Nmap Development: Re: nmap 4.50 and 4.60: little display error

Re: nmap 4.50 and 4.60: little display error

From: Andrew J. Bennieston <harriergr7_at_gmail.com>
Date: Tue, 08 Apr 2008 21:37:04 +0100

David Fifield wrote:
> On Tue, Apr 08, 2008 at 09:21:19PM +0200, sfijn_at_xs4all.nl wrote:
>> Hi nmap-dev
>>
>> I came across a little error in nmap: it seems to drop the last decimal of
>> the IP address.
>> Discovered in version 4.50, upgraded to 4.60 but still the same.
>>
>> --------------------------
>> F:\WINNT>nmap -vv -PN -sI 192.168.40.24 192.168.40.129
>>
>> Starting Nmap 4.60 ( http://insecure.org ) at 2008-04-08 21:06 Hora de
>> verano romance
>> Initiating ARP Ping Scan at 21:06
>> Scanning 192.168.40.129 [1 port]
>> Completed ARP Ping Scan at 21:06, 0.09s elapsed (1 total hosts)
>> Initiating Parallel DNS resolution of 1 host. at 21:06
>> Completed Parallel DNS resolution of 1 host. at 21:06, 0.02s elapsed
>>
>> Initiating idle scan against 192.168.40.12 at 21:06 <<====== '9' MISSING
>>
>> Idle scan zombie 192.168.40.24 (192.168.40.24) port 80 cannot be used
>> because it has not returned any of our probes -- perhaps it is down or
>> firewalled.
>> QUITTING!
>
> Thanks Stephen. There was not enough space allocated to show the IP
> address, so sometimes it was truncated. I committed a fix that just
> increases the size of the buffer.
>
> David Fifield
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org
>

I was bored, so I've created the patch below to cause the scanname
buffer (idlescan.cc:991) to be dynamically allocated with a size large
enough to contain the text "idle scan against " followed by the full
contents of target->NameIP(). This means it'll never truncate the
output, at the expense of
[1] A malloc() where one isn't really required other than for aesthetics
[2] The possibility that a (very, very) long DNS entry could use a lot
of memory here!

Extending the buffer size is a pretty good solution; I'm submitting this
on the off-chance that aesthetics matter sufficiently! It's a patch
against the nmap-4.60 release tarball.

Andrew J. Bennieston

diff -u nmap-4.60-old/idle_scan.cc nmap-4.60/idle_scan.cc
--- nmap-4.60-old/idle_scan.cc 2008-02-28 18:52:06.000000000 +0000
+++ nmap-4.60/idle_scan.cc 2008-04-08 21:20:26.625913874 +0100
@@ -988,10 +988,13 @@
   int portidx = 0; /* Used for splitting the port array into chunks */
   int portsleft;
   time_t starttime;
- char scanname[32];
- Snprintf(scanname, sizeof(scanname), "idle scan against %s", target->NameIP());
+ int scanname_len = 19+strlen(target->NameIP());
+ char *scanname = (char*)malloc(scanname_len);
+ Snprintf(scanname, scanname_len, "idle scan against %s", target->NameIP());
   ScanProgressMeter SPM(scanname);
 
+ free(scanname); /* If this is too soon, could move it to the end, but there are no further references */
+
   if (numports == 0) return; /* nothing to scan for */
   if (!proxyName) fatal("idle scan requires a proxy host");
 
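Review bot: the `free(scanname)` added right after `ScanProgressMeter SPM(scanname);` is only safe if the ScanProgressMeter constructor copies the string it is handed; if it merely stores the pointer, SPM holds freed memory for the rest of the scan (the hunk's own comment concedes the placement may be "too soon"). Check the constructor before taking this, and if it keeps the pointer, move the `free()` to the end of the function so the buffer outlives the meter. Two smaller points in the same hunk: the `malloc()` result is passed to Snprintf without a NULL check, and `19+strlen(target->NameIP())` hand-counts strlen("idle scan against ") plus one for the terminator, which is right today but silently goes wrong the moment the format string is edited; deriving it from the literal, e.g. `strlen("idle scan against ") + strlen(target->NameIP()) + 1`, avoids that.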

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Apr 08 2008
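The truncation David describes and the buffer sizing Andrew's patch is after, reproduced in a stand-alone C program. This is an added example, not code from nmap or from either poster: the helper names `format_fixed`, `format_dynamic` and `would_truncate` are hypothetical, and the host string is a constructed sample lifted from the report (nmap's NameIP() would normally put a hostname in front of the address, which only makes the string longer).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the address the bug report shows being cut short. */
#define SAMPLE_NAMEIP "192.168.40.129"

/* Hypothetical helper (not nmap's): format into a caller-supplied fixed
 * buffer, as the original code did with char scanname[32].  snprintf always
 * NUL-terminates but silently drops whatever does not fit, which is exactly
 * the ".12" instead of ".129" symptom in the report.  Returns the length the
 * full string would have had, so a caller can detect the loss. */
size_t format_fixed(char *out, size_t outsz, const char *nameip) {
    int needed = snprintf(out, outsz, "idle scan against %s", nameip);
    return needed < 0 ? 0 : (size_t)needed;
}

/* Hypothetical helper: size the buffer from the actual arguments.  A first
 * snprintf with a NULL/0 destination returns the required length; add one for
 * the terminator, malloc, and check the result before writing.  Caller frees. */
char *format_dynamic(const char *nameip) {
    int needed = snprintf(NULL, 0, "idle scan against %s", nameip);
    if (needed < 0)
        return NULL;
    size_t len = (size_t)needed + 1;
    char *buf = malloc(len);
    if (buf == NULL)
        return NULL;
    snprintf(buf, len, "idle scan against %s", nameip);
    return buf;
}

/* Returns 1 if formatting nameip into a buffer of outsz bytes would truncate
 * (the string needs one more byte than its length, for the NUL). */
int would_truncate(size_t outsz, const char *nameip) {
    int needed = snprintf(NULL, 0, "idle scan against %s", nameip);
    return needed >= 0 && (size_t)needed >= outsz;
}

int main(void) {
    char fixed[32];
    size_t needed = format_fixed(fixed, sizeof fixed, SAMPLE_NAMEIP);
    printf("fixed  : \"%s\" (needed %zu bytes incl. NUL, had %zu)\n",
           fixed, needed + 1, sizeof fixed);

    char *dyn = format_dynamic(SAMPLE_NAMEIP);
    if (dyn != NULL) {
        printf("dynamic: \"%s\"\n", dyn);
        free(dyn);
    }
    return 0;
}
```

The arithmetic behind the symptom: the 18-character prefix plus the 14-character address is 32 characters, which needs 33 bytes with the terminator, one more than the 32-byte stack buffer had. snprintf keeps the NUL and drops the final digit, so the zombie 192.168.40.24 (13 characters) printed fine while the target 192.168.40.129 lost its "9". Sizing the buffer from a dry-run snprintf rather than a hand-counted constant keeps the fix correct if the message text ever changes, and the NULL check covers the allocation failure the patch leaves unhandled.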
