Re: libpcap-filter patch from OpenSUSE/Mandriva

[Kris Katterjohn <katterjohn () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/30/2010 10:50 AM, Frederik Himpe wrote:
> diff -ur nmap-5.21.orig/libpcap/pcap-linux.c nmap-5.21/libpcap/pcap-linux.c
> --- nmap-5.21.orig/libpcap/pcap-linux.c       2009-10-27 20:33:50.000000000 +0100
> +++ nmap-5.21/libpcap/pcap-linux.c    2010-01-30 16:56:18.000000000 +0100
> @@ -1232,8 +1232,30 @@
>       if (can_filter_in_kernel) {
>               if ((err = set_kernel_filter(handle, &fcode)) == 0)
>               {
> +                     char buf[1024];
> +                     int oldflags;
> +                     int ret;
> +                     unsigned int received = 0, rec_len = 0;
> +                     socklen_t optlen = sizeof(rec_len);
>                       /* Installation succeded - using kernel filter. */
>                       handle->md.use_bpf = 1;
> +
> +                     oldflags = fcntl(handle->fd, F_GETFL, 0);
> +                     oldflags |= O_NONBLOCK;
> +                     fcntl(handle->fd, F_SETFL, oldflags);
> +                     getsockopt(handle->fd, SOL_SOCKET, SO_RCVBUF,
> +                                (char *)&rec_len, &optlen);
> +
> +                        /* now read all packets received until now */
> +                     while((ret = read(handle->fd, buf, 1024)) > 0
> +                           && received < rec_len) {
> +                         received += ret;
> +                     }
> +
> +                     if(oldflags > 0) {
> +                         oldflags &= ~O_NONBLOCK;
> +                         fcntl(handle->fd, F_SETFL, oldflags);
> +                     }
>               }
>               else if (err == -1)     /* Non-fatal error */
>               {

I'm just glancing, but this looks very wrong to me.  It looks like this patch
is discarding packets which actually match the filter.  set_kernel_filter(),
which succeeds here, drains the packets received beforehand already.

And besides, the "received < rec_len" loop condition looks wrong because there
are no guarantees about how many packets are in the receive buffer, so you
could leave extra ones or remove ones received after the read loop is started
depending on the amount of data in there and how fast it's read (and when data
is received).  set_kernel_filter() does it right using another filter while
reading.

I don't think this affects Nmap since this occurs when setting the filter, but
still.  I don't know what this is supposed to accomplish.

Thanks,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIcBAEBAgAGBQJLagZTAAoJEEQxgFs5kUfu7iMQAJmTcCd48gx52mOkHRzqczpP
9yjhNo+bLjmimPw/PP3GEh+Bj3sLpRp64dGo4a9iOGY9OyEx/ArH7hslTf+fEr/K
ggSn1pN7uAwcTNLsjhIIMvm4gkyf5EK4hLG+ha52c/gC5oC8KoUsnHujCrhnGSK7
fQLd13EAv8gNj5xbdhAe7R12cglvtIuHFhGrEapCBK3CZOFSR683qgualz3KZpSo
30b5uTf7SHf80wb+0ifi5zMvJNxPAqDJegQK8Y0BylqXRsrus3aTKlwZPb3AxsME
tO0rPFt5ymRBBROusfC6Jg+rvVwClVDTx2GyY/EjDuyRzFjLVvPLYnZbydfzN3Sw
6dzrVHWyBIY5BgK/SlyVgMFcWD6cEGNf3o96oeQUYL5bn0GUl3ivlPa6DEgpoHOL
J8DnGQYP69YQff9s72RjxVI0ITOQPG78UmF63R1apErqOtwtJsK5RtOI3dM8vsWq
TwJUQ6Bp4QtFGUF5gDC4CFjJLYk6lS3/5WbjkbJIG5S8QPKuiGyHTKnOdVpEZcZa
dM4iEL5AAKOE0IIb74zGWNIT8fBl5se0t6NEyfiD9Jy2ZXUbtSgMX8COBHKH3N98
v0ce65URd/CyoVAQUYPETjK83hcthkHCfTm0Lmh0MmNUB4AdXrA5DJCB+wMGom3G
gnr5Y18De2U6HO3evr+2
=8906
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/