Fw: Segfault in nping

[Jack Grahl <mnvl16 () yahoo co uk>]

I just thought about it and I guess this doesn't totally solve the
problem because if you received a "host unreachable" or a
"fragmentation needed" ICMP error from a different host to the
destination, you still need to gather stats on that.

I checked and this crash happens with the unpatched code even when the ICMP error is for the nping probe, but from a 
different host than the target.

Jack

----- Forwarded Message ----
> From: Jack Grahl <mnvl16 () yahoo co uk>
> To: nmap-dev () insecure org
> Sent: Saturday, 8 August, 2009 14:21:38
> Subject: Segfault in nping
>
> [Luis - it was really good to chat to you last night in the restaurant :)]
> jack@lucy:~/c/nping$ sudo ./nping -c 30 192.168.1.254
>
> Starting Nping V. 0.1BETA1 ( http://nmap.org/nping ) at 2009-08-08 14:11 BST
> SENT (0.0130s) ICMP 192.168.1.67 > 192.168.1.254 Echo request (type=8/code=0) 
> ttl=64 id=23783 iplen=28 
> RCVD (0.0160s) ICMP 192.168.1.254 > 192.168.1.67 Echo reply (type=0/code=0) 
> ttl=64 id=1685 iplen=28 
> SENT (1.0160s) ICMP 192.168.1.67 > 192.168.1.254 Echo request (type=8/code=0) 
> ttl=64 id=28854 iplen=28 
> RCVD (1.0170s) ICMP 192.168.1.254 > 192.168.1.67 Echo reply (type=0/code=0) 
> ttl=64 id=1686 iplen=28 
> SENT (2.0160s) ICMP 192.168.1.67 > 192.168.1.254 Echo request (type=8/code=0) 
> ttl=64 id=53473 iplen=28 
> RCVD (2.0170s) ICMP 192.168.1.254 > 192.168.1.67 Echo reply (type=0/code=0) 
> ttl=64 id=1687 iplen=28 
> SENT (3.0160s) ICMP 192.168.1.67 > 192.168.1.254 Echo request (type=8/code=0) 
> ttl=64 id=17904 iplen=28 
> RCVD (3.0170s) ICMP 192.168.1.254 > 192.168.1.67 Echo reply (type=0/code=0) 
> ttl=64 id=1688 iplen=28 
> SENT (4.0160s) ICMP 192.168.1.67 > 192.168.1.254 Echo request (type=8/code=0) 
> ttl=64 id=63106 iplen=28 
> RCVD (4.0170s) ICMP 192.168.1.254 > 192.168.1.67 Echo reply (type=0/code=0) 
> ttl=64 id=1689 iplen=28 
> SENT (5.0160s) ICMP 192.168.1.67 > 192.168.1.254 Echo request (type=8/code=0) 
> ttl=64 id=31983 iplen=28 
> RCVD (5.0170s) ICMP 192.168.1.254 > 192.168.1.67 Echo reply (type=0/code=0) 
> ttl=64 id=1690 iplen=28 
> LEN 20 VER 4
> RCVD (5.1260s) ICMP 194.81.1.28 > 192.168.1.67 Host 195.195.161.54 unreachable 
> (type=3/code=1) ttl=247 id=22481 iplen=88 
> Segmentation fault
>
> When lucy receives an unrelated ICMP unreachable message from a different host 
> to the one she is scanning, there is a segfault.
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread -1212668224 (LWP 5735)]
> 0x080a3253 in NpingTarget::setProbeRecvICMP (this=0x0, id=0, seq=0) at 
> NpingTarget.cc:1162
> 1162    int i= this->current_stat-1;
> (gdb) bt
> #0  0x080a3253 in NpingTarget::setProbeRecvICMP (this=0x0, id=0, seq=0) at 
> NpingTarget.cc:1162
> #1  0x08077517 in nping_event_handler (nsp=0x817e0a0, nse=0x817c120, mydata=0x0) 
> at nping.cc:1622
> #2  0x080af503 in msevent_dispatch_and_delete (nsp=0x817e0a0, nse=0x817c120, 
> notify=1) at nsock_event.c:297
> #3  0x080ad598 in nsock_loop (nsp=0x817e0a0, msec_timeout=-1) at 
> nsock_core.c:945
> #4  0x0807f69e in normalProbeMode () at nping.cc:522
> #5  0x0807fc0c in main (argc=2, argv=0xbfd0a2a4) at nping.cc:218
>
> This is because nping_event_handler can't find the source of the ICMP 
> unreachable in the list of targets. I think the patch below is all that's 
> needed:
>
> --- nping.cc~   2009-08-08 13:21:10.000000000 +0100
> +++ nping.cc    2009-08-08 14:03:33.000000000 +0100
> @@ -1619,6 +1619,7 @@
>                          trg->setProbeRecvTCP(*prt, 0);
>                  }
>              }else if (o.getMode()==ICMP){
> +             if(trg != NULL)
>                  trg->setProbeRecvICMP(0, 0);
>              }
>         break;
>
>
> Yours, Jack Grahl



      

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org