mailing list archives
Re: Bug parsing TCP packet
From: Henri Doreau <henri.doreau () gmail com>
Date: Sun, 16 Jun 2013 22:33:20 +0200
2013/6/3 Gustavo Moreira <gmoreira () coresecurity com>:
Hi guys, I am working with nmap IPv6 OS fingerprinting code and I found
that when a TCP packet is padded to 32 bytes, there is a bug parsing its
TCP Options. It's because the libnetutil TCPHeader::getOption function
doesn't stop to iterate when a "End Of Options" option is found, so it
read the last padded zero as one more TCP option. In addition, it causes
that FPEngine::vectorize add more values to the "features" array, and
then it affects the final calculations when liblinear::predict_values is
I attached a .pcap so you can reproduce the bug.
Thanks for the report and sorry for the late answer. I just wrote a
super simple patch (attached) that I guess should fix the issue.
David, could you have a look at the consequences on the OS FP engine?
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/