Allow broadcast-dhcp-discover to receive more than 1 response. Fixes #1908

scripts/broadcast-dhcp-discover.nse

@@ -32,24 +32,29 @@ The script needs to be run as a privileged user, typically root.
 --
 -- @output
 -- | broadcast-dhcp-discover:
--- |   IP Offered: 192.168.1.114
+-- |   Response 1 of 1:
--- |   DHCP Message Type: DHCPOFFER
+-- |     Interface: wlp1s0
--- |   Server Identifier: 192.168.1.1
+-- |     IP Offered: 192.168.1.114
--- |   IP Address Lease Time: 1 day, 0:00:00
+-- |     DHCP Message Type: DHCPOFFER
--- |   Subnet Mask: 255.255.255.0
+-- |     Server Identifier: 192.168.1.1
--- |   Router: 192.168.1.1
+-- |     IP Address Lease Time: 1 day, 0:00:00
--- |   Domain Name Server: 192.168.1.1
+-- |     Subnet Mask: 255.255.255.0
--- |_  Domain Name: localdomain
+-- |     Router: 192.168.1.1
+-- |     Domain Name Server: 192.168.1.1
+-- |_    Domain Name: localdomain
 --
 -- @xmloutput
--- <elem key="IP Offered">192.168.1.114</elem>
+-- <table key="Response 1 of 1:">
--- <elem key="DHCP Message Type">DHCPOFFER</elem>
+--   <elem key="Interface">wlp1s0</elem>
--- <elem key="Server Identifier">192.168.1.1</elem>
+--   <elem key="IP Offered">192.168.1.114</elem>
--- <elem key="IP Address Lease Time">1 day, 0:00:00</elem>
+--   <elem key="DHCP Message Type">DHCPOFFER</elem>
--- <elem key="Subnet Mask">255.255.255.0</elem>
+--   <elem key="Server Identifier">192.168.1.1</elem>
--- <elem key="Router">192.168.1.1</elem>
+--   <elem key="IP Address Lease Time">1 day, 0:00:00</elem>
--- <elem key="Domain Name Server">192.168.1.1</elem>
+--   <elem key="Subnet Mask">255.255.255.0</elem>
--- <elem key="Domain Name">localdomain</elem>
+--   <elem key="Router">192.168.1.1</elem>
+--   <elem key="Domain Name Server">192.168.1.1</elem>
+--   <elem key="Domain Name">localdomain</elem>
+-- </table>
 --
 -- @args broadcast-dhcp-discover.mac  Set to <code>random</code> or a specific
 --                client MAC address in the DHCP request. "DE:AD:C0:DE:CA:FE"
@@ -110,20 +115,15 @@ end
 -- @param timeout number of ms to wait for a response
 -- @param xid the DHCP transaction id
 -- @param result a table to which the result is written
-local function dhcp_listener(sock, timeout, xid, result)
+local function dhcp_listener(sock, iface, timeout, xid, result)
   local condvar = nmap.condvar(result)
 
-  sock:set_timeout(100)
 
   local start_time = nmap.clock_ms()
-  while( nmap.clock_ms() - start_time < timeout ) do
+  local now = start_time
+  while( now - start_time < timeout ) do
+    sock:set_timeout(timeout - (now - start_time))
     local status, _, _, data = sock:pcap_receive()
-    -- abort, once another thread has picked up our response
-    if ( #result > 0 ) then
-      sock:close()
-      condvar "signal"
-      return
-    end
 
     if ( status ) then
       local p = packet.Packet:new( data, #data )
@@ -131,13 +131,12 @@ local function dhcp_listener(sock, timeout, xid, result)
         local data = data:sub(p.udp_offset + 9)
         local status, response = dhcp.dhcp_parse(data, xid)
         if ( status ) then
+          response.iface = iface
           table.insert( result, response )
-          sock:close()
-          condvar "signal"
-          return
         end
       end
     end
+    now = nmap.clock_ms()
   end
   sock:close()
   condvar "signal"
@@ -195,7 +194,7 @@ action = function()
     local sock, co
     sock = nmap.new_socket()
     sock:pcap_open(iface, 1500, false, "ip && udp && port 68")
-    co = stdnse.new_thread( dhcp_listener, sock, timeout, transaction_id, result )
+    co = stdnse.new_thread( dhcp_listener, sock, iface, timeout, transaction_id, result )
     threads[co] = true
   end
 
@@ -223,6 +222,7 @@ action = function()
   for i, r in ipairs(result) do
     local result_table = stdnse.output_table()
 
+    result_table["Interface"] = r.iface
     result_table["IP Offered"] = r.yiaddr_str
     for _, v in ipairs(r.options) do
       if(type(v.value) == 'table') then