Fixed -iR scanning too many targets

Fixed a discrepancy between the number of targets selected with -iR and
the number of hosts scanned. Because "up" hosts did not count towards
the number of hosts in a hostgroup, Nmap would run an extra Ping scan
phase on that number of new targets before scanning. Those extra targets
in the last hostgroup would result in output like "Nmap done: 1056 IP
addresses" when the user specified -iR 1000.

https://security.stackexchange.com/questions/138150/scans-more-ips-than-asked

CHANGELOG

@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o Fixed a discrepancy between the number of targets selected with -iR and the
+  number of hosts scanned, resulting in output like "Nmap done: 1033 IP
+  addresses" when the user specified -iR 1000. [Daniel Miller]
+
 o New service probe and match line for DTLS (Datagram TLS, or TLS over UDP).
 
 o Improved some output filtering to remove or escape carriage returns ('\r')

nmap.cc

@@ -2031,7 +2031,10 @@ int nmap_main(int argc, char *argv[]) {
         }
         delete currenths;
         o.numhosts_scanned++;
-        continue;
+        if (!o.max_ips_to_scan || o.max_ips_to_scan > o.numhosts_scanned + Targets.size())
+          continue;
+        else
+          break;
       }
 
       if (o.spoofsource) {
@@ -2051,7 +2054,10 @@ int nmap_main(int argc, char *argv[]) {
         }
         delete currenths;
         o.numhosts_scanned++;
-        continue;
+        if (!o.max_ips_to_scan || o.max_ips_to_scan > o.numhosts_scanned + Targets.size())
+          continue;
+        else
+          break;
       }
 
       if (o.RawScan()) {