in getinterfaces. This was the cause of an overlapping memcpy reported
at http://seclists.org/nmap-dev/2009/q2/0713.html.
In the code, sin is a pointer that holds the address of the IP address
configured for an interface. It is copied into a tmpifr.ifr_addr before
each ioctl, perhaps because that is required on some platforms even
though on Linux only ifr_name is needed by the ioctl. When the ioctl
returns, it overwrites whatever was in ifr_addr because that member is
in a union, so sin is kept in order to restore the address again before
the next ioctl.
In the code that handles SIOCGIFNETMASK, sin was mistakenly used as a
temporary pointer and redirected to &tmpifr.ifr_addr. This caused all
future memcpys before ioctl to copy tmpifr.ifr_addr to itself, rather
than copying in the IP address of the interface.
The throwaway sin assignment was not even used; the code that used it
was modified in r2751. So now we just keep sin pointing where it should
the whole time.
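The restore-before-ioctl pattern and the pointer aliasing described above, as an added example rather than Nmap's code: a constructed model of struct ifreq and a fake SIOCGIFNETMASK ioctl stand in for the kernel, and the hypothetical helper restore_addr() detects the self-copy instead of performing the undefined overlapping memcpy.

```c
/* Added example (not Nmap's code): the restore-before-ioctl pattern from
 * getinterfaces(), run against a constructed ifreq model and a fake ioctl
 * so it needs no real interface. All addresses are constructed. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
/* Same shape as struct ifreq: a name, then a union whose members share storage. */
struct model_ifreq {
    char ifr_name[16];
    union { struct sockaddr ifru_addr; struct sockaddr ifru_netmask; void *ifru_data; } ifr_ifru;
};
#define ifr_addr    ifr_ifru.ifru_addr
#define ifr_netmask ifr_ifru.ifru_netmask
/* Stands in for ioctl(fd, SIOCGIFNETMASK, &ifr): the reply lands in
 * ifr_netmask, which clobbers ifr_addr because they share the union. */
static void fake_ioctl_netmask(struct model_ifreq *ifr, in_addr_t mask) {
    struct sockaddr_in *out = (struct sockaddr_in *)&ifr->ifr_netmask;
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_addr.s_addr = mask;
}
/* Restore the saved address before the next ioctl. If sin aliases the
 * destination (the overlapping memcpy in the report), skip it and return 1. */
static int restore_addr(struct model_ifreq *ifr, const struct sockaddr_in *sin) {
    if ((const void *)sin == (const void *)&ifr->ifr_addr)
        return 1;
    memcpy(&ifr->ifr_addr, sin, sizeof *sin);
    return 0;
}
/* Two netmask queries, then the restore the next ioctl would get; alias_sin
 * reproduces the bug (sin redirected to &tmpifr.ifr_addr). Returns what is
 * left in ifr_addr, network order, and counts overlapping copies. */
static in_addr_t addr_after_queries(int alias_sin, int *overlaps) {
    struct sockaddr_in saved = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(0xC0A80102u) }; /* 192.168.1.2 */
    struct sockaddr_in *sin = &saved;          /* what getinterfaces keeps */
    struct model_ifreq tmpifr;
    memset(&tmpifr, 0, sizeof tmpifr);
    strncpy(tmpifr.ifr_name, "eth0", sizeof tmpifr.ifr_name - 1);
    *overlaps = 0;
    for (int i = 0; i < 2; i++) {
        *overlaps += restore_addr(&tmpifr, sin);
        fake_ioctl_netmask(&tmpifr, htonl(0xFFFFFF00u)); /* 255.255.255.0 */
        if (alias_sin)                         /* the throwaway sin assignment */
            sin = (struct sockaddr_in *)&tmpifr.ifr_addr;
    }
    *overlaps += restore_addr(&tmpifr, sin);
    return ((struct sockaddr_in *)&tmpifr.ifr_addr)->sin_addr.s_addr;
}
```

With the pointer kept where it belongs, ifr_addr holds the interface address after every restore; with the aliasing, the netmask is never replaced and each restore is a self-copy.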
another thing otherwise in a big if/else. Now getinterfaces just does
caching and getinterfaces_dnet or getinterfaces_siocgifconf does the
actual interface lookup.

Often two (or more) scripts using the same library would
overwrite the globals each was using. This would result
in (at best) an error or (at worst) a deadlock.
The patch changes the global accesses to local.

sending. In send_ip_packet, unswap them after sending so that the buffer is
returned unmodified. Do the packet trace after unswapping the values so that
the correct length and fragmentation offset are reported. On Mac OS X, an
ip_len of 60 (0x003c) was being reported as 15360 (0x3c00) and when ip_off had
the DF flag set (0x4000), it looked like a fragmentation offset of 512
(0x0040 * 8).

which have been merged to the upstream libdnet repository and thus
do not have to be re-applied when the libdnet version included with
Nmap is updated in the future.

GC for collecting socket locks [1].
If a thread does not close any sockets it creates, and then
returns (or errors), the thread and sockets will keep their "lock" until
garbage collected. This would be the same situation as before in this
particular case (reliance on GC).
To fix this, I have changed the socket unlock system to close all the sockets
of a thread not yielded and remove its "lock".
[1] http://seclists.org/nmap-dev/2009/q2/0624.html