Re: More nsock socket_count_write_dec assert() failures

[David Fifield <david () bamsoftware com>]

On Sat, Mar 06, 2010 at 03:53:22AM +0000, Brandon Enright wrote:
> On Wed, 3 Mar 2010 12:44:04 -0700
> David Fifield <david () bamsoftware com> wrote:
> [...]
> > > It looks like #4 can only execute if iod->ssl is true, and #5 can
> > > only execute if iod->ssl is not true.
> >
> > Please try the attached patch. The counts may have been being
> > decremented incorrectly when an SSL write failed with an
> > SSL_ERROR_WANT_READ. The read count would have been incremented but
> > after the write succeeded the write count would have been decremented.
>
>
> I applied the patch earlier today and started up the scans.  I just had
> one crash in the same way:
>
> #0  0x00007f9a19a09205 in raise () from /lib/libc.so.6
> (gdb) bt
> #0  0x00007f9a19a09205 in raise () from /lib/libc.so.6
> #1  0x00007f9a19a0a723 in abort () from /lib/libc.so.6
> #2  0x00007f9a19a02229 in __assert_fail () from /lib/libc.so.6
> #3  0x0000000000483a4e in socket_count_write_dec (iod=<value optimized out>, 
>     ms=<value optimized out>) at nsock_core.c:199
> #4  0x000000000048426e in handle_write_result (ms=0x16b96f0, nse=0x2603b70, 
>     status=<value optimized out>) at nsock_core.c:537
> #5  0x00000000004859cc in nsock_loop (nsp=0x16b96f0, msec_timeout=50)
>     at nsock_core.c:950
> #6  0x0000000000476b71 in l_nsock_loop (L=0x16de520) at nse_nsock.cc:551
>
>
> I figure there are so many ways to increment and decrement the counts
> that tracking this down will be really hard.  If I can find a host that
> crashes every time I'll narrow down to just the port and script and see
> if I can produce useful narrow output of what is going on.

I worked off-list with Brandon on this problem, and I think we have it
solved. It's committed as r16961.

The problem was that handle_write_results always assumed that it was
being called as the result of a socket becoming writable. If a call to
SSL_write resulted in the pseudo-error SSL_ERROR_WANT_READ, it would
(correctly) decrement the write count and increment the write count.
However, when handle_write_result was called agains as a result of the
socket becoming readable, handle_write_result would decrement the write
count again in the event of the write finishing or another
SSL_ERROR_WANT_READ.

I added a new function socket_count_dec_ssl_desire so that
handle_write_result and similar functions decrement either the read or
write count depending on what was last being selected on.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/