From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Mar 9 10:40:05 2006
From: Daniel Roethlisberger
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Alan Amesbury, daniel@roe.ch
Date: Thu, 9 Mar 2006 11:22:51 +0100 (CET)
Message-Id: <200603091022.k29AMpxh016850@aphrodite.roe>
Resent-Date: Thu, 9 Mar 2006 10:40:04 GMT
Resent-Message-Id: <200603091040.k29Ae455013148@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Subject: ports/94264: [maintainer] security/nmap: fix infinite loop in scan engine
List-Id: Ports bug reports

>Number:         94264
>Category:       ports
>Synopsis:       [maintainer] security/nmap: fix infinite loop in scan engine
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 09 10:40:03 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Daniel Roethlisberger
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD aphrodite.roe 5.4-STABLE FreeBSD 5.4-STABLE #7: Mon Oct 10 18:02:44 CEST 2005 root@aphrodite.roe:/usr/obj/usr/src/sys/APHRODITE i386
>Description:
Add: files/patch-scan_engine.cc

- Add patch resolving an infinite loop in the scan engine
- Bump PORTREVISION

Requested by: Alan Amesbury
>How-To-Repeat:
>Fix:
--- nmap-4.01-loopfix.diff begins here ---
diff -ruN nmap.orig/Makefile nmap/Makefile
--- nmap.orig/Makefile	Sat Feb 18 12:20:31 2006
+++ nmap/Makefile	Thu Mar 9 10:59:18 2006
@@ -7,6 +7,7 @@ PORTNAME?= nmap PORTVERSION= ${DISTVERSION:L:C/([a-z])[a-z]+/\1/g:C/[^a-z0-9+]+/./g} +PORTREVISION= 1 CATEGORIES= security ipv6 MASTER_SITES= http://download.insecure.org/nmap/dist/ \ http://www.mirrors.wiretapped.net/security/network-mapping/nmap/ \ diff -ruN nmap.orig/files/patch-scan_engine.cc nmap/files/patch-scan_engine.cc --- nmap.orig/files/patch-scan_engine.cc Thu Jan 1 01:00:00 1970 +++ nmap/files/patch-scan_engine.cc Thu Mar 9 11:03:44 2006 
@@ -0,0 +1,45 @@ +$FreeBSD$ + +Patch taken from <20060217013528.GG7214@syn.lnxnet.net>. +http://seclists.org/lists/nmap-dev/2006/Jan-Mar/0205.html +Will be included in nmap 4.02. + +--- scan_engine.cc.ORIG Wed Mar 8 13:36:06 2006 ++++ scan_engine.cc Wed Mar 8 13:40:44 2006 +@@ -807,6 +807,7 @@ + + /* Returns true if the GLOBAL system says that sending is OK.*/ + bool GroupScanStats::sendOK() { ++ int recentsends; + + if (USI->scantype == CONNECT_SCAN && CSI->numSDs >= CSI->maxSocketsAllowed) + return false; +@@ -815,7 +816,9 @@ + the last listen call, at least for systems such as Windoze that + don't give us a proper pcap time. Also for connect scans, since + we don't get an exact response time with them either. */ +- if (USI->scantype == CONNECT_SCAN || !pcap_recv_timeval_valid()) { ++ recentsends = USI->gstats->probes_sent - USI->gstats->probes_sent_at_last_wait; ++ if (recentsends > 0 && ++ (USI->scantype == CONNECT_SCAN || !pcap_recv_timeval_valid())) { + int to_ms = (int) MAX(to.srtt * .75 / 1000, 50); + if (TIMEVAL_MSEC_SUBTRACT(USI->now, last_wait) > to_ms) + return false; +@@ -828,7 +831,7 @@ + responses when I scan localhost. And half of those are the @#$# + sends being received. I think I'll put a limit of 50 sends per + wait */ +- if (USI->gstats->probes_sent - USI->gstats->probes_sent_at_last_wait >= 50) ++ if (recentsends >= 50) + return false; + + /* When there is only one target left, let the host congestion +@@ -969,7 +972,7 @@ + + getTiming(&tmng); + if (tmng.cwnd >= num_probes_active + .5 && +- (freshPortsLeft() || num_probes_waiting_retransmit)) { ++ (freshPortsLeft() || num_probes_waiting_retransmit || !retry_stack.empty())) { + if (when) *when = USI->now; + return true; + } --- nmap-4.01-loopfix.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
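Review bot: (Makefile hunk @@ -7,6 +7,7 @@) `PORTREVISION= 1` is the right bump, since the distfile stays at the same PORTVERSION while the installed binary changes; because the header of files/patch-scan_engine.cc says the fix "Will be included in nmap 4.02", the PORTREVISION line should be dropped again and the local patch removed when the port is updated to 4.02, so a short note to that effect next to the `PORTREVISION= 1` line (or in the commit log) would save the next updater a diff against upstream.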
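Review bot: (scan_engine.cc hunk @@ -807,6 +807,7 @@) `int recentsends;` is declared at the top of GroupScanStats::sendOK() but only assigned in the following hunk, past the early `return false` for the connect-scan socket limit, so declaration and first use are split across two hunks. Since this is C++, declaring at the point of use reads better and removes the uninitialized window: replace the bare declaration and the separate `recentsends = ...` assignment with `int recentsends = USI->gstats->probes_sent - USI->gstats->probes_sent_at_last_wait;` immediately before the `if`.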
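Review bot: (scan_engine.cc hunk @@ -815,7 +816,9 @@) The new `recentsends > 0 &&` guard is the part of the change that actually addresses the loop, and it deserves a comment of its own: in the old code the `if (TIMEVAL_MSEC_SUBTRACT(USI->now, last_wait) > to_ms) return false;` branch could fire even when no probe had been sent since `last_wait`, i.e. when there was nothing outstanding for a wait to collect, whereas the existing comment block above the `if` only explains the Windows/connect-scan timing rationale. Suggest one line above the condition such as `/* skip the timing check if nothing was sent since the last wait */`. Note also that the same `recentsends` value feeds the `>= 50` cap in the next hunk, so the assignment must stay ahead of both uses; it does in this diff.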
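Review bot: (scan_engine.cc hunk @@ -969,7 +972,7 @@) Adding `|| !retry_stack.empty()` to the work-available condition means a host whose only pending work is a probe on `retry_stack` now reports that it may send instead of being skipped; the preceding `tmng.cwnd >= num_probes_active + .5` test still gates it, so congestion control is not bypassed. The enclosing function is not visible in the hunk context and the patch header (`Patch taken from <20060217013528.GG7214@syn.lnxnet.net>`, the nmap-dev URL) gives only the origin, not the cause, so a sentence in the header of files/patch-scan_engine.cc stating that both the `recentsends` guard in GroupScanStats::sendOK() and this `retry_stack` check are needed would help whoever rebases or drops the patch at 4.02.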