Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Segfault with Nmap 4.85BETA8
From: Patrick Donnelly <batrick () batbytes com>
Date: Fri, 24 Apr 2009 07:13:57 -0600

Hello Lionel,

On Fri, Apr 24, 2009 at 2:44 AM, Lionel Cons <lionel.cons () cern ch> wrote:
I'm sometimes getting a segfault while running Nmap 4.85BETA8. Here is
a backtrace:

Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-04-23 16:39 CEST

Program received signal SIGSEGV, Segmentation fault.
0x080d7dae in lua_pushnil ()
(gdb) bt
#0  0x080d7dae in lua_pushnil ()
#1  0x080b257e in ncap_restore_lua ()
#2  0x080da35b in lua_getinfo ()
#3  0x080e2b37 in lua_close ()
#4  0x080d9c58 in lua_getinfo ()
#5  0x080da850 in lua_resume ()
#6  0x080e85c6 in luaL_openlibs ()
#7  0x080e86a8 in luaL_openlibs ()
#8  0x080da35b in lua_getinfo ()
#9  0x080e2b37 in lua_close ()
#10 0x080da66f in lua_getinfo ()
#11 0x080d85cf in lua_call ()
#12 0x080d9c58 in lua_getinfo ()
#13 0x080da936 in lua_yield ()
#14 0x080d8624 in lua_pcall ()
#15 0x080af9fb in ScriptResult::set_output ()
#16 0x080da35b in lua_getinfo ()
#17 0x080da634 in lua_getinfo ()
#18 0x080d86c8 in lua_pcall ()
#19 0x080d9c58 in lua_getinfo ()
#20 0x080da936 in lua_yield ()
#21 0x080d870d in lua_cpcall ()
#22 0x080af411 in script_scan ()
#23 0x08061ec7 in nmap_main ()
#24 0x0805d518 in main ()

This is a very bizarre backtrace with many functions that do not call
each other (lua_getinfo -> ScriptResult::set_output()). I suspect the
stack has been corrupted somehow.

On a different note, the ncap_restore_lua procedure does obtain the
lua_State * through the yield structure inside the nsock userdata. The
SEGFAULT would occur if this nsock userdata or thread had been
collected.

The bug seems to be triggered by an NSE script of mine (see attached).
The script may be buggy but IMHO it should not make Nmap segfault.
Also, this script worked fine in previous versions of Nmap, up to SVN
revision 12857 at least.

Finally, the problem is tricky. I can reproduce it when scanning many
ports on some sets of hosts. Changing the ports or the hosts scanned
sometimes makes the problem disappear, maybe a timing or race
condition problem?

Any help to improve the NSE script and/or make Nmap more robust would
be welcome.

I'm not sure this is related to any changes made to NSE since the
noted revision. I will investigate this and post my findings.

Thanks for the report,

-- 
-Patrick Donnelly

"One of the lessons of history is that nothing is often a good thing
to do and always a clever thing to say."

-Will Durant

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault