Nmap Development mailing list archives
Re: Assertion failure in traceroute output
From: "Eddie Bell" <ejlbell () gmail com>
Date: Wed, 9 May 2007 17:38:05 +0100
Hi david. Great bug report, very detailed. I think the problem is that there are really two G_TTL states. The first when we get excessive timeouts and ...50 is printed. The second where we have traced 50 hops successfully and are just giving up because it could be an IDS messing with nmap. One state should be set in the retransmission function that judges if packets have completely timed-out and the second should be set in the probe sending function. I have started a patch and should get it posted in a day or so thanks - eddie On 09/05/07, David Fifield <david () bamsoftware com> wrote:
Hi all,
I'm David Fifield, one of the Summer of Code participants. I've been
exploring Nmap for past few weeks, and I've found a way to make an
assertion fail in Traceroute::outputTarget.
To put it briefly, when I try to trace the route to my Internet gateway
(one hop away) using its Internet-facing IP address, I get this output:
# nmap -v -sP --traceroute 64.81.99.73
Starting Nmap 4.21ALPHA5 ( http://insecure.org ) at 2007-05-08 11:26 MDT
Initiating Parallel DNS resolution of 1 host. at 11:26
Completed Parallel DNS resolution of 1 host. at 11:26, 0.00s elapsed
Initiating Traceroute at 11:26
64.81.99.73: guessing hop distance at 49
Completed Traceroute at 11:26, 0.01s elapsed
Host goomba.bamsoftware.com (64.81.99.73) appears to be up.
nmap: NmapOutputTable.cc:172: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*,
int): Assertion `cell->str == __null' failed.
Aborted
The assertion fails even with other scan types, such as -sS, and when
run in debugging mode. I have also been able to reproduce this on other
hosts across the Internet, for example speakeasy.net, though most hosts
I've tried work fine. I'm running the trace from a 192.168.0.0/24
address. If I run the trace against the gateway's LAN address
192.168.0.1, I get no traceroute output because traceroute skips
directly connected hosts.
The assertion is in NmapOutputTable::addItem, at line 172 in
NmapOutputTable.cc. It checks to make sure a cell is empty before adding
an item into it. I found that what was already there was the RTT to the
gateway (a string like "0.06") and what was being added to the same cell
was the string "... 50".
I think the key is that the hop distance is guessed to be 49. Ordinarily
I would expect this to send 49 probes (TTLs 49 to 1), but the traceroute
sends one probe with a TTL of 255 at the beginning, making the total 50.
I've attached a file with --packet-trace output.
At line 730 of traceroute.cc, there is a check of the number of probes
sent against MAX_TTL, which is 50. When the number of probes reaches 50,
the state G_TTL is set on the TraceGroup. Later, at line 1049,
outputTarget checks for the state G_TTL, and if it is set, it puts the
string "... 50" in the RTT column of the output table, which is meant to
indicate that all probes up to a TTL of 50 have timed out. When it does
this, it tries to add the string into a cell that already has an RTT in
it, which causes the assertion to fail.
I don't understand the traceroute code well enough yet to recommend a
fix. I know that changing
if (tg->TraceProbes.size () >= MAX_TTL)
tg->setState (G_TTL);
to
if (tg->TraceProbes.size () > MAX_TTL)
tg->setState (G_TTL);
in traceroute.cc makes the problem go away. But it seems that rather
than testing the number of probes sent, the G_TTL state should be set
only when a probe with a TTL of MAX_TTL is not replied to.
David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Assertion failure in traceroute output David Fifield (May 08)
- Re: Assertion failure in traceroute output Eddie Bell (May 09)