfault with Nmap 4.85BETA8
From: Patrick Donnelly <batrick () batbytes com>
Date: Fri, 24 Apr 2009 07:13:57 -0600
Hello Lionel,

On Fri, Apr 24, 2009 at 2:44 AM, Lionel Cons <lionel.cons () cern ch> wrote:

I'm sometimes getting a segfault while running Nmap 4.85BETA8. Here is a backtrace:

Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-04-23 16:39 CEST

Program received signal SIGSEGV, Segmentation fault.
0x080d7dae in lua_pushnil ()
(gdb) bt
#0  0x080d7dae in lua_pushnil ()
#1  0x080b257e in ncap_restore_lua ()
#2  0x080da35b in lua_getinfo ()
#3  0x080e2b37 in lua_close ()
#4  0x080d9c58 in lua_getinfo ()
#5  0x080da850 in lua_resume ()
#6  0x080e85c6 in luaL_openlibs ()
#7  0x080e86a8 in luaL_openlibs ()
#8  0x080da35b in lua_getinfo ()
#9  0x080e2b37 in lua_close ()
#10 0x080da66f in lua_getinfo ()
#11 0x080d85cf in lua_call ()
#12 0x080d9c58 in lua_getinfo ()
#13 0x080da936 in lua_yield ()
#14 0x080d8624 in lua_pcall ()
#15 0x080af9fb in ScriptResult::set_output ()
#16 0x080da35b in lua_getinfo ()
#17 0x080da634 in lua_getinfo ()
#18 0x080d86c8 in lua_pcall ()
#19 0x080d9c58 in lua_getinfo ()
#20 0x080da936 in lua_yield ()
#21 0x080d870d in lua_cpcall ()
#22 0x080af411 in script_scan ()
#23 0x08061ec7 in nmap_main ()
#24 0x0805d518 in main ()
This is a very bizarre backtrace with many functions that do not call each other (lua_getinfo -> ScriptResult::set_output()). I suspect the stack has been corrupted somehow. On a different note, the ncap_restore_lua procedure does obtain the lua_State * through the yield structure inside the nsock userdata. The SEGFAULT would occur if this nsock userdata or thread had been collected.
The bug seems to be triggered by an NSE script of mine (see attached). The script may be buggy but IMHO it should not make Nmap segfault. Also, this script worked fine in previous versions of Nmap, up to SVN revision 12857 at least. Finally, the problem is tricky. I can reproduce it when scanning many ports on some sets of hosts. Changing the ports or the hosts scanned sometimes makes the problem disappear, maybe a timing or race condition problem? Any help to improve the NSE script and/or make Nmap more robust would be welcome.
I'm not sure this is related to any changes made to NSE since the noted revision. I will investigate this and post my findings.

Thanks for the report,

--
-Patrick Donnelly

"One of the lessons of history is that nothing is often a good thing to do and always a clever thing to say." -Will Durant

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
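The lifetime problem Patrick describes above (C code resuming a lua_State whose thread has already been collected) illustrated as an added example in plain Lua; this is not Nmap's code or Patrick's. The weak table stands in for an unanchored pointer kept on the C side, and the strong table for the usual C API remedy of pinning the thread with luaL_ref in LUA_REGISTRYINDEX (an assumed fix pattern, not a description of what nmap did).

```lua
-- Added example, not Nmap's code: a suspended coroutine reachable only
-- through a weak reference (the Lua-side analogue of a raw pointer held
-- in a C userdata) is freed by a full GC cycle; a later resume through
-- that pointer is then a use-after-free. Pinning the thread in a strong
-- table (what luaL_ref into LUA_REGISTRYINDEX does from C) keeps it alive.

-- Weak-valued table: constructed stand-in for an unanchored C pointer.
local weak = setmetatable({}, { __mode = "v" })
-- Strong anchor: constructed stand-in for a registry reference (luaL_ref).
local anchor = {}

local function make_worker(name)
  return coroutine.create(function()
    coroutine.yield(name .. " waiting")  -- suspended, like a script blocked on I/O
    return name .. " done"
  end)
end

-- Case 1: the thread yields and is afterwards only weakly referenced.
local function start_unanchored()
  local co = make_worker("unanchored")
  assert(coroutine.resume(co))  -- runs up to the yield
  weak[1] = co                  -- the "C side" keeps just the pointer
end

-- Case 2: same thread, but also pinned by a strong reference.
local function start_anchored()
  local co = make_worker("anchored")
  assert(coroutine.resume(co))
  weak[2] = co
  anchor[#anchor + 1] = co      -- luaL_ref equivalent
end

start_unanchored()
start_anchored()
collectgarbage("collect")       -- full cycle, as lua_gc(L, LUA_GCCOLLECT) would run

-- The unanchored thread is gone; resuming it through a stale pointer is the
-- kind of access that ends in a crash inside the Lua core.
print("unanchored thread survived GC:", weak[1] ~= nil)
print("anchored thread survived GC:",   weak[2] ~= nil)

-- The deferred resume a C callback would perform is safe for the anchored one.
print(coroutine.resume(anchor[1]))

-- Release the anchor (luaL_unref) only once the C side no longer needs the thread.
anchor[1] = nil
```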
Current thread:
- Segfault with Nmap 4.85BETA8 Lionel Cons (Apr 24)
- Re: Segfault with Nmap 4.85BETA8 Patrick Donnelly (Apr 24)
- Re: Segfault with Nmap 4.85BETA8 Patrick Donnelly (Apr 25)
- Re: Segfault with Nmap 4.85BETA8 Lionel Cons (Apr 27)
- Re: Segfault with Nmap 4.85BETA8 Patrick Donnelly (Apr 25)
- Re: Segfault with Nmap 4.85BETA8 Patrick Donnelly (Apr 24)