
about to apply Doug DNS fix patch

fyodor
2006-02-07 07:15:32 +00:00
parent 0d0a61b5b8
commit c9dd83e327
15 changed files with 75 additions and 33 deletions


@@ -1,10 +1,42 @@
# Nmap Changelog ($Id$); -*-text-*-
o Fixed a bug that would cause bogus reverse-DNS resolution on
big-endian machines. Thanks to Doug Hoyte, Seth Miller, Tony Doan,
and Andrew Lutomirsky for helping to debug and patch the problem.
o Fixed an important memory leak in the raw ethernet sending system.
Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for
identifying the bug and sending a patch.
o Fixed --system-dns option so that --system_dns works too. Error
messages were changed to reflect the former (preferred) name.
Thanks to Sean Swift (sean.swift(a)bradford.gov.uk) and Peter
VanEeckhoutte (Peter.VanEeckhoutte(a)saraleefoodseurope.com) for
reporting the problem.
o Whenever Nmap sends packets with the SYN bit set (except for OS
detection), it now includes the maximum segment size (MSS) tcp
option with a value of 1460. This makes it stand out less as almost
all hosts set at least this option. Thanks to Juergen Schmidt
(ju(a)heisec.de) for the suggestion.
o Minor changes to recognize DragonFly BSD in configure
scripts. Thanks to Joerg Sonnenberger (joerg(a)britannica.bec.de)
for sending the patch.
o Fixed a minor bug in an error message starting with "eth_send of ARP
packet returned". Thanks to J.W. Hoogervorst
(J.W.Hoogervorst(a)uva.nl) for finding this.
4.00
o Added the '?' command to the runtime interaction system. It prints a
list of accepted commands. Thanks to Andrew Lutomirski
(luto(a)myrealbox.com) for the patch.
o See the announcement at
http://www.insecure.org/stf/Nmap-4.00-Release.html for high-level
changes since 3.50.
3.9999
o Generated a new libpcre/configure to cope with changes in LibPCRE
@@ -706,7 +738,7 @@ o ultra_scan() now sets pseudo-random ACK values (rather than 0) for
o Updated the Nmap version number, description, and similar fields
that MS Visual Studio places in the binary. This was done by editing
mswin32/nmap.rc as suggested by Chris Paget (chrisp@ngssoftware.com)
mswin32/nmap.rc as suggested by Chris Paget (chrisp(a)ngssoftware.com)
o Fixed Nmap compilation on DragonFly BSD (and perhaps some other
systems) by applying a short patch by Joerg Sonnenberger which omits
@@ -825,7 +857,7 @@ o Nmap now prints a warning message on Windows if Winpcap is not found
o Added an NTP probe and matches to the version detection database
(nmap-service-probes) thanks to a submission from Martin
Macok (martin.macok@underground.cz).
Macok (martin.macok(a)underground.cz).
o Applied several Nmap service detection database updates sent in by
Martin Macok (martin.macok(a)underground.cz).
@@ -1141,7 +1173,7 @@ o Removed (addport) tags from XML output. They used to provide open
once scanning of a target is complete.
o Configure script now detects GNU/k*BSD systems (whatever those are),
thanks to patch from Robert Millan (rmh@debian.org)
thanks to patch from Robert Millan (rmh(a)debian.org)
o Fixed various crashes and assertion failures related to the new
ultra_scan() system, that were found by Arturo "Buanzo" Busleiman


@@ -232,7 +232,7 @@ int TargetGroup::parse_expr(const char * const target_expr, int af) {
else if (*r != '*' && *r != ',' && *r != '-' && !isdigit((int)*r))
fatal("Invalid character in host specification. Note in particular that square brackets [] are no longer allowed. They were redundant and can simply be removed.");
}
if (i != 3) fatal("Target host specification is illegal -- not enough dots in IP");
if (i != 3) fatal("Invalid target host specification: %s", target_expr);
for(i=0; i < 4; i++) {
j=0;

2
configure vendored

@@ -3029,7 +3029,7 @@ _ACEOF
# libpcap doesn't even LOOK at
# the timeout you give it under Linux
;;
*-freebsd* | *-kfreebsd*-gnu)
*-freebsd* | *-kfreebsd*-gnu | *-dragonfly*)
cat >>confdefs.h <<\_ACEOF
#define FREEBSD 1
_ACEOF


@@ -181,7 +181,7 @@ case "$host" in
AC_DEFINE(PCAP_TIMEOUT_IGNORED) # libpcap doesn't even LOOK at
# the timeout you give it under Linux
;;
*-freebsd* | *-kfreebsd*-gnu)
*-freebsd* | *-kfreebsd*-gnu | *-dragonfly*)
AC_DEFINE(FREEBSD)
;;
*-bsdi*)


@@ -2,7 +2,7 @@
.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
.\" Instead of manually editing it, you probably should edit the DocBook XML
.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
.TH "NMAP" "1" "01/29/2006" "" "Nmap Reference Guide"
.TH "NMAP" "1" "01/31/2006" "" "Nmap Reference Guide"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)


@@ -191,7 +191,7 @@ int ipid_proxy_probe(struct idle_proxy_info *proxy, int *probes_sent,
proxy->probe_port,
seq_base + (packet_send_count++ * 500) + 1, ack,
TH_SYN|TH_ACK, 0,
NULL, 0, NULL, 0);
(u8 *) "\x02\x04\x05\xb4", 4, NULL, 0);
sent++;
tries++;
@@ -417,8 +417,8 @@ void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName,
send_tcp_raw(proxy->rawsd, proxy->ethptr, proxy->host.v4sourceip(),
proxy->host.v4hostip(), o.ttl,
o.magic_port + probes_sent + 1, proxy->probe_port,
sequence_base + probes_sent + 1, 0, TH_SYN|TH_ACK,
ack, NULL, 0, NULL, 0);
sequence_base + probes_sent + 1, ack, TH_SYN|TH_ACK,
0, (u8 *) "\x02\x04\x05\xb4", 4, NULL, 0);
gettimeofday(&probe_send_times[probes_sent], NULL);
probes_sent++;
@@ -525,7 +525,7 @@ void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName,
proxy->host.v4hostip(),
o.ttl, o.magic_port, proxy->probe_port,
sequence_base + probes_sent + 1, 0, TH_SYN|TH_ACK,
ack, NULL, 0, NULL, 0);
ack, (u8 *) "\x02\x04\x05\xb4", 4, NULL, 0);
}
@@ -679,7 +679,7 @@ int idlescan_countopen2(struct idle_proxy_info *proxy,
send_tcp_raw(proxy->rawsd, eth.ethsd? &eth : NULL, proxy->host.v4hostip(),
target->v4hostip(),
o.ttl, proxy->probe_port, ports[pr0be], seq, 0, TH_SYN, 0,
NULL, 0, o.extra_payload, o.extra_payload_length);
(u8 *) "\x02\x04\x05\xb4", 4, o.extra_payload, o.extra_payload_length);
}
gettimeofday(&end, NULL);
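Review bot: The `send_tcp_raw` call in the `@@ -525` hunk of `initialize_idleproxy` still passes `0, TH_SYN|TH_ACK, ack` around the flags, while the `@@ -417` hunk of this same commit moves `ack` in front of the flags and the call in `ipid_proxy_probe` already uses that order. Assuming the parameters run seq, ack, flags, window (the prototype is not visible here), the retained call sends an acknowledgment number of 0 and places the `ack` value in the window field, so the two probes built in this function differ on the wire. If that is not intended, the two lines should read `sequence_base + probes_sent + 1, ack, TH_SYN|TH_ACK,` and `0, (u8 *) "\x02\x04\x05\xb4", 4, NULL, 0);`. Both calls sit in function bodies that extend beyond the hunks shown.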


@@ -22707,7 +22707,7 @@ esac
elif test "$ac_cv_header_net_if_tun_h" = yes ; then
if test "$ac_cv_header_stropts_h" = yes ; then
case "$host_os" in
*kfreebsd*)
*kfreebsd* | *dragonfly*)
case $LIBOBJS in
"tun-bsd.$ac_objext" | \
*" tun-bsd.$ac_objext" | \


@@ -279,7 +279,7 @@ if test "$ac_cv_header_linux_if_tun_h" = yes ; then
elif test "$ac_cv_header_net_if_tun_h" = yes ; then
if test "$ac_cv_header_stropts_h" = yes ; then
case "$host_os" in
*kfreebsd*)
*kfreebsd* | *dragonfly*)
AC_LIBOBJ([tun-bsd]);;
*)
AC_LIBOBJ([tun-solaris]);;


@@ -480,7 +480,7 @@ int nmap_main(int argc, char *argv[]) {
o.setXSLStyleSheet(optarg);
} else if (optcmp(long_options[option_index].name, "no-stylesheet") == 0) {
o.setXSLStyleSheet(NULL);
} else if (strcmp(long_options[option_index].name, "system-dns") == 0) {
} else if (optcmp(long_options[option_index].name, "system-dns") == 0) {
o.mass_dns = false;
} else if (optcmp(long_options[option_index].name, "dns-servers") == 0) {
o.dns_servers = strdup(optarg);


@@ -102,7 +102,7 @@
// on large number of IP addresses. Nmap supports 2 different
// methods of accomplishing this:
//
// System Resolver (specified using --system_dns):
// System Resolver (specified using --system-dns):
// Performs sequential getnameinfo() calls on all the IPs.
// As reliable as your system resolver, almost guaranteed
// to be portable, but intolerably slow for scans of hundreds
@@ -385,7 +385,7 @@ u32 parse_inaddr_arpa(unsigned char *buf, int maxlen) {
u32 ip=0;
int i, j;
for (i=3; i>=0; i--) {
for (i=0; i<=3; i++) {
if (maxlen <= 0) return 0;
if (buf[0] < 1 || buf[0] > 3) return 0;
@@ -402,7 +402,7 @@ u32 parse_inaddr_arpa(unsigned char *buf, int maxlen) {
if (maxlen < 14) return 0; // length of the following string
if (strcasecmp((char *) buf, "\x07in-addr\004arpa\0")) return 0;
return ip;
return ntohl(ip);
}
@@ -620,7 +620,7 @@ void put_dns_packet_on_wire(request *req) {
u32 ip;
struct timeval now, timeout;
ip = (u32) req->targ->v4host().s_addr;
ip = (u32) ntohl(req->targ->v4host().s_addr);
packet[0] = (req->id >> 8) & 0xFF;
packet[1] = req->id & 0xFF;
@@ -629,10 +629,10 @@ void put_dns_packet_on_wire(request *req) {
memcpy(packet+plen, "\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00", 10);
plen += 10;
plen += add_integer_to_dns_packet(packet+plen, (ip>>24) & 0xFF);
plen += add_integer_to_dns_packet(packet+plen, (ip>>16) & 0xFF);
plen += add_integer_to_dns_packet(packet+plen, (ip>>8) & 0xFF);
plen += add_integer_to_dns_packet(packet+plen, ip & 0xFF);
plen += add_integer_to_dns_packet(packet+plen, (ip>>8) & 0xFF);
plen += add_integer_to_dns_packet(packet+plen, (ip>>16) & 0xFF);
plen += add_integer_to_dns_packet(packet+plen, (ip>>24) & 0xFF);
memcpy(packet+plen, "\x07in-addr\004arpa\x00\x00\x0c\x00\x01", 18);
plen += 18;
@@ -683,7 +683,7 @@ int deal_with_timedout_reads() {
if (tp > 0 && tp < min_timeout) min_timeout = tp;
if (tp <= 0) {
tpserv->capacity = (int) (tpserv->capacity * CAPACITY_MINOR_DOWN_SCALE);;
tpserv->capacity = (int) (tpserv->capacity * CAPACITY_MINOR_DOWN_SCALE);
check_capacities(tpserv);
tpserv->in_process.erase(reqI);
tpserv->reqs_on_wire--;
@@ -874,7 +874,7 @@ void parse_resolvdotconf() {
fp = fopen("/etc/resolv.conf", "r");
if (fp == NULL) {
fatal("Unable to open /etc/resolv.conf. Try using --system_dns or specify valid servers with --dns_servers");
fatal("Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers");
}
while (fgets(buf, sizeof(buf), fp)) {
@@ -903,7 +903,7 @@ void parse_resolvdotconf() {
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters",
0, KEY_READ, &hKey) != ERROR_SUCCESS)
fatal("Error opening registry to read DNS servers. Try using --system_dns or specify valid servers with --dns_servers");
fatal("Error opening registry to read DNS servers. Try using --system-dns or specify valid servers with --dns-servers");
sz = sizeof(buf);
if (RegQueryValueEx(hKey, "NameServer", NULL, NULL, (LPBYTE) buf, (LPDWORD) &sz) == ERROR_SUCCESS)
@@ -1055,7 +1055,7 @@ void nmap_mass_rdns_core(Target **targets, int num_targets) {
else parse_resolvdotconf();
if (servs.size() == 0)
fatal("Unable to determine any DNS servers. Try using --system_dns or specify valid servers with --dns_servers");
fatal("Unable to determine any DNS servers. Try using --system-dns or specify valid servers with --dns_servers");
}
@@ -1156,7 +1156,7 @@ void nmap_mass_rdns_core(Target **targets, int num_targets) {
nsp_delete(dnspool);
if (cname_reqs.size() && o.debugging)
log_write(LOG_STDOUT, "Performing system_dns for %d domain names that use CNAMEs\n", (int) cname_reqs.size());
log_write(LOG_STDOUT, "Performing system-dns for %d domain names that use CNAMEs\n", (int) cname_reqs.size());
SPM = new ScanProgressMeter("System CNAME DNS resolution");
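Review bot: The rewritten message in the `@@ -1055` hunk of `nmap_mass_rdns_core` still ends with `--dns_servers` although the same line now says `--system-dns`, and both `parse_resolvdotconf` messages changed in this commit use `--dns-servers`. Finishing the rename keeps the hint consistent with the preferred option spelling: `fatal("Unable to determine any DNS servers. Try using --system-dns or specify valid servers with --dns-servers");`. The function body extends outside the hunk.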

2
nmapfe/configure vendored

@@ -2715,7 +2715,7 @@ _ACEOF
# libpcap doesn't even LOOK at
# the timeout you give it under Linux
;;
*-freebsd* | *-kfreebsd*-gnu)
*-freebsd* | *-kfreebsd*-gnu | *-dragonfly*)
cat >>confdefs.h <<\_ACEOF
#define FREEBSD 1
_ACEOF


@@ -80,7 +80,7 @@ case "$host" in
AC_DEFINE(PCAP_TIMEOUT_IGNORED) # libpcap doesn't even LOOK at
# the timeout you give it under Linux
;;
*-freebsd* | *-kfreebsd*-gnu)
*-freebsd* | *-kfreebsd*-gnu | *-dragonfly*)
AC_DEFINE(FREEBSD)
;;
*-bsdi*)


@@ -2060,7 +2060,8 @@ static UltraProbe *sendArpScanProbe(UltraScanInfo *USI, HostScanStats *hss,
gettimeofday(&USI->now, NULL);
hss->lastprobe_sent = probe->sent = USI->now;
if ((rc = eth_send(USI->ethsd, frame, sizeof(frame))) != sizeof(frame)) {
error("WARNING: eth_send of ARP packet returned %u rather than expected %d\n", rc, (int) sizeof(frame));
int err = socket_errno();
error("WARNING: eth_send of ARP packet returned %i rather than expected %d (errno=%i: %s)\n", rc, (int) sizeof(frame), err, strerror(err));
}
PacketTrace::traceArp(PacketTrace::SENT, (u8 *) frame, sizeof(frame), &USI->now);
probe->tryno = tryno;
@@ -2091,6 +2092,8 @@ static UltraProbe *sendIPScanProbe(UltraScanInfo *USI, HostScanStats *hss,
u16 ipid = get_random_u16();
struct eth_nfo eth;
struct eth_nfo *ethptr = NULL;
u8 *tcpops = NULL;
u16 tcpopslen = 0;
if (USI->ethsd) {
memcpy(eth.srcmac, hss->target->SrcMACAddress(), 6);
@@ -2117,10 +2120,15 @@ static UltraProbe *sendIPScanProbe(UltraScanInfo *USI, HostScanStats *hss,
if (pspec->pd.tcp.flags & TH_ACK)
ack = rand();
if (pspec->pd.tcp.flags & TH_SYN) {
tcpops = (u8 *) "\x02\x04\x05\xb4";
tcpopslen = 4;
}
for(decoy = 0; decoy < o.numdecoys; decoy++) {
packet = build_tcp_raw(&o.decoys[decoy], hss->target->v4hostip(), o.ttl,
ipid, sport, pspec->pd.tcp.dport, seq, ack,
pspec->pd.tcp.flags, 0, NULL, 0,
pspec->pd.tcp.flags, 0, tcpops, tcpopslen,
o.extra_payload, o.extra_payload_length,
&packetlen);
if (decoy == o.decoyturn) {
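Review bot: The MSS option in `sendIPScanProbe` is written as the bare literal `(u8 *) "\x02\x04\x05\xb4"` with a separately maintained length `4`, and the same pair is repeated at the `send_tcp_raw` calls in the idle-scan hunks and the `send_tcp_raw_decoys` call in the ping code. One shared definition, for example `static const u8 tcp_mss_1460_opt[] = {0x02, 0x04, 0x05, 0xb4}; /* kind 2, len 4, MSS 1460 */` passed with `sizeof(tcp_mss_1460_opt)`, would keep the bytes and the length together and record what they encode. The cast also drops `const` from a string literal, which is only safe if the packet builders never write through the options pointer; their prototypes are not visible here, so that should be confirmed. `sendIPScanProbe` continues past the end of the hunk.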


@@ -895,7 +895,7 @@ else {
o.decoys[o.decoyturn].s_addr = target->v4source().s_addr;
if (pingtype & PINGTYPE_TCP_USE_SYN) {
send_tcp_raw_decoys( rawsd, eth, target->v4hostip(), o.ttl, sportbase + trynum, probe_port, myseq, myack, TH_SYN, 0, NULL, 0, o.extra_payload,
send_tcp_raw_decoys( rawsd, eth, target->v4hostip(), o.ttl, sportbase + trynum, probe_port, myseq, myack, TH_SYN, 0, (u8 *) "\x02\x04\x05\xb4", 4, o.extra_payload,
o.extra_payload_length);
} else {
send_tcp_raw_decoys( rawsd, eth, target->v4hostip(), o.ttl, sportbase + trynum, probe_port, myseq, myack, TH_ACK, 0, NULL, 0, o.extra_payload,


@@ -936,7 +936,7 @@ int send_ip_packet(int sd, struct eth_nfo *eth, u8 *packet, unsigned int packetl
struct ip *ip = (struct ip *) packet;
struct tcphdr *tcp = NULL;
udphdr_bsd *udp;
u8 *eth_frame;
u8 *eth_frame = NULL;
eth_t *ethsd;
bool ethsd_opened = false;
assert(packet);
@@ -960,6 +960,8 @@ int send_ip_packet(int sd, struct eth_nfo *eth, u8 *packet, unsigned int packetl
PacketTrace::trace(PacketTrace::SENT, packet, packetlen);
if (ethsd_opened)
eth_close(ethsd);
free(eth_frame);
eth_frame = NULL;
return res;
}
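Review bot: The new `free(eth_frame)` at the tail of `send_ip_packet` is only safe because of the `= NULL` initialiser added in the `@@ -936` hunk, and nothing near either line records that dependency. A comment on the declaration such as `/* stays NULL unless the ethernet path allocates a frame; freed before return */` would keep a later edit from dropping the initialiser and freeing an indeterminate pointer. The `eth_frame = NULL;` immediately before `return res;` is a dead store and could be removed. The code between the two hunks is not visible, so whether an earlier exit bypasses the free cannot be checked from here.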