Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Bug parsing TCP packet
From: David Fifield <david () bamsoftware com>
Date: Mon, 17 Jun 2013 11:05:47 -0700

On Sun, Jun 16, 2013 at 10:33:20PM +0200, Henri Doreau wrote:
2013/6/3 Gustavo Moreira <gmoreira () coresecurity com>:
Hi guys, I am working with nmap IPv6 OS fingerprinting code and I found
that when a TCP packet is padded to 32 bytes, there is a bug parsing its
TCP Options. It's because the libnetutil TCPHeader::getOption function
doesn't stop to iterate when a "End Of Options" option is found, so it
read the last padded zero as one more TCP option. In addition, it causes
that FPEngine::vectorize add more values to the "features" array, and
then it affects the final calculations when liblinear::predict_values is
I attached a .pcap so you can reproduce the bug.

Gustavo Moreira
Core Security

Thanks for the report and sorry for the late answer. I just wrote a
super simple patch (attached) that I guess should fix the issue.

David, could you have a look at the consequences on the OS FP engine?

Thanks, looks good to me. There are no consequences to the OS classifier
because we don't currently have any training examples that pad TCP in
this way.

David Fifield
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]