From f45f2f394eb2cd2cec1f4e6f021df2f59bc84d68 Mon Sep 17 00:00:00 2001
From: david
Date: Tue, 28 Aug 2012 14:29:23 +0000
Subject: [PATCH] Ignore supposed replies with nonsense pingseq/tryno.

If we get a reply that doesn't pass the simple comparison using the current value of USI->seqmask, then ignore it. Previously we emitted the message "Bad Sequence number from host %s.\n" and allowed the reply to match any probe. This only matters when using -g because otherwise we encode that information in the source port. I think we have addressed what was mentioned in the TODO comment in r15986. Allowing promiscuous matching, as was done before, causes the same spurious closed port issue that was addressed in r29686.
---
 scan_engine.cc | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/scan_engine.cc b/scan_engine.cc
index 072444f6d..5083fb995 100644
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -2523,15 +2523,10 @@ static bool tcp_probe_match(const UltraScanInfo *USI, const UltraProbe *probe,
 }
 
 if (!goodseq) {
- /* TODO: I need to do some testing and find out how often this happens
- and whether other techniques such as the response seq should be
- used in those cases where it happens. Then I should make this just
- a debugging > X statement. */
+ /* Connection info matches, but there was a nonsensical tryno/pingseq. */
 if (o.debugging)
 log_write(LOG_PLAIN, "Bad Sequence number from host %s.\n", inet_ntop_ez(src, sizeof(*src)));
- /* I'll just assume it is a response to this (most recent) probe. */
- tryno = probe->tryno;
- pingseq = probe->pingseq;
+ return false;
 }
 
 /* Make sure that trynum and pingseq match the values in the probe. */
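Review bot: The debug line kept inside `if (!goodseq)` still prints "Bad Sequence number from host %s." without saying that the reply is now discarded. Because the branch returns false, it will presumably be printed once for every outstanding probe the caller compares against the same packet (the caller is not visible in this hunk). I would state the outcome and raise the threshold, as the removed TODO intended: `if (o.debugging > 1)` with the text `"Ignoring reply with bad pingseq/tryno from host %s.\n"`. The new comment could also record the reason given in the commit message: `/* Connection info matches but tryno/pingseq fails the seqmask check (only matters with -g); ignore the reply rather than match it to an arbitrary probe. */`. tcp_probe_match starts and ends outside the hunk.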