a bunch of small patches by Kris Katterjohn

docs/nmap.1

@@ -2,7 +2,7 @@
 .\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
 .\" Instead of manually editing it, you probably should edit the DocBook XML
 .\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "NMAP" "1" "09/02/2006" "" "Nmap Reference Guide"
+.TH "NMAP" "1" "09/12/2006" "" "Nmap Reference Guide"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -91,7 +91,7 @@ This options summary is printed when Nmap is run with no arguments, and the late
 \fI\%http://insecure.org/nmap/data/nmap.usage.txt\fR. It helps people remember the most common options, but is no substitute for the in\-depth documentation in the rest of this manual. Some obscure options aren't even included here.
 .PP
 .nf
-Nmap 4.20ALPHA5 ( http://insecure.org/nmap/ )
+Nmap 4.20ALPHA6 ( http://Insecure.Org )
 Usage: nmap [Scan Type(s)] [Options] {target specification}
 TARGET SPECIFICATION:
   Can pass hostnames, IP addresses, networks, etc.
@@ -197,7 +197,7 @@ are the same as for the reference IP or hostname given. For example, 192.168.10.
 11000000 10101000 00001010 00000000) and 192.168.10.255 (binary:
 11000000 10101000 00001010 11111111), inclusive. 192.168.10.40/24 would do exactly the same thing. Given that the host scanme.nmap.org is at the IP address 205.217.153.62, the specification scanme.nmap.org/16 would scan the 65,536 IP addresses between 205.217.0.0 and 205.217.255.255. The smallest allowed value is /1, which scans half the Internet. The largest value is 32, which scans just the named host or IP address because all address bits are fixed.
 .PP
-CIDR notation is short but not always flexible enough. For example, you might want to scan 192.168.0.0/16 but skip any IPs ending with .0 or .255 because they are commonly broadcast addresses. Nmap supports this through octet range addressing. Rather than specify a normal IP address, you can specify a comma separated list of numbers or ranges for each octet. For example, 192.168.0\-255.1\-254 will skip all addresses in the range that end in .0 and or .255. Ranges need not be limited to the final octects: the specifier 0\-255.0\-255.13.37 will perform an Internet\-wide scan for all IP addresses ending in 13.37. This sort of broad sampling can be useful for Internet surveys and research.
+CIDR notation is short but not always flexible enough. For example, you might want to scan 192.168.0.0/16 but skip any IPs ending with .0 or .255 because they are commonly broadcast addresses. Nmap supports this through octet range addressing. Rather than specify a normal IP address, you can specify a comma separated list of numbers or ranges for each octet. For example, 192.168.0\-255.1\-254 will skip all addresses in the range that end in .0 and or .255. Ranges need not be limited to the final octets: the specifier 0\-255.0\-255.13.37 will perform an Internet\-wide scan for all IP addresses ending in 13.37. This sort of broad sampling can be useful for Internet surveys and research.
 .PP
 IPv6 addresses can only be specified by their fully qualified IPv6 address or hostname. CIDR and octet ranges aren't supported for IPv6 because they are rarely useful.
 .PP

docs/nmap.usage.txt

@@ -1,4 +1,4 @@
-Nmap 4.20ALPHA6 ( http://Insecure.Org )
+Nmap 4.20ALPHA7 ( http://Insecure.Org )
 Usage: nmap [Scan Type(s)] [Options] {target specification}
 TARGET SPECIFICATION:
   Can pass hostnames, IP addresses, networks, etc.

nmap.cc

@@ -148,9 +148,6 @@ static int parse_scanflags(char *arg) {
     if (strcasestr(arg, "URG")) {
       flagval |= TH_URG;
     } 
-    if (strcasestr(arg, "SYN")) {
-      flagval |= TH_SYN;
-    }
   }
   return flagval;
 }
@@ -159,35 +156,29 @@ static int parse_scanflags(char *arg) {
 static int parse_bounce_argument(struct ftpinfo *ftp, char *url) {
   char *p = url,*q, *s;
 
