Nmap Development mailing list archives
Re: libpcap-filter patch from OpenSUSE/Mandriva
From: Kris Katterjohn <katterjohn () gmail com>
Date: Wed, 03 Feb 2010 17:27:15 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/30/2010 10:50 AM, Frederik Himpe wrote:
diff -ur nmap-5.21.orig/libpcap/pcap-linux.c nmap-5.21/libpcap/pcap-linux.c --- nmap-5.21.orig/libpcap/pcap-linux.c 2009-10-27 20:33:50.000000000 +0100 +++ nmap-5.21/libpcap/pcap-linux.c 2010-01-30 16:56:18.000000000 +0100 @@ -1232,8 +1232,30 @@ if (can_filter_in_kernel) { if ((err = set_kernel_filter(handle, &fcode)) == 0) { + char buf[1024]; + int oldflags; + int ret; + unsigned int received = 0, rec_len = 0; + socklen_t optlen = sizeof(rec_len); /* Installation succeded - using kernel filter. */ handle->md.use_bpf = 1; + + oldflags = fcntl(handle->fd, F_GETFL, 0); + oldflags |= O_NONBLOCK; + fcntl(handle->fd, F_SETFL, oldflags); + getsockopt(handle->fd, SOL_SOCKET, SO_RCVBUF, + (char *)&rec_len, &optlen); + + /* now read all packets received until now */ + while((ret = read(handle->fd, buf, 1024)) > 0 + && received < rec_len) { + received += ret; + } + + if(oldflags > 0) { + oldflags &= ~O_NONBLOCK; + fcntl(handle->fd, F_SETFL, oldflags); + } } else if (err == -1) /* Non-fatal error */ {
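Review bot: The read loop added after `handle->md.use_bpf = 1;` discards packets that have already passed the kernel filter just installed by the successful set_kernel_filter() call, and its stop condition `received < rec_len` is not a measure of what is queued: `received` counts bytes copied into a 1024-byte buffer (on a packet socket read() truncates anything longer, so the count is low), while `rec_len` is the SO_RCVBUF allowance rather than the number of bytes waiting, so the loop can stop with packets still queued or keep consuming packets that arrive after it started. If a drain is wanted at all here, loop until read() fails with EAGAIN and drop the byte bound. The flag handling also loses the caller's state: `oldflags |= O_NONBLOCK;` overwrites the saved F_GETFL value, so the restore path `oldflags &= ~O_NONBLOCK;` switches a descriptor that was already non-blocking back to blocking, and `if(oldflags > 0)` is always true after the OR (unless F_GETFL returned -1, in which case that -1 has already been handed to F_SETFL). Keep the original flags in their own variable, write them back unchanged, and check the return values of fcntl() and getsockopt(), none of which are examined.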
I'm just glancing, but this looks very wrong to me.

It looks like this patch is discarding packets which actually match the filter. set_kernel_filter(), which succeeds here, drains the packets received beforehand already.

And besides, the "received < rec_len" loop condition looks wrong because there are no guarantees about how many packets are in the receive buffer, so you could leave extra ones or remove ones received after the read loop is started depending on the amount of data in there and how fast it's read (and when data is received). set_kernel_filter() does it right using another filter while reading.

I don't think this affects Nmap since this occurs when setting the filter, but still. I don't know what this is supposed to accomplish.

Thanks,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIcBAEBAgAGBQJLagZTAAoJEEQxgFs5kUfu7iMQAJmTcCd48gx52mOkHRzqczpP
9yjhNo+bLjmimPw/PP3GEh+Bj3sLpRp64dGo4a9iOGY9OyEx/ArH7hslTf+fEr/K
ggSn1pN7uAwcTNLsjhIIMvm4gkyf5EK4hLG+ha52c/gC5oC8KoUsnHujCrhnGSK7
fQLd13EAv8gNj5xbdhAe7R12cglvtIuHFhGrEapCBK3CZOFSR683qgualz3KZpSo
30b5uTf7SHf80wb+0ifi5zMvJNxPAqDJegQK8Y0BylqXRsrus3aTKlwZPb3AxsME
tO0rPFt5ymRBBROusfC6Jg+rvVwClVDTx2GyY/EjDuyRzFjLVvPLYnZbydfzN3Sw
6dzrVHWyBIY5BgK/SlyVgMFcWD6cEGNf3o96oeQUYL5bn0GUl3ivlPa6DEgpoHOL
J8DnGQYP69YQff9s72RjxVI0ITOQPG78UmF63R1apErqOtwtJsK5RtOI3dM8vsWq
TwJUQ6Bp4QtFGUF5gDC4CFjJLYk6lS3/5WbjkbJIG5S8QPKuiGyHTKnOdVpEZcZa
dM4iEL5AAKOE0IIb74zGWNIT8fBl5se0t6NEyfiD9Jy2ZXUbtSgMX8COBHKH3N98
v0ce65URd/CyoVAQUYPETjK83hcthkHCfTm0Lmh0MmNUB4AdXrA5DJCB+wMGom3G
gnr5Y18De2U6HO3evr+2
=8906
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
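The objection in the reply above comes down to two things the patch gets wrong: a drain loop bounded by a byte count borrowed from SO_RCVBUF instead of by the queue actually running dry, and a flag restore that forgets whether the descriptor was non-blocking to begin with. The block below is an added example, not code from the patch, from libpcap or from Nmap. It drains a datagram or packet socket by reading until read() reports EAGAIN and then writes the caller's original file-status flags back untouched. Because a PF_PACKET socket needs root, the demonstration harness uses an AF_UNIX socketpair as a constructed stand-in and feeds it a made-up set of 100-byte datagrams. The function names drain_queued_datagrams and drain_demo are mine. The routine deliberately does not reproduce set_kernel_filter()'s trick of parking a reject-all filter on the socket while reading, so it is only safe at a point where the caller already accepts losing whatever is queued.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Discard every datagram currently queued on fd (a datagram or packet
 * socket; on a stream socket at EOF this would spin). Returns the number
 * of datagrams discarded, or -1 on error with errno set.
 *
 * The loop ends when the kernel says the queue is empty (EAGAIN), not
 * when some byte count reaches the SO_RCVBUF size: SO_RCVBUF is an
 * allowance that includes per-packet overhead, so it says nothing about
 * how many payload bytes are waiting. */
int drain_queued_datagrams(int fd)
{
    char buf[65536];            /* large enough that read() does not truncate */
    int origflags, n = 0, saved_errno;
    ssize_t r;

    /* Keep the caller's flags in their own variable so they can be
     * restored exactly, rather than OR-ing O_NONBLOCK into the saved
     * copy and blindly clearing it afterwards. */
    origflags = fcntl(fd, F_GETFL, 0);
    if (origflags == -1)
        return -1;
    if (!(origflags & O_NONBLOCK) &&
        fcntl(fd, F_SETFL, origflags | O_NONBLOCK) == -1)
        return -1;

    for (;;) {
        r = read(fd, buf, sizeof buf);
        if (r >= 0) {           /* one datagram consumed (0 = empty datagram) */
            n++;
            continue;
        }
        if (errno == EINTR)
            continue;
        if (errno == EAGAIN || errno == EWOULDBLOCK)
            break;              /* queue is empty: this is the only exit we want */
        n = -1;                 /* genuine error */
        break;
    }

    saved_errno = errno;
    if (fcntl(fd, F_SETFL, origflags) == -1)   /* no-op if it was already non-blocking */
        n = -1;
    errno = saved_errno;
    return n;
}

/* Demonstration harness (constructed, not libpcap code): queue `count`
 * 100-byte datagrams on a socketpair, optionally after marking the reader
 * non-blocking, drain the reader and check that its flags survived and
 * that a datagram sent afterwards still arrives. Returns the number
 * drained, or -1 if any of those checks failed. */
int drain_demo(int count, int reader_nonblocking)
{
    int sv[2], i, before, after, n = -1;
    char payload[100], c;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) == -1)
        return -1;
    if (reader_nonblocking && fcntl(sv[0], F_SETFL, O_NONBLOCK) == -1)
        goto out;

    memset(payload, 'A', sizeof payload);
    for (i = 0; i < count; i++)
        if (write(sv[1], payload, sizeof payload) != (ssize_t)sizeof payload)
            goto out;

    before = fcntl(sv[0], F_GETFL, 0);
    n = drain_queued_datagrams(sv[0]);
    after = fcntl(sv[0], F_GETFL, 0);
    if (before == -1 || after == -1 || after != before)
        n = -1;                 /* flag state was not preserved */

    /* Traffic arriving after the drain must not be swallowed. */
    if (n >= 0 &&
        (write(sv[1], "x", 1) != 1 ||
         recv(sv[0], &c, 1, MSG_DONTWAIT) != 1 || c != 'x'))
        n = -1;
out:
    close(sv[0]);
    close(sv[1]);
    return n;
}

int main(void)
{
    printf("blocking reader, 5 queued: drained %d\n", drain_demo(5, 0));
    printf("non-blocking reader, 3 queued: drained %d\n", drain_demo(3, 1));
    return 0;
}
```

Run it as an unprivileged user; the socketpair stands in for the capture socket. The point of the `reader_nonblocking` case is exactly the regression the patch would introduce: a program that called pcap_setnonblock() before pcap_setfilter() would find its descriptor silently back in blocking mode.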
Current thread:
- libpcap-filter patch from OpenSUSE/Mandriva Frederik Himpe (Jan 30)
- Re: libpcap-filter patch from OpenSUSE/Mandriva Kris Katterjohn (Feb 03)