Nmap Development mailing list archives
Bug parsing TCP packet
From: Gustavo Moreira <gmoreira () coresecurity com>
Date: Mon, 3 Jun 2013 18:42:48 -0300
Hi guys,

I am working with the nmap IPv6 OS fingerprinting code and I found that when a TCP packet is padded to 32 bytes, there is a bug parsing its TCP options. It's because the libnetutil TCPHeader::getOption function doesn't stop iterating when an "End of Options" option is found, so it reads the last padding zero as one more TCP option. In addition, this causes FPEngine::vectorize to add more values to the "features" array, which then affects the final calculations when liblinear::predict_values is called.

I attached a .pcap so you can reproduce the bug.

Regards,
Gustavo Moreira
Core Security
Attachment: gcm-bad-tcpoptions.pcap
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
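Editor's note, as an added illustration that is not code from the report or from Nmap's libnetutil: the C example below shows the parsing difference the report describes. A small TCP option walker is run over a constructed 32-byte SYN header (not the attached pcap) whose option list ends with EOL followed by one zero padding byte. Stopping at EOL, as RFC 793 requires, yields the four real options; treating EOL as a one-byte option and continuing, which is the behaviour the report attributes to TCPHeader::getOption, yields six, because EOL and the padding zero are both counted. The function names count_tcp_options and nth_tcp_option_kind, the sample bytes and the second malformed sample are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP option kinds used below (RFC 793, RFC 7323, RFC 2018). */
enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MSS = 2, TCPOPT_WSCALE = 3, TCPOPT_SACKOK = 4 };

/* Constructed sample (not taken from the attached pcap): a 32-byte TCP SYN header
   (data offset 8), i.e. 20 fixed bytes followed by 12 option bytes. The option
   list is MSS 1440, NOP, window scale 7, SACK permitted, then EOL and one zero
   byte of padding that brings the header up to the 4-byte boundary. */
static const uint8_t sample_tcp[32] = {
    0xC3, 0x50, 0x00, 0x50,             /* source port 50000, destination port 80 */
    0x00, 0x00, 0x00, 0x01,             /* sequence number */
    0x00, 0x00, 0x00, 0x00,             /* acknowledgement number */
    0x80, 0x02,                         /* data offset 8 (32 bytes), flags = SYN */
    0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, /* window, checksum (left unset), urgent pointer */
    0x02, 0x04, 0x05, 0xA0,             /* MSS = 1440 */
    0x01,                               /* NOP */
    0x03, 0x03, 0x07,                   /* window scale = 7 */
    0x04, 0x02,                         /* SACK permitted */
    0x00,                               /* End of Options List */
    0x00                                /* padding to 32 bytes */
};

/* Constructed malformed sample: 24-byte header (data offset 6) whose first
   option claims length 0, which a parser must reject rather than loop on. */
static const uint8_t sample_tcp_badlen[24] = {
    0xC3, 0x50, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x02, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00                /* MSS with bogus length 0 */
};

/* Walk the option list of a TCP header and return the number of options found,
   storing each option's kind in kinds_out (up to max_kinds entries) when given.
   With stop_at_eol != 0 the walk ends at the first EOL, as RFC 793 requires.
   With stop_at_eol == 0, EOL is treated like a 1-byte option and the walk
   continues, mimicking the behaviour the report describes: every zero padding
   byte after EOL is then counted as a further option.
   Returns -1 if the header is truncated or an option length is malformed. */
int count_tcp_options(const uint8_t *tcp, size_t len, int stop_at_eol,
                      uint8_t *kinds_out, size_t max_kinds) {
    if (len < 20) return -1;
    size_t hlen = (size_t)(tcp[12] >> 4) * 4;   /* data offset, in bytes */
    if (hlen < 20 || hlen > len) return -1;
    size_t off = 20;
    int n = 0;
    while (off < hlen) {
        uint8_t kind = tcp[off];
        if (kind == TCPOPT_EOL && stop_at_eol) break;
        if (kind == TCPOPT_EOL || kind == TCPOPT_NOP) {
            /* single-byte options carry no length field */
            if (kinds_out && (size_t)n < max_kinds) kinds_out[n] = kind;
            n++; off++;
            continue;
        }
        if (off + 1 >= hlen) return -1;                    /* length byte missing */
        uint8_t optlen = tcp[off + 1];
        if (optlen < 2 || off + optlen > hlen) return -1;  /* bogus or overlong length */
        if (kinds_out && (size_t)n < max_kinds) kinds_out[n] = kind;
        n++; off += optlen;
    }
    return n;
}

/* Kind of the idx-th option under the chosen EOL policy, or -1 if there is none. */
int nth_tcp_option_kind(const uint8_t *tcp, size_t len, int stop_at_eol, int idx) {
    uint8_t kinds[16];
    int n = count_tcp_options(tcp, len, stop_at_eol, kinds, sizeof kinds);
    if (n < 0 || idx < 0 || idx >= n || idx >= (int)sizeof kinds) return -1;
    return kinds[idx];
}

int main(void) {
    printf("stopping at EOL: %d options\n",
           count_tcp_options(sample_tcp, sizeof sample_tcp, 1, NULL, 0));
    printf("ignoring EOL:    %d options\n",
           count_tcp_options(sample_tcp, sizeof sample_tcp, 0, NULL, 0));
    return 0;
}
```

Build with a plain `cc` invocation and run it; the two counts differ by exactly the number of bytes from EOL to the end of the header, which is the extra material a feature vector built on top of such a walk would pick up. The bogus-length check matters for the same reason: without it a length byte of 0 never advances the offset.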
Current thread:
- Bug parsing TCP packet Gustavo Moreira (Jun 03)
- Re: Bug parsing TCP packet Henri Doreau (Jun 16)
- Re: Bug parsing TCP packet David Fifield (Jun 17)
- Re: Bug parsing TCP packet Henri Doreau (Jun 17)
- Re: Bug parsing TCP packet Gustavo Moreira (Jun 20)
- Re: Bug parsing TCP packet David Fifield (Jun 17)
- Re: Bug parsing TCP packet Henri Doreau (Jun 16)