PortList::forgetPort in verbose mode tries to print details on a Port
after it has been deleted. This function is only called in idle and ftp
bounce scans. Reported by Mak Kolybabi:
http://seclists.org/nmap-dev/2015/q1/129
for file in `grep "* including the terms and conditions of this license text as well. \*" * -r --files-with-match `; do sed "s/\* including the terms and conditions of this license text as well. \*/* including the terms and conditions of this license text as well. */g" -i $file; done
Contrary to the doc comment, this function could never return false but
only cause a fatal error.
Resolves these Parfait reports
(http://seclists.org/nmap-dev/2012/q4/412).
Error: Null pointer dereference (CWE 476)
Read from null pointer 'port'
at line 344 of components/nmap/build/amd64/portlist.cc in function 'PortList::setServiceProbeResults(unsigned short, int, serviceprobestate, char const*, service_tunnel_type, char const*, char const*, char const*, char const*, char const*, char const*, std::vector<char const*, std::allocator<char const*> > const*, char const*)'.
Function 'PortList::createPort(unsigned short, unsigned char)' may return constant 'NULL' at line 671, called at line 343.
Null pointer introduced at line 671 in function 'PortList::createPort(unsigned short, unsigned char)'.
Error: Null pointer dereference (CWE 476)
Write to null pointer 'current'
at line 520 of components/nmap/build/amd64/portlist.cc in function 'PortList::setPortState(unsigned short, unsigned char, int)'.
Function 'PortList::createPort(unsigned short, unsigned char)' may return constant 'NULL' at line 671, called at line 518.
Null pointer introduced at line 671 in function 'PortList::createPort(unsigned short, unsigned char)'.
Error: Null pointer dereference (CWE 476)
Write to null pointer 'answer'
at line 880 of components/nmap/build/amd64/portlist.cc in function 'PortList::setStateReason(unsigned short, unsigned char, unsigned short, unsigned char, sockaddr_storage const*)'.
Function 'PortList::createPort(unsigned short, unsigned char)' may return constant 'NULL' at line 671, called at line 877.
Null pointer introduced at line 671 in function 'PortList::createPort(unsigned short, unsigned char)'.
at line 885 of components/nmap/build/amd64/portlist.cc in function 'PortList::setStateReason(unsigned short, unsigned char, unsigned short, unsigned char, sockaddr_storage const*)'.
Function 'PortList::createPort(unsigned short, unsigned char)' may return constant 'NULL' at line 671, called at line 877.
Null pointer introduced at line 671 in function 'PortList::createPort(unsigned short, unsigned char)'.
Importing the whole std namespace caused a problem with Clang and the
punning of bind and std::bind.
http://seclists.org/nmap-dev/2012/q4/58
The Web's opinion of "using namespace std" also seems to be more against
than for.
Scripts may now return a key–value table, or such a table in addition to
a string. The table will be automatically formatted for normal output
and will appear as a hierarchy of elements in XML output.
Some history and discussion of this development can be found at
https://secwiki.org/w/Nmap/Structured_Script_Output.
This is a merge of r29484:29569 from /nmap-exp/david/xml-output.
This was a sockaddr_storage, which is 128 bytes. This is a lot for a
structure that is part of Port. It is now a union of sockaddr_in and
sockaddr_in6, which is 28 bytes. A new set_ip_addr method sets the union
from a sockaddr_storage, where plain assignment was used before.
The sockaddr_storage was introduced in r23778, the first big IPv6 merge.
CPEs are available at host.os (for the ones from OS fingerprinting) and
port.version.cpe (for the version detection ones).
This patch also fix a memory leak that David noticed in
PortList::setServiceProbeResults().
PROBESTATE_EXCLUDED, and PROBESTATE_INCOMPLETE to 3, not 2. We're
looking up the service name in the same way as when no service detection
is done, so the confidence should be the same.
I think you can make a case that the confidence should be lower if
service detection is done but doesn't find a match. But this matches the
behavior of Nmap 4.76, using a confidence of 3 for
PROBESTATE_FINISHED_NOMATCH.
match, not only for PROBESTATE_EXCLUDED. Otherwise a serviceDeductions
gets allocated but its name doesn't get set. Later, when a
serviceDeductions is present with no name, XML output doesn't print the
service element.
port is unknown, instead of -1. This makes it a better fit with the
other accessor functions. For those callers that need to know whether a
port is in the default state or not, add PortList::portIsDefault.
Having getPortState return -1 for ports in the default state would cause
the slightly wrong
Discovered unknown port 88/udp on 192.168.0.190 is actually open
to be printed instead of
Discovered open|filtered port 88/udp on 192.168.0.190 is actually open
scan response, instead of checking for a current state of
PORT_OPENFILTERED. The code calls getPortState, but the port may not
have been assigned a state, again because of the new Port allocation
architecture, so the function returns -1.
It would make sense to have getPortState return the default port state
if a Port has not been allocated, but there are two other places it is
used where the code relies on it returning -1 to indicate that a port
has not received a state yet.
called. Formerly the only way to create a port was to call
PortList::addPort, which also set the state. Now ports are allocated on
demand whenever anything about a port is set. If we don't set the state
and reason, they're "unknown" and "unknown-reason". Because of the
special handling of PORT_UNKNOWN in the output table, this could lead to
an assertion failure reported by Jon Kibler.
changes. The first is that Port objects don't allocate memory for
service and RPC results unless that information is set. This reduces the
size of a bare Port from 92 to 40 bytes on my machine. The second change
is that PortList now has the notion of a "default port state," which is
the state of any ports that didn't receive a response. These ports don't
need an allocated Port object, which saves a lot of memory in scans
where most ports didn't get a response.
