Nmap Development mailing list archives

Re: ncat should try connecting to all resolved addresses, not only the first one


From: Jaromir Koncicky <jkoncick () redhat com>
Date: Tue, 3 Dec 2013 15:20:34 -0500 (EST)

Bump:
Could you please look at this and give me feedback?
I'd like to finish this issue and make an acceptable patch which could be included in nmap.
Thanks!

----- Original Message -----
From: "Jaromir Koncicky" <jkoncick () redhat com>
To: "David Fifield" <david () bamsoftware com>
Cc: dev () nmap org
Sent: Thursday, November 7, 2013 10:14:18 AM
Subject: Re: ncat should try connecting to all resolved addresses, not only the first one

Hi, I'm back here with a new patch.
I made two new versions of the patch, both can be found in https://bugzilla.redhat.com/show_bug.cgi?id=978964#c9 (comments #9 and #11).
As you can read there, I've made it without goto and global pointer, which I didn't like either.
In the first patch I'm using a fixed size array for storing the addresses, in the second I'm using a dynamically allocated linked list and also passing the next address via client-data in the callback function.
I still don't think it's 100% ideal, because I still mainly use only the first field of the address list in the many cases where it was used before, and use the full list in just one case - when ncat simply connects to a server.
But I think this can now be the right way to implement the more-address support.
I'm again awaiting your feedback, thanks!

----- Original Message -----
From: "David Fifield" <david () bamsoftware com>
To: "Jaromir Koncicky" <jkoncick () redhat com>
Cc: dev () nmap org
Sent: Tuesday, September 10, 2013 11:54:16 PM
Subject: Re: ncat should try connecting to all resolved addresses, not only the first one

On Mon, Sep 02, 2013 at 12:26:24PM -0400, Jaromir Koncicky wrote:
> I made a patch which adds this functionality: if one resolved address fails, next one is tried.
> You can find it there: https://bugzilla.redhat.com/show_bug.cgi?id=978964#c6
>
> I am not very familiar with the code, so I'd like to consult how to do
> this better. I don't think the way I made it is ideal and would like
> to make it more acceptable.

Thanks for the patch.

I agree with Thomas Hozza's comments at
https://bugzilla.redhat.com/show_bug.cgi?id=978964#c7.

You can't use global state in the resolver. What you will want to do is
store all the potential addresses of the target in ncat_main.c. Then in
ncat_connect, call nsock_connect_{tcp,ssl,sctp,udp} with the first
address. Then, in connect_handler, if the connection timed out, do
another nsock_connect_{tcp,ssl,sctp,udp} on the next address.

The changes aren't trivial, and I'm also not sure they are completely
specified--for example, what should happen if a port is closed on IPv6
but open on IPv4? Is "connection refused" the same as "timed out" for
the purposes of attempting to reconnect? Suppose it does, you have a
script that relies on this behavior--then what happens if someone
manages to open the IPv6 port and intercept your connection?

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
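
The fallback question raised in David Fifield's reply (is "connection refused" treated like "timed out", and does the caller learn that a different address family answered?) can be made concrete with a small sketch. This is an added example, not code from the thread, the Bugzilla patches, ncat or nsock; the types, the policy names and the stand-in connectors are hypothetical, and the addresses are constructed from documentation prefixes.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>

/* Hypothetical types for this sketch; none of this is ncat or nsock code. */
struct candidate { int family; const char *addr; };
typedef int (*connect_fn)(const struct candidate *c); /* 0 or an errno value */
enum policy { RETRY_ON_TIMEOUT_ONLY, RETRY_ON_REFUSED_TOO };
struct outcome { int index; int last_err; int crossed_family; };

/* Decide whether a failed attempt may fall through to the next address. */
int should_retry(int err, enum policy p) {
    if (err == ETIMEDOUT) return 1;
    return err == ECONNREFUSED && p == RETRY_ON_REFUSED_TOO;
}

/* Walk the resolved list in order; report which entry connected and whether
 * it is a different address family from the first (preferred) entry. */
struct outcome try_all(const struct candidate *list, size_t n,
                       connect_fn do_connect, enum policy p) {
    struct outcome r = { -1, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        r.last_err = do_connect(&list[i]);
        if (r.last_err == 0) {
            r.index = (int)i;
            r.crossed_family = list[i].family != list[0].family;
            return r;
        }
        if (!should_retry(r.last_err, p)) break;
    }
    return r;
}

/* Constructed sample: one name resolving to an IPv6 and an IPv4 address
 * (documentation prefixes), with stand-in connectors instead of sockets. */
const struct candidate SAMPLE[] = { { AF_INET6, "2001:db8::1" }, { AF_INET, "192.0.2.1" } };
int v6_refused(const struct candidate *c) { return c->family == AF_INET6 ? ECONNREFUSED : 0; }
int v6_timeout(const struct candidate *c) { return c->family == AF_INET6 ? ETIMEDOUT : 0; }

int main(void) {
    struct outcome r = try_all(SAMPLE, 2, v6_refused, RETRY_ON_REFUSED_TOO);
    if (r.index >= 0)
        printf("connected to %s%s\n", SAMPLE[r.index].addr,
               r.crossed_family ? " (fell back to another address family)" : "");
    return 0;
}
```

With the stricter policy a refused IPv6 port ends the attempt, while the looser one silently lands on IPv4; the `crossed_family` flag is what lets a script notice that the peer it reached is not the one it first tried.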