Nmap Development mailing list archives

Re: nmap 3.93 dumps core when exclude cidr netmask is less than 32


From: Adam <nmapuser () globalmegahost com>
Date: Tue, 15 Nov 2005 22:12:08 +0000 (GMT)

On Thu, 10 Nov 2005 nmapuser () globalmegahost com wrote:

[snip]
% nmap -n -sL --exclude 10.1.1.3/30 10.1.1.0/29

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-11-10 15:10 MST
Assertion failed: (targets_type == IPV6_ADDRESS), function get_next_host, file TargetGroup.cc, line 429.
Abort (core dumped)
[snip]

I rebuilt nmap with `-g3' so I could use debugging tools like gdb and
valgrind in hopes of finding where I should start in making a patch so
that networks expressed in cidr notation could properly be excluded.  While
I am still operating on the assumption that I may be using nmap's
--exclude incorrectly, I am also open to the possibility that nmap has a
bug and that fixing it may yield the result I desire.  In replaying the
above scenario with gdb I see the following output.

% ./nmap -n -sL --exclude 10.1.1.0/30 10.1.1.10/29

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-11-15 14:47 MST
Assertion failed: (targets_type == IPV6_ADDRESS), function get_next_host, file TargetGroup.cc, line 429.
Abort (core dumped)
% gdb ./nmap ./nmap.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
Core was generated by `nmap'.
Program terminated with signal 6, Aborted.
Reading symbols from /usr/local/lib/libpcre.so.0...done.
Loaded symbols for /usr/local/lib/libpcre.so.0
Reading symbols from /usr/lib/libpcap.so.3...done.
Loaded symbols for /usr/lib/libpcap.so.3
Reading symbols from /usr/lib/libssl.so.3...done.
Loaded symbols for /usr/lib/libssl.so.3
Reading symbols from /lib/libcrypto.so.3...done.
Loaded symbols for /lib/libcrypto.so.3
Reading symbols from /usr/lib/libstdc++.so.4...done.
Loaded symbols for /usr/lib/libstdc++.so.4
Reading symbols from /lib/libm.so.3...done.
Loaded symbols for /lib/libm.so.3
Reading symbols from /lib/libc.so.5...done.
Loaded symbols for /lib/libc.so.5
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x2836837b in kill () from /lib/libc.so.5
(gdb) bt
#0  0x2836837b in kill () from /lib/libc.so.5
#1  0x2835d422 in raise () from /lib/libc.so.5
#2  0x283cfc1b in abort () from /lib/libc.so.5
#3  0x283aa9ff in __assert () from /lib/libc.so.5
#4  0x0807413a in TargetGroup::get_next_host (this=0x80aa878, ss=0xbfbfaea0, sslen=0xbfbfae9c)
    at TargetGroup.cc:429
#5  0x08054ca7 in hostInExclude (checksock=0xbfbfb450, checksocklen=16, exclude_group=0x80aa000)
    at targets.cc:1760
#6  0x080512bb in nexthost (hs=0x80a7800, exclude_group=0x80aa000, ports=0x80a1020, pingtype=0x809fa9c)
    at targets.cc:318
#7  0x0804e656 in nmap_main (argc=6, argv=0xbfbfe8b8) at nmap.cc:1056
#8  0x0804b382 in main (argc=6, argv=0xbfbfe8b8, envp=0xbfbfe8d4) at main.cc:244
(gdb) q

And now for valgrind's point of view.

% valgrind  ./nmap -n -sL --exclude 10.1.1.0/30 10.1.1.0/29
==57311== Memcheck, a memory error detector for x86-linux.
==57311== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward.
==57311== Using valgrind-2.1.0, a program supervision framework for x86-linux.
==57311== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward.
==57311== Estimated CPU clock rate is 1511 MHz
==57311== For more details, rerun with: -v
==57311==

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-11-15 14:51 MST
==57311== Invalid read of size 1
==57311==    at 0x8054CDC: hostInExclude(sockaddr*, unsigned, TargetGroup*) (TargetGroup.h:134)
==57311==    by 0x80512BA: nexthost(HostGroupState*, TargetGroup*, scan_lists*, int*) (targets.cc:318)
==57311==    by 0x804E655: nmap_main(int, char**) (nmap.cc:1056)
==57311==    by 0x804B381: main (main.cc:244)
==57311==  Address 0x3C3B983C is 0 bytes after a block of size 2168 alloc'd
==57311==    at 0x3C03451B: operator new[](unsigned) (in /usr/local/lib/valgrind/vgpreload_memcheck.so)
==57311==    by 0x805485A: load_exclude(__sFILE*, char*) (targets.cc:1638)
==57311==    by 0x804E4E6: nmap_main(int, char**) (nmap.cc:1029)
==57311==    by 0x804B381: main (main.cc:244)
Host 10.1.1.4 not scanned
Host 10.1.1.5 not scanned
Host 10.1.1.6 not scanned
Host 10.1.1.7 not scanned
Nmap finished: 4 IP addresses (0 hosts up) scanned in 0.622 seconds
==57311==
==57311== ERROR SUMMARY: 4 errors from 1 contexts (suppressed: 0 from 0)
==57311== malloc/free: in use at exit: 122148 bytes in 17 blocks.
==57311== malloc/free: 162 allocs, 145 frees, 291098 bytes allocated.
==57311== For a detailed leak analysis,  rerun with: --leak-check=yes
==57311== For counts of detected errors, rerun with: -v

This is my first time using valgrind, but valgrind is able to get nmap to
produce the data I was expecting, based on the arguments I provided to
nmap.  So maybe nmap can handle cidr notation in the exclude option(s).
I wanted to add to the thread to let others know that I am looking into
what I perceive as a bug in nmap.  I will try to make a patch but I am not
familiar with the nmap code and I have never made a patch before.  I hope
`diff -u' format is ok.  If anyone reading this sees an obvious fix,
please feel free to help me out.

Thank you,

Adam


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
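For readers following the thread, the behaviour Adam expects from `--exclude 10.1.1.0/30 10.1.1.0/29` (enumerate the /29, drop every address that falls inside the /30) can be written down in a few lines of C. The block below is an added reference example, not nmap's own code and not a patch for it: the `cidr4_*` names and the `expand_excluding` helper are invented here. It parses the CIDR strings with `inet_pton`, tests membership with a prefix mask, and keeps every loop explicitly bounded by the number of exclusion entries, which is exactly the invariant valgrind reports nmap breaking ("0 bytes after a block" allocated in `load_exclude`).

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* A parsed IPv4 CIDR block: network address (host byte order, host bits
 * cleared) and prefix length 0..32. Names are this example's own. */
struct cidr4 {
    uint32_t net;
    int prefix;
};

/* Mask with the top `prefix` bits set; prefix 0 is special-cased so we
 * never shift a 32-bit value by 32 (undefined behaviour in C). */
static uint32_t prefix_mask(int prefix) {
    return prefix == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - prefix));
}

/* Parse "a.b.c.d" or "a.b.c.d/n". Returns 0 on success, -1 on malformed
 * input (bad dotted quad, missing or out-of-range prefix, oversized string). */
int cidr4_parse(const char *spec, struct cidr4 *out) {
    char buf[32];
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    int prefix = 32;                      /* bare address means a single host */
    char *slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        char *end;
        long p = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || p < 0 || p > 32) return -1;
        prefix = (int)p;
    }
    struct in_addr a;
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    out->prefix = prefix;
    out->net = ntohl(a.s_addr) & prefix_mask(prefix);   /* 10.1.1.3/30 -> 10.1.1.0 */
    return 0;
}

/* 1 if `host` (host byte order) lies inside `block`, else 0. */
int cidr4_contains(const struct cidr4 *block, uint32_t host) {
    return (host & prefix_mask(block->prefix)) == block->net;
}

/* Number of addresses in a block; a /0 holds 2^32, hence 64-bit. */
uint64_t cidr4_size(const struct cidr4 *block) {
    return (uint64_t)1 << (32 - block->prefix);
}

/* Enumerate `targets`, skip any address inside one of excludes[0..n_excl-1],
 * and store survivors in `out` (at most `cap` of them). Returns the number of
 * surviving addresses even when it exceeds `cap`, so a caller can size the
 * buffer; the exclude table is only ever indexed below n_excl. */
size_t expand_excluding(const struct cidr4 *targets,
                        const struct cidr4 *excludes, size_t n_excl,
                        uint32_t *out, size_t cap) {
    size_t kept = 0;
    uint64_t size = cidr4_size(targets);
    for (uint64_t i = 0; i < size; i++) {
        uint32_t host = targets->net + (uint32_t)i;
        int excluded = 0;
        for (size_t e = 0; e < n_excl && !excluded; e++)
            excluded = cidr4_contains(&excludes[e], host);
        if (excluded) continue;
        if (kept < cap) out[kept] = host;
        kept++;
    }
    return kept;
}

/* Reproduces the list from the post: target 10.1.1.0/29 with 10.1.1.0/30
 * excluded should leave 10.1.1.4 through 10.1.1.7. */
int main(void) {
    struct cidr4 target, excl;
    if (cidr4_parse("10.1.1.0/29", &target) || cidr4_parse("10.1.1.0/30", &excl)) {
        fprintf(stderr, "bad CIDR\n");
        return 1;
    }
    uint32_t hosts[8];
    size_t n = expand_excluding(&target, &excl, 1, hosts, 8);
    for (size_t i = 0; i < n; i++) {
        struct in_addr a = { .s_addr = htonl(hosts[i]) };
        printf("%s\n", inet_ntoa(a));
    }
    return 0;
}
```

Compile with `cc -Wall -o cidr_excl cidr_excl.c` and run without arguments; the four surviving addresses match the hosts valgrind's run printed. The two design points worth carrying into any real fix are the explicit `n_excl` bound on the exclude table and the prefix-0 guard in `prefix_mask`: both are exactly the kind of edge an "Invalid read of size 1 ... 0 bytes after a block" report is pointing at.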

