Nmap Development mailing list archives
Assertion failure in traceroute output
From: David Fifield <david () bamsoftware com>
Date: Wed, 9 May 2007 00:59:19 -0600
Hi all, I'm David Fifield, one of the Summer of Code participants. I've been exploring Nmap for past few weeks, and I've found a way to make an assertion fail in Traceroute::outputTarget. To put it briefly, when I try to trace the route to my Internet gateway (one hop away) using its Internet-facing IP address, I get this output: # nmap -v -sP --traceroute 64.81.99.73 Starting Nmap 4.21ALPHA5 ( http://insecure.org ) at 2007-05-08 11:26 MDT Initiating Parallel DNS resolution of 1 host. at 11:26 Completed Parallel DNS resolution of 1 host. at 11:26, 0.00s elapsed Initiating Traceroute at 11:26 64.81.99.73: guessing hop distance at 49 Completed Traceroute at 11:26, 0.01s elapsed Host goomba.bamsoftware.com (64.81.99.73) appears to be up. nmap: NmapOutputTable.cc:172: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*, int): Assertion `cell->str == __null' failed. Aborted The assertion fails even with other scan types, such as -sS, and when run in debugging mode. I have also been able to reproduce this on other hosts across the Internet, for example speakeasy.net, though most hosts I've tried work fine. I'm running the trace from a 192.168.0.0/24 address. If I run the trace against the gateway's LAN address 192.168.0.1, I get no traceroute output because traceroute skips directly connected hosts. The assertion is in NmapOutputTable::addItem, at line 172 in NmapOutputTable.cc. It checks to make sure a cell is empty before adding an item into it. I found that what was already there was the RTT to the gateway (a string like "0.06") and what was being added to the same cell was the string "... 50". I think the key is that the hop distance is guessed to be 49. Ordinarily I would expect this to send 49 probes (TTLs 49 to 1), but the traceroute sends one probe with a TTL of 255 at the beginning, making the total 50. I've attached a file with --packet-trace output. At line 730 of traceroute.cc, there is a check of the number of probes sent against MAX_TTL, which is 50. When the number of probes reaches 50, the state G_TTL is set on the TraceGroup. Later, at line 1049, outputTarget checks for the state G_TTL, and if it is set, it puts the string "... 50" in the RTT column of the output table, which is meant to indicate that all probes up to a TTL of 50 have timed out. When it does this, it tries to add the string into a cell that already has an RTT in it, which causes the assertion to fail. I don't understand the traceroute code well enough yet to recommend a fix. I know that changing if (tg->TraceProbes.size () >= MAX_TTL) tg->setState (G_TTL); to if (tg->TraceProbes.size () > MAX_TTL) tg->setState (G_TTL); in traceroute.cc makes the problem go away. But it seems that rather than testing the number of probes sent, the G_TTL state should be set only when a probe with a TTL of MAX_TTL is not replied to. David Fifield
Attachment:
traceroute-packet-trace.txt
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Assertion failure in traceroute output David Fifield (May 08)
- Re: Assertion failure in traceroute output Eddie Bell (May 09)