Nmap Development mailing list archives
Re: Nmap crashing
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 4 Jan 2016 10:55:52 -0600
Gisle,

Thanks for the analysis. I applied a change in r35551 that uses a different OpenSSL error reporting function that does not return NULL (ERR_error_string). This has the added benefit of producing a more verbose error string in this very unusual case.

You say that "a proper implementation" should handle a NULL pointer, but as far as I can tell, POSIX just refers back to the ISO C standard, which does not define a behavior in this case. I know that glibc prints "(null)" in that case, and that we've had to work around this in other places because e.g. libc on Solaris segfaults in this case. I would welcome an implementation change to append_string that handles the NULL pointer by either producing a 0-length string or the "(null)" string instead.

My last remaining question is: how is this being triggered in the script pre-scanning phase? I would like to know what script is making an SSL connection and then producing some obscure error when trying to do SSL_read.

Dan

On Mon, Jan 4, 2016 at 10:11 AM, Gisle Vanem <gvanem () yahoo no> wrote:
> Daniel Miller wrote:
>> If you can provide the full output of the following command up until it
>> crashes, that would be ideal:
>>
>>   nmap -Pn -d2 --script-trace --script "discovery and safe" -sn
>>
>> If this does not actually crash for you, change the script invocation to
>> "safe" or replace -sn with scanme.nmap.org as necessary, but I think this
>> will be sufficient to reproduce.
>
> I can confirm the following crashes (on Win-10):
>
>   nmap -Pn -d2 --script-trace --script "safe" scanme.nmap.org
>
> This seems to be due to OpenSSL's ERR_reason_error_string() (in
> __nsock_log_internal()) returning a NULL which Nmap's append_string()
> doesn't handle. The call-stack:
>
>   nmap!append_string+0x20
>   nmap!xyzprintf+0x223
>   nmap!vasnprintf+0x4f
>   nmap!vasprintf+0x13
>   nmap!__nsock_log_internal+0x47
>   nmap!do_actual_read+0x309
>
> It's an easy fix to make append_string() handle a NULL 'arg', which a
> proper implementation of vasnprintf() on Posix should handle. But since
> both me and the OP are on Windows, it crashes.
>
> --gv
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
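The thread's point is that a `%s` conversion fed a NULL pointer is undefined behavior in ISO C: glibc happens to print "(null)", while the Windows and Solaris C runtimes dereference the pointer and crash. The following is an added example (not Nmap's or nsock's code) of the append_string change Dan says he would welcome: a minimal growable string buffer whose `append_string()` substitutes "(null)" for a NULL argument, and a `format_read_error()` that builds a log line even when the OpenSSL reason string is missing. The `strbuf`, `strbuf_reserve`, `append_string` and `format_read_error` names are this example's own, chosen to mirror the call stack above, not the real nsock internals.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable byte buffer (this example's own, not nsock's). */
struct strbuf {
    char *data;   /* NUL-terminated contents, or NULL before first append */
    size_t len;   /* bytes in use, excluding the terminating NUL */
    size_t cap;   /* bytes allocated */
};

/* Ensure room for `extra` more bytes plus a terminating NUL. */
static int strbuf_reserve(struct strbuf *sb, size_t extra) {
    size_t need = sb->len + extra + 1;
    if (need <= sb->cap)
        return 0;
    size_t ncap = sb->cap ? sb->cap : 64;
    while (ncap < need)
        ncap *= 2;
    char *p = realloc(sb->data, ncap);
    if (p == NULL)
        return -1;
    sb->data = p;
    sb->cap = ncap;
    return 0;
}

/* The %s handler. A NULL argument is rendered as "(null)", matching what
 * glibc prints, instead of being passed to strlen()/memcpy(), which is the
 * dereference that produced the crash discussed in the thread.
 * Returns the number of bytes appended (0 on allocation failure). */
size_t append_string(struct strbuf *sb, const char *arg) {
    if (arg == NULL)
        arg = "(null)";
    size_t n = strlen(arg);
    if (strbuf_reserve(sb, n) != 0)
        return 0;
    memcpy(sb->data + sb->len, arg, n + 1);   /* copies the NUL too */
    sb->len += n;
    return n;
}

/* Build a log line for a failed SSL_read. `reason` may legitimately be
 * NULL, which is what ERR_reason_error_string() returns for a reason code
 * it has no string for. The caller frees the returned buffer. */
char *format_read_error(const char *reason) {
    struct strbuf sb = {0};
    append_string(&sb, "SSL_read error: ");
    append_string(&sb, reason);
    return sb.data;
}

int main(void) {
    /* Constructed inputs: a known reason string and the NULL case. */
    char *ok = format_read_error("unexpected message");
    char *missing = format_read_error(NULL);
    puts(ok);
    puts(missing);
    free(ok);
    free(missing);
    return 0;
}
```

Dan's actual fix in r35551 sidesteps the problem from the other direction: OpenSSL's `ERR_error_string(unsigned long e, char *buf)` always writes a human-readable line (including "reason(N)" for unknown codes) into the caller's buffer and returns a non-NULL pointer, so the formatter never sees NULL. Hardening the formatter as above is still worthwhile, because any other `%s` argument that can be NULL on an error path is the same latent crash.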
Current thread:
- Nmap crashing Dan Baxter (Jan 04)
- Re: Nmap crashing Daniel Miller (Jan 04)
- Message not available
- Re: Nmap crashing Daniel Miller (Jan 04)
- Re: Nmap crashing Daniel Miller (Jan 04)
- Re: Nmap crashing Dan Baxter (Jan 05)
- Re: Nmap crashing Dan Baxter (Jan 11)
- Re: Nmap crashing Daniel Miller (Jan 12)
- Message not available
- Re: Nmap crashing Daniel Miller (Jan 04)
- Re: Nmap crashing Gisle Vanem (Jan 04)
- Re: Nmap crashing Daniel Miller (Jan 04)