Nmap Development mailing list archives
Service scan on link-local IPv6 address without -e option causes Nmap to crash
From: "Mathias Morbitzer" <m.morbitzer () runbox com>
Date: Wed, 02 Mar 2016 17:09:06 +0100 (CET)
Hello everyone, I've been executing an Nmap scan with the following commandline: sudo ./nmap -6 fe80::20c:29ff:feb9:7b9d -sV -p 111 -dd When reaching the service scan, Nmap crashes with the following output: [..] Initiating Service scan at 03:20 Scanning 2 services on fe80::20c:29ff:feb9:7b9d NSOCK INFO [1.8880s] nsock_iod_new2(): nsock_iod_new (IOD #1) Starting probes against new service: fe80::20c:29ff:feb9:7b9d:22 (tcp) NSOCK INFO [1.8880s] nsock_connect_tcp(): TCP connection requested to fe80::20c:29ff:feb9:7b9d:22 (IOD #1) EID 8 NSOCK INFO [1.8880s] nsock_trace_handler_callback(): Callback: CONNECT ERROR [Invalid argument (22)] for EID 8 [fe80::20c:29ff:feb9:7b9d:22] Got nsock CONNECT response with status ERROR - aborting this service NSOCK INFO [1.8880s] nsock_iod_delete(): nsock_iod_delete (IOD #1) NSOCK INFO [1.8880s] nsock_iod_new2(): nsock_iod_new (IOD #2) Starting probes against new service: fe80::20c:29ff:feb9:7b9d:111 (tcp) NSOCK INFO [1.8880s] nsock_connect_tcp(): TCP connection requested to fe80::20c:29ff:feb9:7b9d:111 (IOD #2) EID 16 NSOCK INFO [1.8880s] nsock_trace_handler_callback(): Callback: CONNECT ERROR [Invalid argument (22)] for EID 16 [fe80::20c:29ff:feb9:7b9d:111] Got nsock CONNECT response with status ERROR - aborting this service NSOCK INFO [1.8880s] nsock_iod_delete(): nsock_iod_delete (IOD #2) *** Error in `nmap': double free or corruption (out): 0x0000000003885060 *** I found the problem in the nsock_connect_internal() function in nsock/src/nsock_connect.c . When a link-local IPv6 address is used without stating with -e which interface to use, sin6->sin6_scope_id is not initialized, causing the connect() function to return with error code 22. I wanted to provide a patch, but I actually don't know in which way to fix this. When trying to scan a link-local address without stating an interface, most other tools just quit and require the specification of an interface. However, Nmap is also able to do the portscan without having an interface implicitly specified, so why shouldn't it also be able to perform the service scan? Being able to do the service scan without stating the interface would require sin6->sin6_scope_id to either be set in nsock_connect_internal(), or even before. However, I'm having troubles to figure out where the best place to add this code would be, and how I would be able to access information about the interface Nmap has used for the port scan. Maybe somebody with more experience in the code base could point me in the right direction? Further, I think that even if nsock_connect_internal() is not able to establish a connection, Nmap still shouldn't crash. However, I was not yet able to figure where memory is freed twice in case something goes wrong... Regards, Mathias _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Service scan on link-local IPv6 address without -e option causes Nmap to crash Mathias Morbitzer (Mar 02)
- Re: Service scan on link-local IPv6 address without -e option causes Nmap to crash Daniel Miller (Mar 04)
- Re: Service scan on link-local IPv6 address without -e option causes Nmap to crash Mathias Morbitzer (Mar 05)
- Re: Service scan on link-local IPv6 address without -e option causes Nmap to crash Daniel Miller (Mar 04)