List: nmap-dev
Subject: Re: nmap: nsock_core.c:294: handle_connect_result: Assertion `0'
From: David Fifield <david () bamsoftware ! com>
Date: 2009-04-30 23:06:37
Message-ID: 20090430230637.GA10063 () gusto
On Thu, Apr 30, 2009 at 09:19:07AM +0200, Fabio wrote:
> > On Wed, Apr 29, 2009 at 03:29:20PM +0200, Fabio wrote:
> > > When trying to scan some hosts to search for the Conficker virus I get
> > > the following assertion. This is nmap 4.85BETA8 compiled from source on
> > > a SPARC machine under Linux, gcc 4.0.3.
> > >
> > > $ ./nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns \
> > > --script-args checkconficker=1,safe=1 -T4 192.168.29.55
> > > Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-04-29 15:44 CEST
> > > Strange connect error from 192.168.29.55 (42): Operation now in progress
> > > nmap: nsock_core.c:294: handle_connect_result: Assertion `0' failed.
> > > Aborted
> >
> > This is a strange error. Errno 42 is ENOMSG, "No message of desired
> > type". But perror is printing out the message for EINPROGRESS,
> > "Operation now in progress". I suppose it is possible for errno and the
> > error code returned by getsockopt to be different in this part of the
> > code.
> >
> > Does this assertion failure happen every time? If so, it would help if
> > you could send a packet capture created with tcpdump or a similar tool.
>
> The assertion is 100% reproducible with that host. A packet capture
> (with tcpdump -vvv) is attached.
Thanks. The packet trace is pretty strange. Here you send the TCP ping
probes, so far so good.
09:29:05.777093 IP (tos 0x0, ttl 56, id 3417, offset 0, flags [none], proto: TCP (6), length: 44) 192.168.29.1.49218 > 192.168.29.55.139: S, cksum 0x5feb (correct), 1691702033:1691702033(0) win 1024 <mss 1460>
09:29:05.777462 IP (tos 0x0, ttl 52, id 4850, offset 0, flags [none], proto: TCP (6), length: 44) 192.168.29.1.49218 > 192.168.29.55.445: S, cksum 0x5eb9 (correct), 1691702033:1691702033(0) win 1024 <mss 1460>
The remote host says that it doesn't understand TCP?
09:29:05.777795 IP (tos 0x0, ttl 128, id 25678, offset 0, flags [none], proto: ICMP (1), length: 56) 192.168.29.55 > 192.168.29.1: ICMP 192.168.29.55 protocol 6 unreachable, length 36
Then the scanning machine sends back another TCP packet, this time with
no header.
IP (tos 0x0, ttl 56, id 3417, offset 0, flags [none], proto: TCP (6), length: 44) 192.168.29.1.49218 > 192.168.29.55.139: tcp 24 [bad hdr length 0 - too short, < 20]
What is the operating system of 192.168.29.55? Is there anything special
about the scanning SPARC machine? Has anyone seen traffic like that and
can provide an explanation?
I guess the ENOMSG is caused by the "protocol 6 unreachable" replies.
Can you try the attached patch and see if it fixes the problem?
David Fifield
["nsock-enomsg.diff" (text/plain)]
Index: src/nsock_core.c
===================================================================
--- src/nsock_core.c (revision 13137)
+++ src/nsock_core.c (working copy)
@@ -282,6 +282,7 @@
#endif
#ifndef WIN32
case EPIPE: /* Has been seen after connect on Linux. */
+ case ENOMSG: /* Also seen on Linux, perhaps in response to protocol unreachable. */
#endif
nse->status = NSE_STATUS_ERROR;
nse->errnum = optval;
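Review bot: the new `case ENOMSG:` line turns the assertion into a reported error, but its comment hedges with "perhaps"; the thread above ties ENOMSG to the ICMP "protocol 6 unreachable" replies seen in the capture on Linux/SPARC, so state that observation (platform and trigger) in the comment so the mapping stays traceable for the next person who hits it. Worth checking in the same function: the thread notes that the printed message ("Operation now in progress", EINPROGRESS) did not match the reported number (42, ENOMSG), which suggests the diagnostic is built from errno while this switch and `nse->errnum = optval;` use the getsockopt value; deriving the message from the same optval would make number and text agree.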
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org