Nmap Development mailing list archives

RE: Surface pro 3 debug build


From: Peter Malecka <peter.malecka () me com>
Date: Thu, 12 Feb 2015 15:11:25 +0100

Dan,

 

I believe that everything works just fine after applying the fix. While the error buffer contains some data, the 
function returns without an error. 

From what I saw it seems that while enumerating the devices, wpcap encounters an issue opening a device – writes stuff 
to errbuf, skips the device and continues enumerating other devices.

 

After applying the fix I mentioned, everything seems to work just fine, and I am actually able to run “nmap 
scanme.nmap.org” and get a meaningful output.

 

p_ifaces contains two entries:

-  p_ifaces       0x02c22f70 {next=0x02c21170 {next=0x00000000 <NULL> name=0x02c22c60 "\\Device\\NPF_{77524534-162F-4DAE-91EC-9093F61CFE6E}" ...} ...}   pcap_if *
+    next         0x02c21170 {next=0x00000000 <NULL> name=0x02c22c60 "\\Device\\NPF_{77524534-162F-4DAE-91EC-9093F61CFE6E}" ...}   pcap_if *
+    name         0x02c30178 "\\Device\\NPF_{8506B6A6-4EE6-40B4-BA32-B20C01604203}"   char *
+    description  0x02c22fa0 "Microsoft"   char *
+    addresses    0x02c301c8 {next=0x00000000 <NULL> addr=0x02c301f8 {sa_family=2 sa_data=0x02c301fa "" } netmask=0x02c30290 {...} ...}   pcap_addr *
     flags        0   unsigned int

 

errbuf contains "failed to set hardware filter to non-promiscuous mode" – as a result of wpcap trying to open that 
Wifi-Direct adapter and failing

 

pcap_findalldevs returned 0

 

That is an undocumented behaviour, but according to their documentation, you should only check errbuf when the return 
value is -1. It does imply that the errbuf should be empty otherwise, but does not implicitly state that.

 

I think applying the fix does not break anything for existing users – since I copied the code from a sample and it seems 
to fix this issue. Also – should there be any other error there (while pcap_findalldevs returns -1 and the errbuf is 
expected to be filled), having the errbuf set to NULL would most likely cause a similar crash.

 

As for treating this as a warning – I would not bother checking the errbuf when the function returns 0 (success), since 
it may or may not be used and it may or may not contain meaningful data.

 

Peter

 

From: Daniel Miller [mailto:bonsaiviking () gmail com] 
Sent: Thursday, February 12, 2015 2:42 PM
To: Peter Malecka; Nmap-dev
Subject: Re: Surface pro 3 debug build

 

Peter,

Thanks so much! This is really helpful information. Unfortunately, it still looks like this ends up making Nmap 
unusable on this platform, since we just traded a crash (worst) for a fatal error (still bad). Can you see, while you 
debug, whether the pcap_if_t structures (pcapdevs and p_ifaces) have any valid content in them after pcap_findalldevs 
returns with error status? In other words, can we treat this error as a warning ("Can't enumerate all interfaces" or 
something) and still make do with the interfaces that *are* supported? It's a long shot, but might be worthwhile to 
check.

Dan

 

On Thu, Feb 12, 2015 at 4:26 AM, Peter Malecka <peter.malecka () me com> wrote:

Daniel,

 

I poked around wpcap source, compiled it from source and debugged some more.

 

I found a possible issue there. When those wpcap functions are called, they sometimes have the errbuf argument set to 
null. The documentation does not state that the argument can be null.
http://www.tcpdump.org/manpages/pcap_findalldevs.3pcap.html

 

I tried fixing this issue for the --iflist command, and succeeded. I had to fix it in these 2 places:

 

intf-win32.c

char errbuf[PCAP_ERRBUF_SIZE];

       if (pcap_findalldevs(&pcapdevs, errbuf) == -1) {
              intf_close(intf);
              return (-1);
       }

tcpip.cc

char errbuf[PCAP_ERRBUF_SIZE];

  if ((pcap_findalldevs(&p_ifaces, errbuf)) == -1) {
    fatal("pcap_findalldevs() : Cannot retrieve pcap interfaces");
    return NULL;
  }

 

Note the new errbuf variable and how it is used in the pcap_findalldevs function instead of a null argument. There 
might be more places where this causes issues.

 

On a side note: it was failing on the Microsoft Wifi direct virtual adapter. See attached the callstack from winpcap 
debug (crash on strncpy to an empty errbuf).

 

Hope it helps.

 

Peter

 

From: Daniel Miller [mailto:bonsaiviking () gmail com] 
Sent: Thursday, February 5, 2015 11:17 PM
To: Peter Malecka
Subject: Re: Surface pro 3 debug build

 

Peter,

Thank you so much! I will see what I can do from here.

Dan

 

On Thu, Feb 5, 2015 at 3:27 PM, Peter Malecka <peter.malecka () me com> wrote:

Hi Dan,

 

I followed your instructions and ran the debugger in vs2013 (nmap --iflist).

 

Please find attached all the output I could generate now. 

 

In the callstack.txt, there is the line and details of the wpcap call that failed (pcap_findalldevs(&p_ifaces, NULL)), 
the rest is wpcap debug output. I cannot see any deeper without the wpcap pdb.

 

Hope it helps,

 

Peter

 

From: Daniel Miller [mailto:bonsaiviking () gmail com] 
Sent: Thursday, February 5, 2015 6:02 PM
To: Peter Malecka
Cc: dmiller () nmap org
Subject: Re: Surface pro 3 debug build

 

Peter,

Thanks for offering to help. I've gotten several offers, but no follow-up. We really need a backtrace of the actual 
call that fails. Anything you can provide beyond that would be great, too. You can get the debug package here: <snip>

 

There are bug reporting instructions on WinPcap's web site which will probably help to create better debug output: 
http://www.winpcap.org/bugs.htm

Thanks!
Dan

 

On Thu, Feb 5, 2015 at 6:38 AM, Peter Malecka <peter.malecka () me com> wrote:

Hi Dan,

 

While looking at this issue on github ( https://github.com/nmap/nmap/issues/15 ), I found that you might be looking for 
people to help you debug new builds.

 

Let me know if I can help.

 

Best,

 

Peter

 

 

 

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
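
The calling pattern discussed in this thread, as an added example (not code from Nmap, WinPcap or the original messages): the caller always supplies a real error buffer, lets only the return value decide success, and treats text left in the buffer after a successful call as informational. `fake_findalldevs`, `struct dev`, `list_devices` and the device names are constructed stand-ins so the example builds without WinPcap.

```c
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 256 /* same size as libpcap's PCAP_ERRBUF_SIZE */

/* Constructed stand-in for pcap_if_t: only the fields this example needs. */
struct dev { struct dev *next; const char *name; };

/* Constructed stand-in for pcap_findalldevs(), modelled on the behaviour
 * reported in the thread: one adapter cannot be opened, a message is written
 * into errbuf, that adapter is skipped and the call still returns 0.
 * It writes to errbuf unconditionally, so a NULL errbuf would crash here. */
static int fake_findalldevs(struct dev **out, char *errbuf, int fail_all)
{
    static struct dev d2 = { NULL, "dev-b (constructed)" };
    static struct dev d1 = { &d2, "dev-a (constructed)" };

    if (fail_all) {
        snprintf(errbuf, ERRBUF_SIZE, "cannot enumerate adapters");
        *out = NULL;
        return -1;
    }
    snprintf(errbuf, ERRBUF_SIZE,
             "failed to set hardware filter to non-promiscuous mode");
    *out = &d1;
    return 0;
}

/* Returns the number of usable devices, or -1 on failure.
 * msg receives "error: ..." on failure, "warning: ..." when the call
 * succeeded but left text in errbuf, or an empty string otherwise. */
static int list_devices(int fail_all, char *msg, size_t msg_len)
{
    char errbuf[ERRBUF_SIZE];   /* never pass NULL for this argument */
    struct dev *devs = NULL, *d;
    int n = 0;

    errbuf[0] = '\0';           /* so leftover stack data is not read as a message */
    msg[0] = '\0';
    if (fake_findalldevs(&devs, errbuf, fail_all) == -1) {
        snprintf(msg, msg_len, "error: %s", errbuf);
        return -1;              /* only -1 means the list is unusable */
    }
    if (errbuf[0] != '\0')      /* success, but some device was skipped */
        snprintf(msg, msg_len, "warning: %s", errbuf);
    for (d = devs; d != NULL; d = d->next)
        n++;
    return n;
}
```
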
