Nmap Development mailing list archives

Segfault in get_ping_pcap_result() from massping() on x86_64


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 8 Oct 2008 22:25:50 +0000


Developers,

I recently noticed that starting at or before Nmap 4.76 ping scans of
very large hostgroups causes Nmap to segfault.  To get the hostgroup
large enough it seems that --randomize-hosts is required.  Here is the
shortest command I can use to reproduce the tests:

nmap -P S139 -sP --randomize-hosts -n a.b.0.0/16

If -T5 is specified the scan crashes sooner.  -PS can be changed to -PA
without affecting the crash.  Strangely, if I compile Nmap with -g and
don't strip the binary the crash becomes hard to reproduce.  Instead of
crashing every scan it crashes once every 20 scans or so.  If I run
Nmap with "valgrind --tool=memcheck" it gets stuck in an infinite loop
and doesn't crash. Also, if I run Nmap with -d3 it doesn't seem to
crash.

Even with the above caveats, I've managed to get a core dump and
backtrace with the debug symbols intact:

Program terminated with signal 11, Segmentation fault.
#0  0x0000000000445df4 in get_ping_pcap_result (USI=0x2bdf900,
    stime=0x7fff33bf9160) at scan_engine.cc:4360
4360              if (hss->target->v4hostip()->s_addr == ip->ip_src.s_addr) {
(gdb) bt
#0  0x0000000000445df4 in get_ping_pcap_result (USI=0x2bdf900,
    stime=0x7fff33bf9160) at scan_engine.cc:4360
#1  0x0000000000446f43 in waitForResponses (USI=0x2bdf900)
    at scan_engine.cc:4579
#2  0x0000000000449a87 in ultra_scan (Targets=@0x7fff33bf9340,
    ports=<value optimized out>, scantype=PING_SCAN, to=0x6ad964)
    at scan_engine.cc:4853
#3  0x0000000000420522 in massping (hostbatch=0x4000, num_hosts=16384,
    ports=0x7fff33bfc060) at targets.cc:462
#4  0x0000000000420a81 in nexthost (hs=0x1b987d0, exclude_group=0x0,
    ports=0x7fff33bfc060, pingtype=80) at targets.cc:616
#5  0x000000000041bfdb in nmap_main (argc=9, argv=0x7fff33bff408)
    at nmap.cc:1607
#6  0x0000000000418417 in main (argc=9, argv=0x7fff33bff408) at main.cc:224
(gdb) list
4355                continue;
4356            }
4357
4358            if (ping->type == 3) {
4359              /* Destination unreachable. */
4360              if (hss->target->v4hostip()->s_addr == ip->ip_src.s_addr) {
4361                /* The ICMP error came directly from the target, so it's up. */
4362                goodone = true;
4363                newstate = HOST_UP;
4364              } else {
(gdb) p hss
$1 = (HostScanStats *) 0x0
(gdb) p ip
$2 = <value optimized out>
(gdb) p ip->ip_src
Cannot access memory at address 0xc


I haven't determined what commit caused this crash.  I also haven't
determined how hss manages to become null.  I'm willing to dig into
this more to help someone troubleshoot this problem.

In the meantime, I've added -d3 to my production scans which seems to
have allowed them to continue.

Brandon
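A small C model of the reply-handling path quoted in the gdb listing, added here as an illustration and not Nmap's code. It assumes the per-target record (hss) is looked up from the destination inside the ICMP error's embedded packet and that a lookup can fail, and it shows the null check that the crashing line `hss->target->v4hostip()` skips; all addresses and the hostgroup are constructed.

```c
/* Model of the ICMP "destination unreachable" branch from the backtrace.
 * Not Nmap's code: structures and lookup are simplified stand-ins. */
#include <stddef.h>
#include <stdint.h>

enum host_state { HOST_UNKNOWN = 0, HOST_UP = 1 };

/* Stand-in for Nmap's HostScanStats with only the fields the model needs. */
typedef struct {
    uint32_t hostip;        /* target IPv4 address, host byte order here */
    enum host_state state;
} HostScanStats;

/* Constructed hostgroup: a tiny slice of what a /16 batch would hold. */
static HostScanStats group[] = {
    { 0x0A000001u, HOST_UNKNOWN },
    { 0x0A000002u, HOST_UNKNOWN },
    { 0x0A000003u, HOST_UNKNOWN },
};

/* Map the embedded packet's destination back to a target record. Returns
 * NULL when no target matches, e.g. an error whose quoted packet does not
 * belong to this batch; this is the NULL the backtrace shows for hss. */
static HostScanStats *lookup_hss(uint32_t inner_dst) {
    for (size_t i = 0; i < sizeof group / sizeof group[0]; i++)
        if (group[i].hostip == inner_dst)
            return &group[i];
    return NULL;
}

/* Handle one ICMP packet: outer_src is the sender of the ICMP message,
 * inner_dst the destination of the packet quoted inside it. Returns the
 * target's resulting state, or -1 when the reply matched no target and was
 * dropped instead of dereferencing a NULL hss (the missing guard). */
int handle_icmp_reply(uint8_t icmp_type, uint32_t outer_src, uint32_t inner_dst) {
    HostScanStats *hss = lookup_hss(inner_dst);
    if (hss == NULL)
        return -1;                   /* unknown target: skip, never deref */
    if (icmp_type == 3) {            /* destination unreachable */
        if (hss->hostip == outer_src)
            hss->state = HOST_UP;    /* error came directly from the target */
        /* else: sent by an intermediate router; the model leaves state as is */
    }
    return (int)hss->state;
}
```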

