Fix ICMP Time Exceeded handling. See #110, #2153

We attempted to fix this twice already, so this change reverses r36709 (which simply ignored all Time Exceeded messages for host discovery, leading to long scan times when the TTL is insufficient) and r34557 (which used incorrect logic to match ICMP responses, resulting in ignoring all ICMP error messages in response to ICMP probes, e.g. Time Exceeded for Echo Request). Instead, we'll correctly verify that the ICMP ID of the *encapsulated datagram* matches the one for the probe we are attempting to match.
2025-12-15 04:09:01 +00:00 · 2020-10-21 20:51:15 +00:00
parent 532d5a555e
commit 19286e796d
1 changed files with 7 additions and 3 deletions
--- a/scan_engine_raw.cc
+++ b/scan_engine_raw.cc
@@ -627,14 +627,14 @@ int get_ping_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
          if (probe->protocol() != encaps_hdr.proto ||
              sockaddr_storage_cmp(&target_src, &hdr.dst) != 0 ||
              sockaddr_storage_cmp(&target_src, &encaps_hdr.src) != 0 ||
-              sockaddr_storage_cmp(&target_dst, &encaps_hdr.dst) != 0 ||
-              ((probe->protocol() == IPPROTO_ICMP || probe->protocol() == IPPROTO_ICMPV6) &&
-               ntohs(ping->id) != probe->icmpid()))
+              sockaddr_storage_cmp(&target_dst, &encaps_hdr.dst) != 0)
            continue;

          if ((encaps_hdr.proto == IPPROTO_ICMP || encaps_hdr.proto == IPPROTO_ICMPV6)
              && USI->ptech.rawicmpscan) {
            /* The response was based on a ping packet we sent */
+            if (probe->icmpid() != ntohs(((struct icmp *) encaps_data)->icmp_id))
+              continue;
          } else if (encaps_hdr.proto == IPPROTO_TCP && USI->ptech.rawtcpscan) {
            struct tcp_hdr *tcp = (struct tcp_hdr *) encaps_data;
            if (probe->dport() != ntohs(tcp->th_dport) ||
@@ -688,6 +688,10 @@ int get_ping_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
                   || (hdr.proto == IPPROTO_ICMPV6 && ping->type == 3)) {
          if (o.debugging)
            log_write(LOG_STDOUT, "Got Time Exceeded for %s\n", hss->target->targetipstr());
+          goodone = 1;
+          newstate = HOST_DOWN;
+          /* I don't want anything to do with timing this. */
+          adjust_timing = false;
        } else if (hdr.proto == IPPROTO_ICMP && ping->type == 4) {
          if (o.debugging)
            log_write(LOG_STDOUT, "Got ICMP source quench\n");