Nmap Development mailing list archives
Assertion failure in traceroute output
From: David Fifield <david () bamsoftware com>
Date: Wed, 9 May 2007 00:59:19 -0600
Hi all,
I'm David Fifield, one of the Summer of Code participants. I've been
exploring Nmap for the past few weeks, and I've found a way to make an
assertion fail in Traceroute::outputTarget.
To put it briefly, when I try to trace the route to my Internet gateway
(one hop away) using its Internet-facing IP address, I get this output:
# nmap -v -sP --traceroute 64.81.99.73
Starting Nmap 4.21ALPHA5 ( http://insecure.org ) at 2007-05-08 11:26 MDT
Initiating Parallel DNS resolution of 1 host. at 11:26
Completed Parallel DNS resolution of 1 host. at 11:26, 0.00s elapsed
Initiating Traceroute at 11:26
64.81.99.73: guessing hop distance at 49
Completed Traceroute at 11:26, 0.01s elapsed
Host goomba.bamsoftware.com (64.81.99.73) appears to be up.
nmap: NmapOutputTable.cc:172: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*,
int): Assertion `cell->str == __null' failed.
Aborted
The assertion fails even with other scan types, such as -sS, and when
run in debugging mode. I have also been able to reproduce this on other
hosts across the Internet, for example speakeasy.net, though most hosts
I've tried work fine. I'm running the trace from a 192.168.0.0/24
address. If I run the trace against the gateway's LAN address
192.168.0.1, I get no traceroute output because traceroute skips
directly connected hosts.
The assertion is in NmapOutputTable::addItem, at line 172 in
NmapOutputTable.cc. It checks to make sure a cell is empty before adding
an item into it. I found that what was already there was the RTT to the
gateway (a string like "0.06") and what was being added to the same cell
was the string "... 50".
I think the key is that the hop distance is guessed to be 49. Ordinarily
I would expect this to send 49 probes (TTLs 49 to 1), but the traceroute
sends one probe with a TTL of 255 at the beginning, making the total 50.
I've attached a file with --packet-trace output.
At line 730 of traceroute.cc, there is a check of the number of probes
sent against MAX_TTL, which is 50. When the number of probes reaches 50,
the state G_TTL is set on the TraceGroup. Later, at line 1049,
outputTarget checks for the state G_TTL, and if it is set, it puts the
string "... 50" in the RTT column of the output table, which is meant to
indicate that all probes up to a TTL of 50 have timed out. When it does
this, it tries to add the string into a cell that already has an RTT in
it, which causes the assertion to fail.
I don't understand the traceroute code well enough yet to recommend a
fix. I know that changing
if (tg->TraceProbes.size () >= MAX_TTL)
    tg->setState (G_TTL);
to
if (tg->TraceProbes.size () > MAX_TTL)
    tg->setState (G_TTL);
in traceroute.cc makes the problem go away. But it seems that rather
than testing the number of probes sent, the G_TTL state should be set
only when a probe with a TTL of MAX_TTL is not replied to.
David Fifield
Attachment: traceroute-packet-trace.txt
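A small stand-alone C++ model of the sequence the post describes, added here as an illustration; it is not Nmap's code and not part of the post. MAX_TTL, the G_TTL state, the initial TTL-255 probe and the occupied-cell check follow the post's description, while the struct and function names are simplified assumptions.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Constructed model (not Nmap's code): the MAX_TTL limit and G_TTL state
// that the post reports from traceroute.cc.
const std::size_t MAX_TTL = 50;
enum State { G_OK, G_TTL };

// One output-table cell. The real NmapOutputTable::addItem asserts that the
// cell is empty; this model returns false instead so the collision can be
// observed without aborting.
struct Cell {
    std::string str;
    bool addItem(const std::string& s) {
        if (!str.empty()) return false;  // where the real assertion fires
        str = s;
        return true;
    }
};

struct TraceGroup {
    std::vector<int> probes;  // TTLs sent so far
    State state = G_OK;
};

// Send the probes the post describes: one initial probe with TTL 255, then
// the guessed hop distance down to TTL 1. After every send, apply the
// probe-count check from the post; 'strict' selects the '>' comparison that
// the post reports as making the failure disappear.
TraceGroup runTrace(int hopGuess, bool strict) {
    TraceGroup tg;
    auto send = [&](int ttl) {
        tg.probes.push_back(ttl);
        bool limit = strict ? tg.probes.size() > MAX_TTL
                            : tg.probes.size() >= MAX_TTL;
        if (limit) tg.state = G_TTL;
    };
    send(255);
    for (int ttl = hopGuess; ttl >= 1; --ttl) send(ttl);
    return tg;
}

// Mirror of outputTarget as described: write the measured RTT, then, if
// G_TTL is set, write "... 50" into the same RTT cell. Returns false when
// the second write collides with the RTT already stored there.
bool outputTarget(const TraceGroup& tg, const std::string& rtt) {
    Cell rttCell;
    if (!rttCell.addItem(rtt)) return false;
    if (tg.state == G_TTL)
        return rttCell.addItem("... " + std::to_string(MAX_TTL));
    return true;
}
```

With a guessed hop distance of 49 the model sends exactly 50 probes, sets G_TTL under the `>=` check and collides on the RTT cell; the `>` variant only moves the edge, since a guess of 50 still sets G_TTL.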