If we get a reply that doesn't pass the simple comparison using the
current value of USI->seqmask, then ignore it. Previously we emitted the
message "Bad Sequence number from host %s.\n" and allowed the reply to
match any probe. This only matters when using -g because otherwise we
encode that information in the source port. I think we have addressed
what was mentioned in the TODO comment in r15986. Allowing promiscuous
matching, as was done before, causes the same spurious closed port issue
that was addressed in r29686.
Per-probe tryno and pingseq are encoded as an offset from the base source
port number. Previously this was fixed for all calls of ultra_scan,
which means that unrelated probes in different calls would use the same
source port number if they had the same tryno and pingseq. This could
cause erroneous results if a reply to a probe from a previous call was
delayed and was received in the current call and interpreted as a legit
response.
This has no effect when o.magic_port_set is true (i.e., when -g or
--source-port is used).
http://seclists.org/nmap-dev/2012/q1/62
http://seclists.org/nmap-dev/2012/q3/589
This was a sockaddr_storage, which is 128 bytes. This is a lot for a
structure that is part of Port. It is now a union of sockaddr_in and
sockaddr_in6, which is 28 bytes. A new set_ip_addr method sets the union
from a sockaddr_storage, where plain assignment was used before.
The sockaddr_storage was introduced in r23778, the first big IPv6 merge.
Setting --min-parallelism without also setting --max-parallelism would
force the max parallelism to the same value. So, for example,
--min-parallelism=1 would also limit the max parallelism to 1. This
patch, based on one by Chris Woodbury, allows the max parallelism to
rise above this minimum, up to the maximum defined by each scan phase.
We count a drop for congestion control purposes if we receive a response
to a retransmitted probe, because that means that the reply to the
original probe was dropped. However, we weren't taking into account that
we are at the same time receiving a positive response, and should
increase the window accordingly. There are now three things that can
happen:
Response to first probe: ACK
Response to retransmission: DROP, then ACK
Probe timeout: DROP
The comment in struct_ip.h explains the reasoning for this. The AIX C library
uses #defines that change the names of members of struct ip, and conflict with
some existing code. (Notably struct ip_hdr in libdnet and IPv4Header::h in
libnetutil.) We can still use the AIX files if we include <netinet/ip.h> after
this other code has been preprocessed. That's hard to enforce when
<netinet/ip.h> is included from another header file; this new file allows
including it always late, and only where needed.
Heretofore we have always extracted the destination address directly
from the packet contents. But the raw packet bytes do not contain enough
information in one case: IPv6 link-local addresses. For those we really
need the scope ID, and for that we must pass this information all the
way down.
Before this, I got "no route to host" on OS link-local addresses. I
think that it was working on Linux only by accident, by the OS picking a
default interface or something.
A RST/ACK can only be matched to a SYN or FIN. A bare RST cannot
be matched to a SYN or FIN.
Matthew Stickney and Joe McEachern found cases where this caused replies
to be missed (specifically, RST/ACK in response to a NULL probe) and also
found standards justification for hosts returning RST/ACK in such a
situation.
There is a special test that uses IP IDs to check if a presumed reply
from localhost is actually one of our own probes. However the test
didn't bail out after finding one of these matches, so a retransmission
(with a different IP ID) could match and look like a protocol reply from
localhost.
We should have the multiprotocol version be the main version, with
IPv4-only code being a noted exception. Also these functions are almost
the same so one can call the other.
returning floating-point seconds. Everywhere o.TimeSinceStartMS was
called, the return value was being divided by 1000.0, which had the same
effect but would overflow when the difference exceeded about 25 days
(2^31 milliseconds). This patch is by Daniel Miller.
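The overflow described in this last commit message is a general integer-overflow pattern, so here is an added example (not Nmap code, and not the patch itself) that models both behaviours side by side. The function names `time_since_start_ms` and `time_since_start`, and the start/now timestamps, are constructed for illustration: the first mimics an elapsed-time accessor that returns 32-bit milliseconds, the second returns floating-point seconds computed directly from the timevals, which is the approach the message describes.

```c
/* Added example: why a 32-bit "milliseconds since start" value wraps after
 * roughly 24.9 days, and why returning floating-point seconds avoids it.
 * Function names and sample timestamps are hypothetical, not Nmap's. */
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

/* Model of the old behaviour: elapsed milliseconds truncated to int32.
 * Callers then divided this by 1000.0 to get seconds. The computation is
 * done in 64 bits and then narrowed so the wrap is explicit and deliberate. */
static int32_t time_since_start_ms(const struct timeval *start,
                                   const struct timeval *now) {
    int64_t ms = ((int64_t)now->tv_sec - (int64_t)start->tv_sec) * 1000 +
                 ((int64_t)now->tv_usec - (int64_t)start->tv_usec) / 1000;
    return (int32_t)(uint32_t)ms; /* wraps once ms exceeds INT32_MAX */
}

/* Model of the new behaviour: floating-point seconds computed directly,
 * with no intermediate 32-bit millisecond quantity. */
static double time_since_start(const struct timeval *start,
                               const struct timeval *now) {
    return (double)(now->tv_sec - start->tv_sec) +
           (double)(now->tv_usec - start->tv_usec) / 1e6;
}

/* How long a 32-bit millisecond counter can run before it wraps. */
static double days_until_ms_overflow(void) {
    return (double)INT32_MAX / 1000.0 / 86400.0; /* about 24.855 days */
}

/* Constructed timestamps: scan start, 1 second later, and 26 days later. */
static const struct timeval tv_start     = {1000000, 0};
static const struct timeval tv_after_1s  = {1000001, 0};
static const struct timeval tv_after_26d = {1000000 + 26L * 86400L, 0};

int main(void) {
    printf("32-bit ms counter wraps after %.3f days\n", days_until_ms_overflow());
    printf("after 1 s:   ms=%d  seconds=%.1f\n",
           time_since_start_ms(&tv_start, &tv_after_1s),
           time_since_start(&tv_start, &tv_after_1s));
    /* The millisecond version goes negative here; the seconds version does not. */
    printf("after 26 d:  ms=%d  seconds=%.1f\n",
           time_since_start_ms(&tv_start, &tv_after_26d),
           time_since_start(&tv_start, &tv_after_26d));
    return 0;
}
```

The practical check is the sign of the 26-day result: any timing logic that compares a wrapped, negative elapsed value against a positive timeout (as a scan engine's retransmission or rate-limiting code would) silently misbehaves, while the double-precision seconds value stays monotonic for the lifetime of the process.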