Nmap Development mailing list archives

OS fingerprinting bug


From: William Robertson <wkr () cs ucsb edu>
Date: Thu, 25 Apr 2002 18:53:51 -0700

Apologies if this is a repeat, but I don't think my previous mail made it
to the list.

Anyway, I believe I've found a bug in the OS fingerprinting routine in
nmap.  Specifically, if you're scanning a machine which responds to all of
the tests (T1-T7 and PU), nmap will drop a response (usually the ICMP port
unreachable datagram). This happens because testsleft is set to 7 if an
open port was found, and the routine breaks out of the receive loop when
testsleft == 0.  However, since there are 8 tests, if a machine responds to
all of them, the last response received is picked up in the TCP sequencing
receive loop instead.

The attached patch is against nmap 2.54BETA32.

-- 
| William Robertson | "10000101110110111000010110000110" -- /dev/random |
|   wkr () cs ucsb edu | 2F56 8B0E E97E 3136 C4B6 6B89 4088 75B8 90A3 BED4 |

Attachment: nmap-2.54BETA32-testsleft.diff
Description:
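To make the off-by-one concrete, here is a small added model of the bookkeeping the post describes; it is example code written for this page, not nmap's own receive loop. The names (NUM_TESTS, testsleft, drain_responses, leftover_after) and the queue of eight responses are assumptions constructed for the illustration; the actual nmap source should be consulted for the real loop.

```c
/* Added example, not nmap's own code: models the receive-loop
 * bookkeeping described in the post. Names (NUM_TESTS, testsleft,
 * drain_responses, leftover_after) are hypothetical and the list of
 * responses is constructed inline. */
#include <stdio.h>
#include <string.h>

#define NUM_TESTS 8            /* T1..T7 plus PU */

/* One fake response per fingerprinting test, in arrival order.
 * Constructed data: the ICMP port unreachable (PU) arrives last. */
static const char *const responses[NUM_TESTS] = {
    "T1", "T2", "T3", "T4", "T5", "T6", "T7", "PU"
};

/* Simulates the OS-fingerprinting receive loop: consume responses
 * until testsleft reaches 0 or no more responses are available.
 * Returns the number consumed, so the caller can see how many are
 * left unread for whatever receive loop runs next. */
static int drain_responses(int testsleft, int available)
{
    int consumed = 0;
    while (consumed < available) {
        consumed++;
        testsleft--;
        if (testsleft == 0)
            break;             /* the early exit the post describes */
    }
    return consumed;
}

/* Name of the response a later loop (e.g. TCP sequencing) would pick
 * up after the fingerprinting loop exits, or NULL if none is left. */
static const char *leftover_after(int testsleft)
{
    int consumed = drain_responses(testsleft, NUM_TESTS);
    return consumed < NUM_TESTS ? responses[consumed] : NULL;
}

int main(void)
{
    const char *buggy = leftover_after(7);   /* testsleft = 7: one short */
    const char *fixed = leftover_after(8);   /* testsleft = 8: all consumed */
    printf("testsleft=7: leftover %s\n", buggy ? buggy : "(none)");
    printf("testsleft=8: leftover %s\n", fixed ? fixed : "(none)");
    return 0;
}
```

With testsleft initialised to 7 the loop breaks after the seventh response and the eighth (PU here) stays queued for the next receive loop; initialising it to 8, the number of tests, drains all of them. A target that answers fewer than eight tests still terminates because the loop also stops when responses run out.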
