Nmap Development mailing list archives

Segfault in nping


From: Jack Grahl <mnvl16 () yahoo co uk>
Date: Sat, 8 Aug 2009 20:17:31 +0000 (GMT)


[Luis - it was really good to chat to you last night in the restaurant :)]

jack@lucy:~/c/nping$ sudo ./nping -c 30 192.168.1.254

Starting Nping V. 0.1BETA1 ( http://nmap.org/nping ) at 2009-08-08 14:11 BST
SENT (0.0130s) ICMP 192.168.1.67 > 192.168.1.254 Echo request (type=8/code=0) ttl=64 id=23783 iplen=28 
RCVD (0.0160s) ICMP 192.168.1.254 > 192.168.1.67 Echo reply (type=0/code=0) ttl=64 id=1685 iplen=28 
SENT (1.0160s) ICMP 192.168.1.67 > 192.168.1.254 Echo request (type=8/code=0) ttl=64 id=28854 iplen=28 
RCVD (1.0170s) ICMP 192.168.1.254 > 192.168.1.67 Echo reply (type=0/code=0) ttl=64 id=1686 iplen=28 
SENT (2.0160s) ICMP 192.168.1.67 > 192.168.1.254 Echo request (type=8/code=0) ttl=64 id=53473 iplen=28 
RCVD (2.0170s) ICMP 192.168.1.254 > 192.168.1.67 Echo reply (type=0/code=0) ttl=64 id=1687 iplen=28 
SENT (3.0160s) ICMP 192.168.1.67 > 192.168.1.254 Echo request (type=8/code=0) ttl=64 id=17904 iplen=28 
RCVD (3.0170s) ICMP 192.168.1.254 > 192.168.1.67 Echo reply (type=0/code=0) ttl=64 id=1688 iplen=28 
SENT (4.0160s) ICMP 192.168.1.67 > 192.168.1.254 Echo request (type=8/code=0) ttl=64 id=63106 iplen=28 
RCVD (4.0170s) ICMP 192.168.1.254 > 192.168.1.67 Echo reply (type=0/code=0) ttl=64 id=1689 iplen=28 
SENT (5.0160s) ICMP 192.168.1.67 > 192.168.1.254 Echo request (type=8/code=0) ttl=64 id=31983 iplen=28 
RCVD (5.0170s) ICMP 192.168.1.254 > 192.168.1.67 Echo reply (type=0/code=0) ttl=64 id=1690 iplen=28 
LEN 20 VER 4
RCVD (5.1260s) ICMP 194.81.1.28 > 192.168.1.67 Host 195.195.161.54 unreachable (type=3/code=1) ttl=247 id=22481 iplen=88 
Segmentation fault

When lucy receives an unrelated ICMP unreachable message from a different host to the one she is scanning, there is a segfault.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1212668224 (LWP 5735)]
0x080a3253 in NpingTarget::setProbeRecvICMP (this=0x0, id=0, seq=0) at NpingTarget.cc:1162
1162    int i= this->current_stat-1;
(gdb) bt
#0  0x080a3253 in NpingTarget::setProbeRecvICMP (this=0x0, id=0, seq=0) at NpingTarget.cc:1162
#1  0x08077517 in nping_event_handler (nsp=0x817e0a0, nse=0x817c120, mydata=0x0) at nping.cc:1622
#2  0x080af503 in msevent_dispatch_and_delete (nsp=0x817e0a0, nse=0x817c120, notify=1) at nsock_event.c:297
#3  0x080ad598 in nsock_loop (nsp=0x817e0a0, msec_timeout=-1) at nsock_core.c:945
#4  0x0807f69e in normalProbeMode () at nping.cc:522
#5  0x0807fc0c in main (argc=2, argv=0xbfd0a2a4) at nping.cc:218

This is because nping_event_handler can't find the source of the ICMP unreachable in the list of targets. I think the patch below is all that's needed:

--- nping.cc~   2009-08-08 13:21:10.000000000 +0100
+++ nping.cc    2009-08-08 14:03:33.000000000 +0100
@@ -1619,6 +1619,7 @@
                         trg->setProbeRecvTCP(*prt, 0);
                 }
             }else if (o.getMode()==ICMP){
+             if(trg != NULL)
                 trg->setProbeRecvICMP(0, 0);
             }
        break;
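Review bot: the NULL check covers only the ICMP branch, yet `trg` is also dereferenced two lines above in the TCP branch (`trg->setProbeRecvTCP(*prt, 0);`) with no guard visible in the hunk, so an unmatched reply in TCP mode would crash the same way unless that path already checks; consider moving the check to the point where `trg` is looked up so every mode benefits. The unmatched packet is then silently discarded; since an ICMP unreachable from a third host (a router here, with the probed address quoted inside the message) is exactly the kind of reply a user wants to see, log its source and type/code before dropping it. Minor style point: the added `if(trg != NULL)` guards a single statement without braces while the surrounding code uses braced blocks; wrapping it keeps the style consistent and avoids a dangling-statement slip on a later edit.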


Yours, Jack Grahl
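The crash above is a NULL dereference on a failed target lookup. As an added example (not from Jack's post and not the nping source), here is a small C handler that correlates ICMP messages the way a prober needs to: echo replies by sender, unreachables by the destination quoted in the embedded original IP header, and an unmatched result is logged and dropped rather than dereferenced. The struct, function names and packet bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for nping's target list: one entry per probed host. */
struct target { uint32_t addr; int icmp_rcvd; };

static uint32_t be32(const uint8_t *b) {
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | b[3];
}

/* Look up a target by IPv4 address (host byte order); NULL when unknown. */
struct target *find_target(struct target *t, size_t n, uint32_t addr) {
    for (size_t i = 0; i < n; i++)
        if (t[i].addr == addr) return &t[i];
    return NULL;
}

/* Attribute one received ICMP message (header plus payload, len bytes) to a
 * target. src is the outer IP source in host byte order. Returns 1 if credited
 * to a target, 0 if dropped as unrelated, -1 if malformed. Echo replies (type 0)
 * come from the target itself; unreachable (3) and time exceeded (11) are sent
 * by whatever router noticed, so the probed host is the destination of the
 * original IP header quoted at offset 8, not the sender of the ICMP message. */
int handle_icmp(uint32_t src, const uint8_t *icmp, size_t len,
                struct target *t, size_t n) {
    if (len < 8) return -1;
    uint8_t type = icmp[0];
    uint32_t key;
    if (type == 0) {
        key = src;
    } else if (type == 3 || type == 11) {
        const uint8_t *inner = icmp + 8;
        if (len < 28 || (inner[0] >> 4) != 4 || (inner[0] & 0x0f) < 5) return -1;
        key = be32(inner + 16);        /* original destination address */
    } else {
        return 0;                      /* not a message this prober correlates */
    }
    struct target *trg = find_target(t, n, key);
    if (trg == NULL) {                 /* the case that crashed nping: log, no deref */
        fprintf(stderr, "dropping ICMP type %u from %u.%u.%u.%u: no matching target\n",
                (unsigned)type, (unsigned)(src >> 24), (unsigned)(src >> 16) & 255,
                (unsigned)(src >> 8) & 255, (unsigned)src & 255);
        return 0;
    }
    trg->icmp_rcvd++;
    return 1;
}
```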

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org