
fixed overflow that made /1 netmask not work

This commit is contained in:
fyodor
2005-04-23 04:47:23 +00:00
parent 8582898f48
commit 5cf6c14628
3 changed files with 26 additions and 15 deletions


@@ -1,13 +1,15 @@
# Nmap Changelog ($Id$)
o Fixed a crash problem related to non-portable varargs (vsnprintf)
usage. Reports of this crash came from Alan William Somers
(somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de).
UNRELEASED
o Fixed the way tcp connect scan (-sT) respons to ICMP network
unreachable responses (patch by Richard Moore
(rich(a)westpoint.ltd.uk).
o Fixed a crash problem related to non-portable varargs (vsnprintf)
usage. Reports of this crash came from Alan William Somers
(somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de).
o Update random host scan (-iR) to support the latest IANA-allocated
ranges, thanks to patch by Chad Loder (cloder(a)loder.us).
@@ -17,12 +19,6 @@ o Added some new RPC services to nmap-rpc thanks to a patch from
o Fixed Nmap compilation on Solaris x86 thanks to a patch from Simon
Burr (simes(a)bpfh.net).
o Changed from CVS to Subversion source control system (which
rocks!). Neither repository is public (I'm paranoid because both CVS
and SVN have had remotely exploitable security holes), so the main
change users will see is that "Id" tags in file headers use the SVN
format for version numbering and such.
o ultra_scan() now sets pseudo-random ACK values (rather than 0) for
any TCP scans in which the initial probe packet has the ACK flag set.
This would be the ACK, Xmas, Maimon, and Window scans.
@@ -32,7 +28,9 @@ o Added a bunch of RPC numbers from nmap-rpc maintainer Eilon Gishri
o Added a distcc probes and a bunch of smtp matches from Dirk Mueller
(mueller(a)kde.org) to nmap-service-probes. Also added AFS version
probe and matches from Lionel Cons (lionel.cons(a)cern.ch)
probe and matches from Lionel Cons (lionel.cons(a)cern.ch). And
even more probes and matches from Martin Macok
(martin.macok(a)underground.cz)
o Updated the Nmap version number, description, and similar fields
that MS Visual Studio places in the binary. This was done by editing
@@ -44,6 +42,18 @@ o Increased the buffer size allocated for fingerprints to prevent Nmap
(mhatz(a)blackcat.com) for the report. [ Actually this was done in a
previous version, but I forgot which one ]
o Fixed an integer overflow that prevented Nmap from scanning
2,147,483,648 hosts in one expression (e.g. 0.0.0.0/1). Problem
noted by Justin Cranford (jcranford(a)n-able.com). While /1 scans
are now possible, don't expect them to finish during your bathroom
break. No matter how constipated you are.
o Changed from CVS to Subversion source control system (which
rocks!). Neither repository is public (I'm paranoid because both CVS
and SVN have had remotely exploitable security holes), so the main
change users will see is that "Id" tags in file headers use the SVN
format for version numbering and such.
Nmap 3.81
o Nmap now ships with and installs (in the same directory as other


@@ -187,8 +187,8 @@ int TargetGroup::parse_expr(const char * const target_expr, int af) {
target_net = strtok(hostexp, "/");
s = strtok(NULL, ""); /* find the end of the token from hostexp */
netmask = ( s ) ? atoi(s) : 32;
if ((int) netmask < 0 || netmask > 32) {
fprintf(stderr, "Illegal netmask value (%d), must be /0 - /32 . Assuming /32 (one host)\n", netmask);
if ((int) netmask <= 0 || netmask > 32) {
fprintf(stderr, "Illegal netmask value (%d), must be /1 - /32 . Assuming /32 (one host)\n", netmask);
netmask = 32;
}
for(i=0; *(hostexp + i); i++)
@@ -369,7 +369,7 @@ int TargetGroup::get_next_host(struct sockaddr_storage *ss, size_t *sslen) {
assert(sslen);
if (ipsleft <= 0)
if (ipsleft == 0)
return -1;
if (targets_type == IPV4_NETMASK) {
@@ -441,7 +441,6 @@ int TargetGroup::get_next_host(struct sockaddr_storage *ss, size_t *sslen) {
#endif // HAVE_IPV6
}
ipsleft--;
assert(ipsleft >= 0);
/* If we are resuming from a previous scan, we have already finished
scans up to o.resume_ip. */
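Review bot: `assert(ipsleft >= 0);` after `ipsleft--;` in the third hunk of get_next_host becomes a tautology once ipsleft is `unsigned long` (the TargetGroup.h hunk), so it no longer detects an underrun and will draw a -Wtype-limits warning; the check that now does the work is the `if (ipsleft == 0) return -1;` at the top of the function, so the assert should be dropped or replaced by a comment, e.g. `/* ipsleft is unsigned; the == 0 guard above keeps the decrement from wrapping */`. The accompanying tightening in parse_expr from `netmask < 0` to `netmask <= 0` rejects /0 without saying why; presumably 2^32 addresses would not fit a 32-bit `unsigned long` on Win32 and 32-bit Unix while 2^31 does, and a one-line comment on that branch such as `/* /0 would need 2^32 entries, which overflows a 32-bit unsigned long */` would stop a later maintainer from "fixing" the bound back. Note that `atoi(s)` still accepts trailing garbage such as "/32x", so the range check is the only validation the netmask gets. Both parse_expr and get_next_host begin and end outside the hunks shown.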


@@ -156,8 +156,10 @@ class TargetGroup {
unsigned int current[4];
u8 last[4];
int ipsleft; /* Number of IPs left in this structure -- set to 0 if
/* Number of IPs left in this structure -- set to 0 if
the fields are not valid */
unsigned long ipsleft;
};
class HostGroupState {