Nmap Development mailing list archives

Re: Nmap crashing


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 4 Jan 2016 10:55:52 -0600

Gisle,

Thanks for the analysis. I applied a change in r35551 that uses a different
OpenSSL error reporting function that does not return NULL
(ERR_error_string). This has the added benefit of producing a more verbose
error string in this very unusual case.

You say that "a proper implementation" should handle a NULL pointer, but as
far as I can tell, POSIX just refers back to the ISO C standard, which does
not define a behavior in this case. I know that glibc prints "(null)" in
that case, and that we've had to work around this in other places because
e.g. libc on Solaris segfaults in this case. I would welcome an
implementation change to append_string that handles the NULL pointer by
either producing a 0-length string or the "(null)" string instead.

My last remaining question is: how is this being triggered in the script
pre-scanning phase? I would like to know what script is making an SSL
connection and then producing some obscure error when trying to do SSL_read.

Dan

On Mon, Jan 4, 2016 at 10:11 AM, Gisle Vanem <gvanem () yahoo no> wrote:

Daniel Miller wrote:

If you can provide the full output of the following command up until it
crashes, that would be ideal:
nmap -Pn -d2 --script-trace --script "discovery and safe" -sn

If this does not actually crash for you, change the script invocation to
"safe" or replace -sn with scanme.nmap.org as necessary, but I think this
will be sufficient to reproduce.

I can confirm the following crashes (on Win-10):
  nmap -Pn -d2 --script-trace --script "safe" scanme.nmap.org

This seems to be due to OpenSSL's ERR_reason_error_string()
(in __nsock_log_internal()) returning a NULL which Nmap's append_string()
doesn't handle. The call-stack:
  nmap!append_string+0x20
  nmap!xyzprintf+0x223
  nmap!vasnprintf+0x4f
  nmap!vasprintf+0x13
  nmap!__nsock_log_internal+0x47
  nmap!do_actual_read+0x309

It's an easy fix to make append_string() handle a
NULL 'arg', which a proper implementation of vasnprintf()
on POSIX should handle. But since both me and the OP are on
Windows, it crashes.

--gv
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

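The failure mode discussed in both messages, a NULL pointer reaching a
custom %s handler that glibc would print as "(null)" but that crashes on
Windows and Solaris libc, as an added example that is not Nmap's or
nsock's code. The strbuf type, the function names (kept deliberately
close to the call-stack above: append_string, xyzprintf, safe_vasprintf),
the supported conversions and the sample error text are all assumptions
made for this illustration; the real Nmap formatter supports far more.

```c
/* Added example, not Nmap's code: a NULL-safe append_string() under a
 * minimal vasprintf-style formatter. All names and the strbuf type are
 * assumptions made for this illustration. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct strbuf { char *data; size_t len; size_t cap; };

/* Ensure room for 'extra' more bytes plus the terminating NUL. */
static int strbuf_reserve(struct strbuf *b, size_t extra)
{
    size_t need = b->len + extra + 1, ncap = b->cap ? b->cap : 64;
    if (need <= b->cap)
        return 0;
    while (ncap < need)
        ncap *= 2;
    char *nd = realloc(b->data, ncap);
    if (nd == NULL)
        return -1;
    b->data = nd;
    b->cap = ncap;
    return 0;
}

static int append_bytes(struct strbuf *b, const char *p, size_t n)
{
    if (strbuf_reserve(b, n))
        return -1;
    memcpy(b->data + b->len, p, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

/* The fix the thread asks for: a NULL %s argument is rendered as "(null)"
 * (glibc's behaviour) instead of being handed to strlen(). Define NULL_STR
 * as "" to get the 0-length alternative instead. */
#define NULL_STR "(null)"

static int append_string(struct strbuf *b, const char *arg)
{
    if (arg == NULL)
        arg = NULL_STR;
    return append_bytes(b, arg, strlen(arg));
}

/* Minimal formatter: %s, %d and %% only; anything else is an error. */
static int xyzprintf(struct strbuf *b, const char *fmt, va_list ap)
{
    const char *p = fmt;
    while (*p) {
        const char *pct = strchr(p, '%');
        if (pct == NULL)
            return append_bytes(b, p, strlen(p));      /* literal tail */
        if (pct > p && append_bytes(b, p, (size_t)(pct - p)))
            return -1;
        p = pct + 1;
        if (*p == 's') {
            if (append_string(b, va_arg(ap, const char *)))
                return -1;
        } else if (*p == 'd') {
            char tmp[32];
            int n = snprintf(tmp, sizeof tmp, "%d", va_arg(ap, int));
            if (n < 0 || append_bytes(b, tmp, (size_t)n))
                return -1;
        } else if (*p == '%') {
            if (append_bytes(b, "%", 1))
                return -1;
        } else {
            return -1;   /* unsupported conversion or dangling '%' */
        }
        p++;
    }
    return 0;
}

/* vasprintf/asprintf-style wrappers: allocate the result and return its
 * length, or -1 on error with *out set to NULL. */
int safe_vasprintf(char **out, const char *fmt, va_list ap)
{
    struct strbuf b = { NULL, 0, 0 };
    if (xyzprintf(&b, fmt, ap) || strbuf_reserve(&b, 0)) {
        free(b.data);
        *out = NULL;
        return -1;
    }
    b.data[b.len] = '\0';   /* covers the empty-format case */
    *out = b.data;
    return (int)b.len;
}

int safe_asprintf(char **out, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = safe_vasprintf(out, fmt, ap);
    va_end(ap);
    return n;
}

/* Same shape as the crashing log call: 'reason' stands in for an
 * ERR_reason_error_string() result that may be NULL. */
int format_ssl_error(char **out, const char *reason, int sslerr)
{
    return safe_asprintf(out, "SSL_read error %d: %s", sslerr, reason);
}

int main(void)
{
    char *msg = NULL;
    if (format_ssl_error(&msg, NULL, 5) < 0)
        return 1;
    puts(msg);   /* SSL_read error 5: (null) */
    free(msg);
    return 0;
}
```

The point of routing every %s through one append_string() is that the
NULL check lives in exactly one place, so the behaviour no longer depends
on which libc vsnprintf() happens to be linked in; the error string from
ERR_error_string() that r35551 switched to is still the better message,
but a NULL from any other source would no longer take the process down.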