-  if ((q = strrchr(url, '@'))) { /*we have username and/or pass */
-    *(q++) = '\0';
-    if ((s = strchr(q, ':')))
-      { /* has portno */
-	*(s++) = '\0';
-	strncpy(ftp->server_name, q, MAXHOSTNAMELEN);
-	ftp->port = atoi(s);
-      }
-    else  strncpy(ftp->server_name, q, MAXHOSTNAMELEN);
+  if ((q = strrchr(url, '@'))) { /* we have user and/or pass */
+    *q++ = '\0';
 
-    if ((s = strchr(p, ':'))) { /* User AND pass given */
-      *(s++) = '\0';
-      strncpy(ftp->user, p, 63);
+    if ((s = strchr(p, ':'))) { /* we have user AND pass */
+      *s++ = '\0';
       strncpy(ftp->pass, s, 255);
-    }
-    else { /* Username ONLY given */
+    } else { /* we ONLY have user */
       log_write(LOG_STDOUT, "Assuming %s is a username, and using the default password: %s\n",
 		p, ftp->pass);
+    }
+
     strncpy(ftp->user, p, 63);
+  } else {
+    q = url;
   }
-  }
-  else /* no username or password given */ 
-    if ((s = strchr(url, ':'))) { /* portno is given */
-      *(s++) = '\0';
-      strncpy(ftp->server_name, url, MAXHOSTNAMELEN);
+
+  /* q points to beginning of server name */
+  if ((s = strchr(q, ':'))) { /* we have portno */
+    *s++ = '\0';
     ftp->port = atoi(s);
   }
-    else  /* default case, no username, password, or portnumber */
-      strncpy(ftp->server_name, url, MAXHOSTNAMELEN);
+
+  strncpy(ftp->server_name, q, MAXHOSTNAMELEN);
 
   ftp->user[63] = ftp->pass[255] = ftp->server_name[MAXHOSTNAMELEN] = 0;
 
@@ -437,7 +428,6 @@ int nmap_main(int argc, char *argv[]) {
   int i, arg;
   long l;
   unsigned int targetno;
-  size_t j, argvlen;
   FILE *inputfd = NULL, *excludefd = NULL;
   char *host_spec = NULL, *exclude_spec = NULL;
   short fastscan=0, randomize=1;
@@ -501,7 +491,6 @@ int nmap_main(int argc, char *argv[]) {
       {"min_parallelism", required_argument, 0, 0},
       {"min-parallelism", required_argument, 0, 0},
       {"timing", required_argument, 0, 'T'},
-      {"timing", no_argument, 0, 0},
       {"max_rtt_timeout", required_argument, 0, 0},
       {"max-rtt-timeout", required_argument, 0, 0},
       {"min_rtt_timeout", required_argument, 0, 0},
@@ -626,6 +615,8 @@ int nmap_main(int argc, char *argv[]) {
 	if (l <= 0) fatal("Bogus --initial-rtt-timeout argument specified.  Must be positive");
         pre_init_rtt_timeout = l;
       } else if (strcmp(long_options[option_index].name, "excludefile") == 0) {
+	if (exclude_spec)
+	  fatal("--excludefile and --exclude options are mutually exclusive.");
         excludefd = fopen(optarg, "r");
         if (!excludefd) {
           fatal("Failed to open exclude file %s for reading", optarg);
@@ -699,7 +690,7 @@ int nmap_main(int argc, char *argv[]) {
       } else if (optcmp(long_options[option_index].name, "max-retries") == 0) {
         pre_max_retries = atoi(optarg);
         if (pre_max_retries < 0)
-          fatal("max-retransmissions must be positive");
+          fatal("max-retries must be positive");
       } else if (optcmp(long_options[option_index].name, "randomize-hosts") == 0
 		 || strcmp(long_options[option_index].name, "rH") == 0) {
 	o.randomize_hosts = 1;
@@ -856,7 +847,7 @@ int nmap_main(int argc, char *argv[]) {
       }
       break;
     case 'e': 
-      strncpy(o.device, optarg,63); o.device[63] = '\0'; break;
+      Strncpy(o.device, optarg, sizeof(o.device)); break;
     case 'F': fastscan++; break;
     case 'f': o.fragscan += 8; break;
     case 'g': 
@@ -1341,16 +1332,13 @@ int nmap_main(int argc, char *argv[]) {
 
