From 3b500dc8dffd0a548342c6abd8bd4117904fcc94 Mon Sep 17 00:00:00 2001
From: david
Date: Thu, 25 Aug 2011 05:35:03 +0000
Subject: [PATCH] Remove these condition on probe matching: A RST/ACK can only be matched to a SYN or FIN. A bare RST cannot be matched to a SYN or FIN. Matthew Stickney and Joe McEachern found cases where this caused replies to be missed (specifically, RST/ACK in reponse to a NULL probe) and also found standards justification for hosts returning RST/ACK in such a situation.
---
 CHANGELOG | 4 ++++
 scan_engine.cc | 11 +----------
 2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index f8bd9b164..4a5e40756 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o Removed some restrictions on probe matching that, for example,
+ prevented a RST/ACK reply from being recognized in a NULL scan. This
+ was found and fixed by Matthew Stickney and Joe McEachern.
+
 o Rearranged some characters classes in service matches to avoid any
 that look like POSIX collating symbols ("[.xyz.]"). John Hutchison
 discovered this error caused by one of the match lines:
diff --git a/scan_engine.cc b/scan_engine.cc
index 58825965d..30fddd8a6 100644
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -2535,21 +2535,12 @@ static bool tcp_probe_match(const UltraScanInfo *USI, const UltraProbe *probe,
 /* Make sure we are matching up the right kind of probe, otherwise just the
 ports, address, tryno, and pingseq can be ambiguous, between a SYN and an
 ACK probe during a -PS80 -PA80 scan for example. A SYN/ACK can only be
- matched to a SYN probe. A RST/ACK can only be matched to a SYN or FIN. A
- bare RST cannot be matched to a SYN or FIN. */
+ matched to a SYN probe. */
 probedata = &probe->pspec()->pd.tcp;
 if ((tcp->th_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)
 && !(probedata->flags & TH_SYN)) {
 return false;
 }
- if ((tcp->th_flags & (TH_RST | TH_ACK)) == (TH_RST | TH_ACK)
- && !(probedata->flags & (TH_SYN | TH_FIN))) {
- return false;
- }
- if ((tcp->th_flags & (TH_RST | TH_ACK)) == TH_RST
- && (probedata->flags & (TH_SYN | TH_FIN))) {
- return false;
- }
 
 /* Sometimes we get false results when scanning localhost with -p- because we
 scan localhost with src port = dst port and see our outgoing packet and
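Review bot: With both RST checks removed, the ambiguity the surviving comment still cites (a SYN and an ACK probe to the same port in a -PS80 -PA80 scan) is no longer handled for RST replies: the only filter left is the SYN/ACK-to-SYN-probe check, so a bare RST answering the ACK probe and a RST/ACK answering the SYN probe now both pass for either probe, and attribution rests on the ports, address, tryno and pingseq the comment names. Nothing in the hunk records why that is acceptable, so the next reader may take the dropped checks for an accident; I would extend the kept comment with the reason, e.g. `RST and RST/ACK are deliberately accepted for any probe type: a closed port answers a segment without ACK (a NULL probe included) with RST/ACK per RFC 793 reset generation, so keying on SYN/FIN silently dropped valid replies.` If the disambiguation is still wanted, a narrower rule keyed on the probe's ACK bit (RFC 793 sends a bare RST only to segments that carry ACK) would keep it while fixing the NULL case, though stacks or middleboxes that answer a SYN with a bare RST would again go unmatched, which is presumably why the blanket removal was chosen. tcp_probe_match begins and ends outside the hunk.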