Nmap Development mailing list archives

Re: More nsock socket_count_write_dec assert() failures


From: David Fifield <david () bamsoftware com>
Date: Mon, 1 Mar 2010 12:39:44 -0700

On Sat, Feb 27, 2010 at 02:40:02AM +0000, Brandon Enright wrote:
> > It would help if you recompile with debugging and without
> > optimization. It looks like calls are getting inlined and it's hard
> > to tell where under nsock_loop the function is being called.
> >
> > Can you tell if this particular host is being connected to with SSL?
>
> Okay here is a full backtrace without optimization or stripping:
>
> (gdb) bt
> #0  0x00007fd90545a205 in raise () from /lib/libc.so.6
> #1  0x00007fd90545b723 in abort () from /lib/libc.so.6
> #2  0x00007fd905453229 in __assert_fail () from /lib/libc.so.6
> #3  0x00000000005b543e in socket_count_write_dec (iod=<value optimized out>,
>     ms=<value optimized out>) at nsock_core.c:199

This is weird:

> #4  0x00000000005b5b4e in handle_write_result (ms=0x196b150, nse=0x248eb80,
>     status=<value optimized out>) at nsock_core.c:536
> #5  0x00000000005b727c in nsock_loop (nsp=0x196b150, msec_timeout=50)
>     at nsock_core.c:937

It doesn't look to me like these two lines can both execute. The first
one (#4, line 536) is

    531       if (iod->ssl) {
    532 #if HAVE_OPENSSL
    533         err = SSL_get_error(iod->ssl, res);
    534         if (err == SSL_ERROR_WANT_READ) {
    535           nse->sslinfo.ssl_desire = err;
    536           socket_count_write_dec(iod, ms);
    537           socket_count_read_inc(iod, ms);
    538         } else if (err == SSL_ERROR_WANT_WRITE) {
    539           nse->sslinfo.ssl_desire = err;
    540         } else {
    541           /* Unexpected error */
    542           nse->event_done = 1;
    543           nse->status = NSE_STATUS_ERROR;
    544           nse->errnum = EIO;
    545         }
    546 #endif
    547       } else {

The second one (#5, line 937) is

    928 #if HAVE_OPENSSL
    929             desire_r = nse->sslinfo.ssl_desire == SSL_ERROR_WANT_READ;
    930             desire_w = nse->sslinfo.ssl_desire == SSL_ERROR_WANT_WRITE;
    931             if (nse->iod->ssl && ((desire_r && match_r) ||
    932                                   (desire_w && match_w)))
    933               handle_write_result(nsp, nse, NSE_STATUS_SUCCESS);
    934             else
    935 #endif
    936             if (!nse->iod->ssl && match_w)
    937               handle_write_result(nsp, nse, NSE_STATUS_SUCCESS);

It looks like #4 can only execute if iod->ssl is true, and #5 can only
execute if iod->ssl is not true.

Can you tell from the logs if this particular IOD is trying to use SSL?
You can send me the end of the log.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

