From 22270f68689958fc74848db5812f0f9508cc6dd8 Mon Sep 17 00:00:00 2001
From: david
Date: Sat, 13 Oct 2012 20:37:21 +0000
Subject: [PATCH] Decrease the value of the OS scan T test value by 1.

I changed the hop distance calculation in r26791 to include the end host, so that a directly connected target would be a distance 1, not 0, and so on. But I didn't adjust the calculation of the T test value to compensate. I noticed this in a lot of OS submissions that were directly connected having an estimated initial TTL of T=41, i.e., 65 rather than 64. http://seclists.org/nmap-dev/2011/q3/796
---
 osscan2.cc | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/osscan2.cc b/osscan2.cc
index c88ee0786..e2b429ec7 100644
--- a/osscan2.cc
+++ b/osscan2.cc
@@ -1968,9 +1968,10 @@ void HostOsScan::makeFP(HostOsScanStats *hss) {
 if (hss->distance != -1) {
 /* We've gotten response for the UDP probe and thus have
- the "true" hop count. Add the received TTL to the hop
- count to get the initial TTL. */
- it->value = string_pool_sprintf("%hX", ttl + hss->distance);
+ the "true" hop count. Add the number of hops between
+ us and the target (hss->distance - 1) to the received
+ TTL to get the initial TTL. */
+ it->value = string_pool_sprintf("%hX", ttl + hss->distance - 1);
 } else {
 /* Guess the initial TTL value */
 it->attribute = "TG";
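Review bot: The guard `if (hss->distance != -1)` above the changed line excludes only the sentinel, so a `hss->distance` of 0 would now reach `ttl + hss->distance - 1` and report an initial TTL one below the received TTL. After the r26791 change described in the message, 0 should no longer be a valid distance, but nothing in the hunk enforces that; tightening the guard to `if (hss->distance > 0)` would route any stray 0 to the `TG` guess instead, or an `assert(hss->distance >= 1);` before the assignment would make the new invariant explicit. The enclosing makeFP body starts and ends outside the hunk.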