Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Bug parsing TCP packet
From: Henri Doreau <henri.doreau () gmail com>
Date: Sun, 16 Jun 2013 22:33:20 +0200

2013/6/3 Gustavo Moreira <gmoreira () coresecurity com>:
Hi guys, I am working with nmap IPv6 OS fingerprinting code and I found
that when a TCP packet is padded to 32 bytes, there is a bug parsing its
TCP Options. It's because the libnetutil TCPHeader::getOption function
doesn't stop to iterate when a "End Of Options" option is found, so it
read the last padded zero as one more TCP option. In addition, it causes
that FPEngine::vectorize add more values to the "features" array, and
then it affects the final calculations when liblinear::predict_values is
I attached a .pcap so you can reproduce the bug.

Gustavo Moreira
Core Security

Thanks for the report and sorry for the late answer. I just wrote a
super simple patch (attached) that I guess should fix the issue.

David, could you have a look at the consequences on the OS FP engine?



Attachment: get_opt_eol.patch

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]