Nmap Development mailing list archives

Re: Bug in nmap 5.20 (nsock_core.c:516: handle_write_result)

From: David Fifield <david () bamsoftware com>
Date: Wed, 20 Jan 2010 23:23:35 -0700

On Wed, Jan 20, 2010 at 10:57:13PM +0200, pyllyukko wrote:

Hello list.

So I downloaded the brand new nmap 5.20 and set off to scan my lan. nmap  
suddenly crashed stating: "nmap: nsock_core.c:516: handle_write_result:  
Assertion `bytesleft > 0' failed".

I briefly tried to debug it, and narrowed down the cause.

Here's the exact command used, it's 100% reproducible (on my system, that 
is):
nmap -sS --script http-userdir-enum.nse --script-args=unsafe=1 - 
--script-trace -PR -T 4 -p80 -oA 192.168.0.2-%Y%m%d%R-debug -d9 - 
--log-errors --reason -R 192.168.0.2

Here's the last few lines of the debug output:
NSOCK (0.1860s) Write request for 149 bytes to IOD #3 EID 91  
[192.168.0.2:80]
NSOCK (0.1860s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.1860s) Callback: WRITE SUCCESS for EID 91 [192.168.0.2:80]
NSE: TCP 192.168.0.35:37821 > 192.168.0.2:80 | CLOSE
NSE: Received only 0 of 1 expected reponses.
Decreasing max pipelined requests to 0.
NSOCK (0.1870s) TCP connection requested to 192.168.0.2:80 (IOD #4) EID 96
NSOCK (0.1870s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.1870s) Callback: CONNECT SUCCESS for EID 96 [192.168.0.2:80]
NSE: TCP 192.168.0.35:37822 > 192.168.0.2:80 | CONNECT
NSE: TCP 192.168.0.35:37822 > 192.168.0.2:80 |
NSOCK (0.1870s) Write request for 0 bytes to IOD #4 EID 107  
[192.168.0.2:80]:
nmap: nsock_core.c:516: handle_write_result: Assertion `bytesleft > 0'  
failed.
NSOCK (0.1880s) nsock_loop() started (timeout=50ms). 1 events pending

Now what?-)


Thanks. Brandon Enright found this bug today too. It has to do with
recent changes to the http library. What's happening is there is an
error getting the first pipeline response, and so the code erroneously
reduces the pipeline capacity to 0, when it really should bail out. It
then tries to do a zero-byte write, which causes the assertion failure.

I think I'll have a fix for this tomorrow. In the meantime, it would
help if you could send me a packet capture or --packet-trace of the HTTP
request and response, to see what is making the first response retrieval
fail.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Bug in nmap 5.20 (nsock_core.c:516: handle_write_result) pyllyukko (Jan 20)
- Re: Bug in nmap 5.20 (nsock_core.c:516: handle_write_result) David Fifield (Jan 20)
  - Re: Bug in nmap 5.20 (nsock_core.c:516: handle_write_result) David Fifield (Jan 21)