From 43f5db6ce4bd37d5eb5f077c72a624bc28dcb9b4 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Thu, 28 Mar 2013 21:11:45 +0000
Subject: [PATCH] Handle ICMP Time Exceeded messages in scan engine

DiabloHorn on #nmap noticed that Nmap was ignoring ICMP Time Exceeded messages while trying to map firewall rules using --ttl. get_pcap_result() was handling ICMP type 3 (Destination Unreachable), but not type 11 (Time Exceeded). Now ports that elicit this response will be marked filtered (to be consistent with existing Connect scan behavior) and will report time-exceeded from (IP) for the reason. This was not a common issue, since host discovery already accounted for it. Port scans would only be affected when skipping host discovery.

---
 scan_engine.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/scan_engine.cc b/scan_engine.cc
index bda44265b..74f869ac2 100644
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -4524,7 +4524,7 @@ static bool get_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
       if (datalen < 8)
         continue;
-      if (icmp->icmp_type != 3)
+      if (icmp->icmp_type != 3 && icmp->icmp_type != 11)
         continue;
       encaps_len = datalen - 8;
@@ -4637,6 +4637,11 @@ static bool get_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
               break;
             goodone = true;
           }
+          else if (icmp->icmp_type == 11) { /* ICMP Time Exceeded */
+            newstate = PORT_FILTERED;
+            current_reason = icmp_to_reason(hdr.proto, icmp->icmp_type, icmp->icmp_code);
+            goodone = true;
+          }
         }
       } else if (hdr.proto == IPPROTO_ICMPV6) {
         const void *encaps_data;
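Review bot: The changed condition compares icmp_type against the bare literals 3 and 11, and the second hunk repeats the 11 in its new `else if`, so the two checks can drift apart silently. If the project's ICMP header constants are in scope in this file (libdnet names them ICMP_UNREACH and ICMP_TIMEXCEED; I cannot see the includes from here), `if (icmp->icmp_type != ICMP_UNREACH && icmp->icmp_type != ICMP_TIMEXCEED)` would make both checks self-documenting and tie them to one definition. The enclosing get_pcap_result() begins and ends outside the hunk.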
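Review bot: The new `else if (icmp->icmp_type == 11)` branch marks the port filtered for every Time Exceeded code, but only code 0 (TTL exceeded in transit) comes from an intermediate device; code 1 (fragment reassembly time exceeded) is sent by the destination itself and does not indicate a filter, so it should probably not change the port state or reason. The type 3 branch just above appears to dispatch on icmp_code (the `break;` at the top of the hunk), whereas the new branch accepts any code, which is the inconsistency. Narrowing the guard to `else if (icmp->icmp_type == 11 && icmp->icmp_code == 0) { /* ICMP Time Exceeded in transit */` keeps the reported reason accurate; whether code 1 can actually reach this path depends on probe fragmentation, which I infer rather than see here. get_pcap_result() starts and ends outside the hunk.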