Nmap Development mailing list archives

Nsock SSL problem (r29134 explanations)


From: Henri Doreau <henri.doreau () gmail com>
Date: Fri, 6 Jul 2012 15:51:02 +0200

Hello,

Yesterday I fixed a bug in nsock which was kind of flying under the
radar: only Daniel Miller reported it[1], and I personally never
managed to reproduce the stalled scan symptom he saw despite days of
debugging. Still, this problem probably affects many users, in one way or
another. I sent a quick description to the list yesterday[2] after
committing r29134, but here are the details again:


* Problem

Internal reconnection attempts can occur under certain conditions
described below:
nsock_core.c
"""
  /* SSLv3-only and TLSv1-only servers can't be connected to when the
   * SSL_OP_NO_SSLv2 option is not set, which is the case when the pool
   * was initialized with nsp_ssl_init_max_speed. Try reconnecting with
   * SSL_OP_NO_SSLv2. Never downgrade a NO_SSLv2 connection to one that
   * might use SSLv2. */
[...]
  close(iod->sd);
  nsock_connect_internal(ms, nse, [...]);
"""

The problem was that the close() statement removes the FD from the
epoll set, and the new one (from nsock_connect_internal) wasn't
added instead. Nsock therefore lost track of the events associated with
this IOD.


* Fix
I committed a first fix to make epoll_iod_modify() call epoll_ctl() a
second time, with EPOLL_CTL_ADD, in case the modification attempt
failed with ENOENT (r29134).


I would propose to replace this fix by the patch attached, which is
much nicer IMO, and has the advantage of not being engine-specific.
This new patch simply unregisters the IOD before the close() and
nsock_connect_internal() statements and registers the IOD again (with
the new FD) afterwards.

I have also added a couple of statements to engine_select.c to make it
clear all FD sets on IOD unregistration. For some reason, the X set
wasn't touched. Unless I'm missing something, this was a mistake.


Regards.


[1] http://seclists.org/nmap-dev/2012/q2/649
[2] http://seclists.org/nmap-dev/2012/q3/47

-- 
Henri

Attachment: nsock_ssl_fix.diff
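The failure mode described above, reproduced with raw epoll as an added example (this is not nsock code and not part of the original message). A socketpair stands in for the TCP connection, and a small `struct iod` with hypothetical `iod_connect`/`iod_register`/`iod_unregister` helpers stands in for nsock's IOD handling. `reconnect_buggy` mirrors the pre-r29134 sequence (close() then reconnect, nothing done on the epoll side), `reconnect_fixed` mirrors the attached patch (unregister, reconnect, register with the new FD). The third function shows what the r29134 workaround relied on: after close() the registration is gone, so EPOLL_CTL_MOD on the replacement FD fails with ENOENT even though the kernel usually hands back the same FD number.

```c
/* Added example, not nsock code: why close() loses an epoll registration
 * and why unregister/reconnect/register is the robust sequence. Linux only. */
#include <errno.h>
#include <stdio.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for an nsock IOD: the tracked descriptor plus, for
 * this test only, the other end of the socketpair used to trigger readiness. */
struct iod {
    int sd;
    int peer;
};

/* Hypothetical helper: open a fresh "connection" as a socketpair. */
static int iod_connect(struct iod *io)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    io->sd = sv[0];
    io->peer = sv[1];
    return 0;
}

static int iod_register(int epfd, struct iod *io)
{
    struct epoll_event ev;
    ev.events = EPOLLIN;
    ev.data.ptr = io;   /* events are keyed on the IOD, not on the fd number */
    return epoll_ctl(epfd, EPOLL_CTL_ADD, io->sd, &ev);
}

static int iod_unregister(int epfd, struct iod *io)
{
    /* Explicit DEL: relying on close() to do it is exactly what went wrong. */
    return epoll_ctl(epfd, EPOLL_CTL_DEL, io->sd, NULL);
}

static void iod_close(struct iod *io)
{
    close(io->sd);
    close(io->peer);
}

/* Pre-r29134 sequence: close() silently drops the fd from the epoll set and
 * the replacement fd from the reconnect is never added. */
static int reconnect_buggy(int epfd, struct iod *io)
{
    (void)epfd;
    iod_close(io);
    return iod_connect(io);
}

/* Sequence of the attached patch: unregister, reconnect, register again. */
static int reconnect_fixed(int epfd, struct iod *io)
{
    if (iod_unregister(epfd, io) < 0)
        return -1;
    iod_close(io);
    if (iod_connect(io) < 0)
        return -1;
    return iod_register(epfd, io);
}

/* Register, reconnect one way or the other, make the new socket readable and
 * report how many events epoll delivers: 1 if still tracked, 0 if lost.
 * Returns -1 on a setup error. */
static int ready_events_after_reconnect(int fixed)
{
    struct iod io;
    struct epoll_event out;
    int epfd, n, rc;

    epfd = epoll_create1(0);
    if (epfd < 0 || iod_connect(&io) < 0 || iod_register(epfd, &io) < 0)
        return -1;
    rc = fixed ? reconnect_fixed(epfd, &io) : reconnect_buggy(epfd, &io);
    if (rc < 0)
        return -1;
    if (write(io.peer, "x", 1) != 1)   /* data on the peer makes io.sd readable */
        return -1;
    n = epoll_wait(epfd, &out, 1, 100);
    iod_close(&io);
    close(epfd);
    return n;
}

/* What r29134 relied on: after close()+reconnect, EPOLL_CTL_MOD on the new fd
 * fails with ENOENT because the registration belonged to the old open file
 * description, which close() tore down. Returns the errno observed (0 if
 * the MOD unexpectedly succeeded). */
static int mod_errno_after_buggy_reconnect(void)
{
    struct iod io;
    struct epoll_event ev;
    int epfd, err = 0;

    epfd = epoll_create1(0);
    if (epfd < 0 || iod_connect(&io) < 0 || iod_register(epfd, &io) < 0)
        return -1;
    if (reconnect_buggy(epfd, &io) < 0)
        return -1;
    ev.events = EPOLLIN | EPOLLOUT;
    ev.data.ptr = &io;
    if (epoll_ctl(epfd, EPOLL_CTL_MOD, io.sd, &ev) < 0)
        err = errno;
    iod_close(&io);
    close(epfd);
    return err;
}

int main(void)
{
    printf("buggy reconnect: %d event(s)\n", ready_events_after_reconnect(0));
    printf("fixed reconnect: %d event(s)\n", ready_events_after_reconnect(1));
    printf("EPOLL_CTL_MOD after buggy reconnect: errno %d (ENOENT is %d)\n",
           mod_errno_after_buggy_reconnect(), ENOENT);
    return 0;
}
```

The same unregister-before-close discipline is what makes the select engine correct too: there the registration lives in the FD_SETs, and if unregistration leaves one of them (the X set in the message above) populated, select() keeps reporting a descriptor number that may by then belong to an unrelated socket.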

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