   /* more fakeargv junk, BTW malloc'ing extra space in argv[0] doesn't work */
   if (quashargv) {
-    argvlen = strlen(argv[0]);
-    if (argvlen < strlen(FAKE_ARGV))
+    size_t fakeargvlen = strlen(FAKE_ARGV), argvlen = strlen(argv[0]);
+    if (argvlen < fakeargvlen)
       fatal("If you want me to fake your argv, you need to call the program with a longer name.  Try the full pathname, or rename it fyodorssuperdedouperportscanner");
-    strncpy(argv[0], FAKE_ARGV, strlen(FAKE_ARGV));
-    for(j = strlen(FAKE_ARGV); j < argvlen; j++) argv[0][j] = '\0';
-    for(i=1; i < argc; i++) {
-      argvlen = strlen(argv[i]);
-      for(j=0; j <= argvlen; j++)
-	argv[i][j] = '\0';
-    }
+    strncpy(argv[0], FAKE_ARGV, fakeargvlen);
+    memset(&argv[0][fakeargvlen], '\0', strlen(&argv[0][fakeargvlen]));
+    for(i=1; i < argc; i++)
+      memset(argv[i], '\0', strlen(argv[i]));
   }
 
 #if defined(HAVE_SIGNAL) && defined(SIGPIPE)

tcpip.cc

@@ -248,7 +248,7 @@ void PacketTrace::traceArp(pdirection pdir, const u8 *frame, u32 len,
 
   if (frame[21] == 1) /* arp REQUEST */ {
     inet_ntop(AF_INET, frame+38, who_has, sizeof(who_has));
-    inet_ntop(AF_INET, frame+28, tell, sizeof(who_has));
+    inet_ntop(AF_INET, frame+28, tell, sizeof(tell));
     snprintf(arpdesc, sizeof(arpdesc), "who-has %s tell %s", who_has, tell);
   } else { /* ARP REPLY */
     inet_ntop(AF_INET, frame+28, who_has, sizeof(who_has));
@@ -2771,6 +2771,8 @@ struct sys_route *getsysroutes(int *howmany) {
   struct sockaddr_in *sin;
   struct interface_info *ii;
 
+  if (!howmany) fatal("NULL howmany ptr passed to getsysroutes()");
+
   if (!routes) {
     routes = (struct sys_route *) safe_zalloc(route_capacity * sizeof(struct sys_route));
     ifaces = getinterfaces(&numifaces);
@@ -2888,7 +2890,7 @@ struct sys_route *getsysroutes(int *howmany) {
       qsort(routes, numroutes, sizeof(routes[0]), nmaskcmp);
     }
   }
-  if (!howmany) fatal("NULL howmany ptr passed to getsysroutes()");
+
   *howmany = numroutes;
   return routes;
 }

utils.h

@@ -273,15 +273,7 @@ int numberlist2array(char *expr, u16 *dest, int destsize, char **errorstr,
 char *mmapfile(char *fname, int *length, int openflags);
 
 #ifdef WIN32
-#define PROT_READ       0x1             /* page can be read */
-#define PROT_WRITE      0x2             /* page can be written */
-#define PROT_EXEC       0x4             /* page can be executed */
-#define PROT_NONE       0x0             /* page can not be accessed */
-
-#define MAP_SHARED      0x01            /* Share changes */
-
 int win32_munmap(char *filestr, int filelen);
-
 #endif /* WIN32 */
 
 #endif /* UTILS_H */