Date: Thu, 9 Mar 2006 11:22:51 +0100 (CET) From: Daniel Roethlisberger <daniel@roe.ch> To: FreeBSD-gnats-submit@FreeBSD.org Cc: Alan Amesbury <amesbury@umn.edu>, daniel@roe.ch Subject: ports/94264: [maintainer] security/nmap: fix infinite loop in scan engine Message-ID: <200603091022.k29AMpxh016850@aphrodite.roe> Resent-Message-ID: <200603091040.k29Ae455013148@freefall.freebsd.org>
>Number: 94264 >Category: ports >Synopsis: [maintainer] security/nmap: fix infinite loop in scan engine >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Thu Mar 09 10:40:03 GMT 2006 >Closed-Date: >Last-Modified: >Originator: Daniel Roethlisberger >Release: FreeBSD 5.4-STABLE i386 >Organization: >Environment: System: FreeBSD aphrodite.roe 5.4-STABLE FreeBSD 5.4-STABLE #7: Mon Oct 10 18:02:44 CEST 2005 root@aphrodite.roe:/usr/obj/usr/src/sys/APHRODITE i386 >Description: Add: files/patch-scan_engine.cc - Add patch resolving an infinite loop in the scan engine - Bump PORTREVISION Requested by: Alan Amesbury <amesbury@umn.edu> >How-To-Repeat: >Fix: --- nmap-4.01-loopfix.diff begins here --- diff -ruN nmap.orig/Makefile nmap/Makefile --- nmap.orig/Makefile Sat Feb 18 12:20:31 2006 +++ nmap/Makefile Thu Mar 9 10:59:18 2006 @@ -7,6 +7,7 @@ PORTNAME?= nmap PORTVERSION= ${DISTVERSION:L:C/([a-z])[a-z]+/\1/g:C/[^a-z0-9+]+/./g} +PORTREVISION= 1 CATEGORIES= security ipv6 MASTER_SITES= http://download.insecure.org/nmap/dist/ \ http://www.mirrors.wiretapped.net/security/network-mapping/nmap/ \ diff -ruN nmap.orig/files/patch-scan_engine.cc nmap/files/patch-scan_engine.cc --- nmap.orig/files/patch-scan_engine.cc Thu Jan 1 01:00:00 1970 +++ nmap/files/patch-scan_engine.cc Thu Mar 9 11:03:44 2006 
@@ -0,0 +1,45 @@ +$FreeBSD$ + +Patch taken from <20060217013528.GG7214@syn.lnxnet.net>. +http://seclists.org/lists/nmap-dev/2006/Jan-Mar/0205.html +Will be included in nmap 4.02. + +--- scan_engine.cc.ORIG Wed Mar 8 13:36:06 2006 ++++ scan_engine.cc Wed Mar 8 13:40:44 2006 +@@ -807,6 +807,7 @@ + + /* Returns true if the GLOBAL system says that sending is OK.*/ + bool GroupScanStats::sendOK() { ++ int recentsends; + + if (USI->scantype == CONNECT_SCAN && CSI->numSDs >= CSI->maxSocketsAllowed) + return false; +@@ -815,7 +816,9 @@ + the last listen call, at least for systems such as Windoze that + don't give us a proper pcap time. Also for connect scans, since + we don't get an exact response time with them either. */ +- if (USI->scantype == CONNECT_SCAN || !pcap_recv_timeval_valid()) { ++ recentsends = USI->gstats->probes_sent - USI->gstats->probes_sent_at_last_wait; ++ if (recentsends > 0 && ++ (USI->scantype == CONNECT_SCAN || !pcap_recv_timeval_valid())) { + int to_ms = (int) MAX(to.srtt * .75 / 1000, 50); + if (TIMEVAL_MSEC_SUBTRACT(USI->now, last_wait) > to_ms) + return false; +@@ -828,7 +831,7 @@ + responses when I scan localhost. And half of those are the @#$# + sends being received. I think I'll put a limit of 50 sends per + wait */ +- if (USI->gstats->probes_sent - USI->gstats->probes_sent_at_last_wait >= 50) ++ if (recentsends >= 50) + return false; + + /* When there is only one target left, let the host congestion +@@ -969,7 +972,7 @@ + + getTiming(&tmng); + if (tmng.cwnd >= num_probes_active + .5 && +- (freshPortsLeft() || num_probes_waiting_retransmit)) { ++ (freshPortsLeft() || num_probes_waiting_retransmit || !retry_stack.empty())) { + if (when) *when = USI->now; + return true; + } --- nmap-4.01-loopfix.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
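Review bot: In the Makefile hunk (@@ -7,6 +7,7 @@), adding `PORTREVISION= 1` directly after `PORTVERSION=` is the right ordering and is required here, since files/patch-scan_engine.cc changes the compiled binary without changing the distfile; nothing further to raise on this hunk.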
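Review bot: In the nested scan_engine.cc hunk at @@ -807,6 +807,7 @@, `int recentsends;` is declared uninitialized; it is only read after the unconditional assignment in the following hunk, so this is safe as written, but `int recentsends = 0;` would make the intent obvious to a reader who sees only this hunk and would keep any future early read from being undefined behaviour.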
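Review bot: The hunk at @@ -815,7 +816,9 @@ is the actual loop fix: with the old condition, once `TIMEVAL_MSEC_SUBTRACT(USI->now, last_wait) > to_ms` held, `sendOK()` kept returning false even when no probe had been sent since the last wait, so there was nothing to wait for and the scheduler spun; guarding with `recentsends > 0` lets sending proceed in that state. Worth checking that every path that resets `last_wait` also updates `probes_sent_at_last_wait`, because the guard assumes the two are kept in step. Computing `recentsends` before the `if` rather than inside it is correct, since the @@ -828 hunk relies on it being set.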
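Review bot: The hunk at @@ -828,7 +831,7 @@ only substitutes the cached `recentsends` for `USI->gstats->probes_sent - USI->gstats->probes_sent_at_last_wait`; behaviour is unchanged provided neither counter is modified between the assignment and this check, which holds inside `sendOK()` as shown. The surrounding comment still explains the "50 sends per wait" limit, so no documentation change is needed.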
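Review bot: The hunk at @@ -969,7 +972,7 @@ fixes the companion stall: a host with no fresh ports and no probes waiting for retransmit but a non-empty `retry_stack` previously reported that it could not send, so its retries were never scheduled and the scan could not complete; adding `|| !retry_stack.empty()` makes the retry stack count as pending work. Since `num_probes_waiting_retransmit` is an integer tested for non-zero alongside a boolean `empty()` call, writing `num_probes_waiting_retransmit > 0` would make the three-way condition read uniformly, though that is a style point only.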