Re: Segfault with Nmap 4.85BETA8
From: Patrick Donnelly <batrick () batbytes com>
Date: Fri, 24 Apr 2009 07:13:57 -0600
On Fri, Apr 24, 2009 at 2:44 AM, Lionel Cons <lionel.cons () cern ch> wrote:
> I'm sometimes getting a segfault while running Nmap 4.85BETA8. Here is
> Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-04-23 16:39 CEST
> Program received signal SIGSEGV, Segmentation fault.
> 0x080d7dae in lua_pushnil ()
> #0 0x080d7dae in lua_pushnil ()
> #1 0x080b257e in ncap_restore_lua ()
> #2 0x080da35b in lua_getinfo ()
> #3 0x080e2b37 in lua_close ()
> #4 0x080d9c58 in lua_getinfo ()
> #5 0x080da850 in lua_resume ()
> #6 0x080e85c6 in luaL_openlibs ()
> #7 0x080e86a8 in luaL_openlibs ()
> #8 0x080da35b in lua_getinfo ()
> #9 0x080e2b37 in lua_close ()
> #10 0x080da66f in lua_getinfo ()
> #11 0x080d85cf in lua_call ()
> #12 0x080d9c58 in lua_getinfo ()
> #13 0x080da936 in lua_yield ()
> #14 0x080d8624 in lua_pcall ()
> #15 0x080af9fb in ScriptResult::set_output ()
> #16 0x080da35b in lua_getinfo ()
> #17 0x080da634 in lua_getinfo ()
> #18 0x080d86c8 in lua_pcall ()
> #19 0x080d9c58 in lua_getinfo ()
> #20 0x080da936 in lua_yield ()
> #21 0x080d870d in lua_cpcall ()
> #22 0x080af411 in script_scan ()
> #23 0x08061ec7 in nmap_main ()
> #24 0x0805d518 in main ()
This is a very bizarre backtrace with many functions that do not call
each other (lua_getinfo -> ScriptResult::set_output()). I suspect the
stack has been corrupted somehow.
On a different note, the ncap_restore_lua procedure does obtain the
lua_State * through the yield structure inside the nsock userdata. The
SEGFAULT would occur if this nsock userdata or thread had been
> The bug seems to be triggered by an NSE script of mine (see attached).
> The script may be buggy but IMHO it should not make Nmap segfault.
> Also, this script worked fine in previous versions of Nmap, up to SVN
> revision 12857 at least.
> Finally, the problem is tricky. I can reproduce it when scanning many
> ports on some sets of hosts. Changing the ports or the hosts scanned
> sometimes makes the problem disappear, maybe a timing or race
> Any help to improve the NSE script and/or make Nmap more robust would
I'm not sure this is related to any changes made to NSE since the
noted revision. I will investigate this and post my findings.
Thanks for the report,
"One of the lessons of history is that nothing is often a good thing
to do and always a clever thing to say."
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
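The failure mode Patrick raises above (a socket callback that recovers the lua_State of a yielded script thread from a pointer stored in the nsock userdata, which is unsafe if that thread has already been collected) can be modelled in plain Lua. The example below is added here and is not code from the thread or from Nmap; it models the C-side raw pointer with a weak-valued table (which, like a raw pointer, does not keep the thread alive for the garbage collector), and a queue of deferred callbacks standing in for nsock. The names `start_io`, `fire_callbacks` and `make_script` are invented for the illustration.

```lua
-- Added example (not from the original thread or from Nmap's source).
-- Models the failure mode discussed in the reply: a C callback that holds
-- a raw lua_State* for a yielded coroutine does not count as a reference
-- for Lua's garbage collector, so the thread can be collected underneath
-- it. A weak-valued table stands in for that raw pointer here.

-- Stand-in for the asynchronous socket layer: callbacks are queued and
-- fired later, as nsock would after I/O completes.
local pending = {}

local function start_io(thread, anchor_table)
  -- The "userdata" remembers the thread only weakly (like a C pointer).
  local ud = setmetatable({}, { __mode = "v" })
  ud[1] = thread
  if anchor_table then
    -- The safe pattern: keep a strong (registry-style) reference until
    -- the callback has run, so the collector cannot reclaim the thread.
    anchor_table[ud] = thread
  end
  pending[#pending + 1] = ud
end

local function fire_callbacks(anchor_table)
  local results = {}
  for _, ud in ipairs(pending) do
    local thread = ud[1]
    if thread == nil then
      -- Dangling-pointer case: in C this would be a use-after-free and a
      -- SIGSEGV; in this model the weak slot has simply become nil.
      results[#results + 1] = "thread was collected"
    else
      local ok, value = coroutine.resume(thread, "data")
      results[#results + 1] = ok and value
        or ("resume error: " .. tostring(value))
      if anchor_table then anchor_table[ud] = nil end  -- release anchor
    end
  end
  pending = {}
  return results
end

-- A minimal "script": yields while waiting on the socket, then finishes.
local function make_script()
  return coroutine.create(function()
    local data = coroutine.yield("waiting for socket")
    return "script got " .. data
  end)
end

-- Case 1: nothing strong holds the thread after it yields.
local co = make_script()
coroutine.resume(co)           -- runs up to the yield
start_io(co)
co = nil
collectgarbage("collect")
print(fire_callbacks()[1])

-- Case 2: the thread is anchored until its callback has fired.
local anchors = {}
co = make_script()
coroutine.resume(co)
start_io(co, anchors)
co = nil
collectgarbage("collect")
print(fire_callbacks(anchors)[1])
```

In the first case the only remaining reference to the suspended coroutine is the weak one, so a full collection reclaims it and the callback finds nothing to resume; in the second case the strong anchor keeps the thread alive across the collection and the callback resumes it normally. The C-API equivalent of the anchor is storing the thread in the registry (for example with `luaL_ref`) when the I/O is started and releasing it only once the callback has consumed it.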