Re: More nsock socket_count_write_dec assert() failures

[David Fifield <david () bamsoftware com>]

On Mon, Mar 01, 2010 at 12:39:44PM -0700, David Fifield wrote:
> On Sat, Feb 27, 2010 at 02:40:02AM +0000, Brandon Enright wrote:
> > > It would help if you recompile with debugging and without
> > > optimization. It looks like calls are getting inlined and it's hard
> > > to tell where under nsock_loop the function is being called.
> > >
> > > Can you tell if this particular host is being connected to with SSL?
> >
> > Okay here is a full backtrace without optimization or stripping:
> >
> > (gdb) bt
> > #0  0x00007fd90545a205 in raise () from /lib/libc.so.6
> > #1  0x00007fd90545b723 in abort () from /lib/libc.so.6
> > #2  0x00007fd905453229 in __assert_fail () from /lib/libc.so.6
> > #3  0x00000000005b543e in socket_count_write_dec (iod=<value optimized out>, 
> >     ms=<value optimized out>) at nsock_core.c:199
>
> This is weird:
>
> > #4  0x00000000005b5b4e in handle_write_result (ms=0x196b150, nse=0x248eb80, 
> >     status=<value optimized out>) at nsock_core.c:536
> > #5  0x00000000005b727c in nsock_loop (nsp=0x196b150, msec_timeout=50)
> >     at nsock_core.c:937
>
> It doesn't look to me like these two lines can both execute. The first
> one (#4, line 536) is
>
>     531       if (iod->ssl) {
>     532 #if HAVE_OPENSSL
>     533         err = SSL_get_error(iod->ssl, res);
>     534         if (err == SSL_ERROR_WANT_READ) {
>     535           nse->sslinfo.ssl_desire = err;
>     536           socket_count_write_dec(iod, ms);
>     537           socket_count_read_inc(iod, ms);
>     538         } else if (err == SSL_ERROR_WANT_WRITE) {
>     539           nse->sslinfo.ssl_desire = err;
>     540         } else {
>     541           /* Unexpected error */
>     542           nse->event_done = 1;
>     543           nse->status = NSE_STATUS_ERROR;
>     544           nse->errnum = EIO;
>     545         }
>     546 #endif
>     547       } else {
>
> The second one (#5, line 937) is
>
>     928 #if HAVE_OPENSSL
>     929             desire_r = nse->sslinfo.ssl_desire == SSL_ERROR_WANT_READ;
>     930             desire_w = nse->sslinfo.ssl_desire == SSL_ERROR_WANT_WRITE;
>     931             if (nse->iod->ssl && ((desire_r && match_r) ||
>     932                                   (desire_w && match_w)))
>     933               handle_write_result(nsp, nse, NSE_STATUS_SUCCESS);
>     934             else
>     935 #endif
>     936             if (!nse->iod->ssl && match_w)
>     937               handle_write_result(nsp, nse, NSE_STATUS_SUCCESS);
>
> It looks like #4 can only execute if iod->ssl is true, and #5 can only
> execute if iod->ssl is not true.

Please try the attached patch. The counts may have been being
decremented incorrectly when an SSL write failed with an
SSL_ERROR_WANT_READ. The read count would have been incremented but
after the write succeeded the write count would have been decremented.

David Fifield

Attachment: nsock-dec.diff
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/