Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Bug parsing TCP packet
From: Gustavo Moreira <gmoreira () coresecurity com>
Date: Mon, 3 Jun 2013 18:42:48 -0300

Hi guys, I am working with nmap IPv6 OS fingerprinting code and I found
that when a TCP packet is padded to 32 bytes, there is a bug parsing its
TCP Options. It's because the libnetutil TCPHeader::getOption function
doesn't stop to iterate when a "End Of Options" option is found, so it
read the last padded zero as one more TCP option. In addition, it causes
that FPEngine::vectorize add more values to the "features" array, and
then it affects the final calculations when liblinear::predict_values is
called.
I attached a .pcap so you can reproduce the bug.

Regards,
Gustavo Moreira
Core Security

Attachment: gcm-bad-tcpoptions.pcap
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]