From 439e99198591d558f4303a7c895f138120b5920c Mon Sep 17 00:00:00 2001 From: david Date: Wed, 27 May 2009 22:08:24 +0000 Subject: [PATCH] When handling ICMP ping probe replies, make sure we match up with the right type of probe (0 with 8, 14 with 13, 18 with 17). With the new default ping, I was scanning a network where an echo reply would mistakenly be interpreted as a response to a timestamp request, even though that host didn't respond to timestamp requests. That host would become the global ping host, and all its probes would be dropped, slowing the scan way down. A ping scan of a /24 took over 1,000 seconds when it should have taken about 10. --- CHANGELOG | 4 ++++ scan_engine.cc | 7 ++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index 74ce69d50..20e08c46a 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -8,6 +8,10 @@ o There is a new default ping probe set: -PE -PS443 -PA80 -PP. In ping probes are now sent in order of effectiveness (-PE first) so that less likely probes may not have to be sent. [David/Fyodor] +o Fixed a bug where an ICMP echo, timestamp, or address mask reply + could be matched up with the wrong ICMP probe if more than one ICMP + probe type was being sent (as with the new default ping). [David] + o [Zenmap] Fixed a crash, introduced in 4.85BETA4, that happened when searching scan results by date. [David] The error message was File "zenmapGUI\SearchGUI.pyo", line 816, in set_date diff --git a/scan_engine.cc b/scan_engine.cc index cb4e528e5..029531573 100644 --- a/scan_engine.cc +++ b/scan_engine.cc 
@@ -4190,7 +4190,7 @@ static int get_ping_pcap_result(UltraScanInfo *USI, struct timeval *stime) { if (current_reason == ER_DESTUNREACH) current_reason = ping->code + ER_ICMPCODE_MOD; - /* Echo reply, Timestamp reply, or Address Mask Reply */ + /* Echo reply, Timestamp reply, or Address Mask Reply. RFCs 792 and 950. */ if (USI->ptech.rawicmpscan && (ping->type == 0 || ping->type == 14 || ping->type == 18)) { memset(&sin, 0, sizeof(sin)); sin.sin_addr.s_addr = ip->ip_src.s_addr; @@ -4226,6 +4226,11 @@ static int get_ping_pcap_result(UltraScanInfo *USI, struct timeval *stime) { /* Ensure the connection info matches. */ if (hss->target->v4sourceip()->s_addr != ip->ip_dst.s_addr) continue; + /* Don't match a timestamp request with an echo reply, for example. */ + if ((ping->type == 0 && probe->pspec()->pd.icmp.type != 8) || + (ping->type == 14 && probe->pspec()->pd.icmp.type != 13) || + (ping->type == 18 && probe->pspec()->pd.icmp.type != 17)) + continue; /* Sometimes we get false results when scanning localhost with -p- because we scan localhost with src port = dst port and
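Review bot: the new guard hard-codes the reply/request pairing (0/8, 14/13, 18/17) as a second copy of the reply-type list that the enclosing `if` already checks (`ping->type == 0 || ping->type == 14 || ping->type == 18`), so any further ICMP probe type has to be added in both places and a typo in one silently drops valid replies; consider a small helper that maps a reply type to its request type and is used by both tests, and prefer named constants over bare integers now that the comment cites RFC 792/950 for them. The three `probe->pspec()->pd.icmp.type` reads also assume every probe visited in this loop is an ICMP probe; if the per-host probe list can carry the TCP probes from the same default set (-PS443 -PA80), check the probe's protocol before reading the ICMP member.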
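To make the pairing concrete, here is an added example in C (written for this page, not Nmap's own code): a reply-to-request type mapping and a probe matcher that can run either with address-only matching (the behaviour the commit message describes) or with the type pairing the patch introduces. The struct names, the host address 10.0.0.5 and the order of the outstanding probes are constructed for illustration; the probe order is chosen so that the echo reply is credited to the timestamp probe when types are ignored.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ICMP message types, RFC 792 (echo, timestamp) and RFC 950 (address mask). */
enum {
    ECHO_REPLY     = 0,
    ECHO_REQUEST   = 8,
    TSTAMP_REQUEST = 13,
    TSTAMP_REPLY   = 14,
    MASK_REQUEST   = 17,
    MASK_REPLY     = 18
};

/* Hypothetical outstanding-probe record; stands in for the per-host probe
   list the scanner walks. Not Nmap's own probe structure. */
struct pending_probe {
    uint32_t target;    /* IPv4 address the probe was sent to, host order */
    int icmp_type;      /* request type that was sent */
};

/* Hypothetical summary of a sniffed ICMP reply. */
struct icmp_reply {
    uint32_t src;       /* IPv4 source of the reply, host order */
    int type;
};

/* Request type that elicits a given reply type, or -1 for anything else.
   Keeping the pairing in one function avoids listing the types twice. */
int request_type_for_reply(int reply_type)
{
    switch (reply_type) {
    case ECHO_REPLY:   return ECHO_REQUEST;
    case TSTAMP_REPLY: return TSTAMP_REQUEST;
    case MASK_REPLY:   return MASK_REQUEST;
    default:           return -1;
    }
}

/* Index of the outstanding probe this reply answers, or -1 if none.
   strict == false: match on source address only (pre-patch behaviour).
   strict == true:  also require the probe's request type to pair with the
                    reply type (what the patch adds). */
int match_reply_to_probe(const struct icmp_reply *r,
                         const struct pending_probe *probes, size_t n,
                         bool strict)
{
    int want = request_type_for_reply(r->type);
    if (want < 0)
        return -1;              /* not an echo/timestamp/mask reply */
    for (size_t i = 0; i < n; i++) {
        if (probes[i].target != r->src)
            continue;           /* reply is from a different host */
        if (strict && probes[i].icmp_type != want)
            continue;           /* right host, wrong probe type */
        return (int)i;
    }
    return -1;
}

/* Constructed scenario from the commit message: one host (10.0.0.5, made up)
   was sent a timestamp request (-PP) and an echo request (-PE) and answers
   echo only. Returns the index of the probe the echo reply is credited to. */
int demo_echo_reply_credit(bool strict)
{
    const uint32_t host = 0x0A000005u;               /* 10.0.0.5 */
    const struct pending_probe probes[] = {
        { host, TSTAMP_REQUEST },   /* index 0: this host never answers it */
        { host, ECHO_REQUEST   },   /* index 1: the probe actually answered */
    };
    const struct icmp_reply reply = { host, ECHO_REPLY };
    return match_reply_to_probe(&reply, probes, 2, strict);
}

int main(void)
{
    printf("address-only match credits probe %d (timestamp request)\n",
           demo_echo_reply_credit(false));
    printf("type-paired match credits probe %d (echo request)\n",
           demo_echo_reply_credit(true));
    return 0;
}
```

With address-only matching the echo reply lands on the timestamp probe, which is the mis-credit that left the timestamp-silent host as the global ping host in the commit message; with the type pairing enabled it lands on the echo probe and the timestamp probe simply times out as it should.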