Re: [nse] very strange bug on Leopard - endian problems?

[Kris Katterjohn <katterjohn () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

majek04 wrote:
> Hi!
>
> While developing os.nse[1] I found a bug, maybe someone
> can help me with it.
>
> This is what I get with simple debugging patch [2].
>
> on leopard:
> $ export NMAPDIR=.; sudo ./nmap -sP  scanme.nmap.org 2>&1
>
> Starting Nmap 4.60 ( http://nmap.org ) at 2008-03-31 15:00 CEST
> -- sendto in send_ip_packet: sendto(4, packet, 40, 0, 205.217.153.62, 16) --
> -- TCP 192.168.1.8:52620 > 205.217.153.62:80 A ttl=47 id=23788
> iplen=10240  seq=1523082815 win=4096 ack=494690232
>
>          4500 2800 5cec 0000 2f06 061c c0a8 0108  E.(.\.../.......
>          cdd9 993e cd8c 0050 5ac8 663f 1d7c 5fb8  ...>...PZ.f?.|_.
>          5010 1000 6af3 0000                      P...j...
<snip>
> You see the ip length field? Wtf? 0028 or 2800?
> Do we have some endian problems?

I have an idea: Apple is screwing with tradition :)

Raw sockets with IP_HDRINCL were never really documented, especially wrt
byte order.  The IP length field was one of the two fields that are
traditionally in *host* byte order when sent over the net on BSDs.
Since OS X is based on BSD, it should adhere to this (and it appears
that they did since this was never complained before about that I know
of).  But I guess with Leopard they went along with Linux and want it
all sent in network byte order (or nobody complained about the other
broken OS X versions..).  I don't know why they would want to break raw
sockets programs, though.

p657 of UNIX Network Programming tells the BSD vs. Linux gist, and you
can grep for MACOSX in tcpip.cc to see that Nmap ntohs()'s the IP length
field for BSDs and OS X.

I guess configure will need to check for Leopard and later versions
specifically so this stuff can be taken into account.

I wonder if pcap_get_selectable_fd() will work with Leopard?  Maybe
that's changed as well (I don't know why it didn't work before, so I
can't guess to why it would now).

> Marek Majkowski

Thanks,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBR/EnCf9K37xXYl36AQKXLRAAkT0odbNaqJ/DztXC5lRpFlaqgE+R+FTt
vwvrR6NdBZpKOTzSOUZ5H+3Vhdm8Y1vgPc56WCAs5/BbbNPo1r9ET1NXxYTbZm+0
K0+6wIyQPbA0+tBIeDXhpPtBNXG64TEOsRCl9vh2AjNkjxSYaxk4gaCnnH9Y07Mj
r6Gs1rseRWn7H5xm7E1YbTk+xHPW5iJUGnUMrefQygIak4vokmX9rpFWVzDeul1h
LEFzV8pmtSXW8E7eIt56Vsx8ab2LSzODe8K7JlBaTjd8rH5QCKvA4VwrQ8LXxzu4
bjJy/xDfWJVpklyBYJl9OlZpVoXQ7c9FpzH1cdiRvLUG3fjJwgVr8bNqqzgj4wXw
OvT8vV3ILxZlIHnNax9BC6oOpq4M6zr1XjGA5PY61MUgqSLJdC1tb5uRXrRLdmUB
iG7NbpmwaCfH5c3vpn9alK5L2mQWK+U4HU5h88VWnD3FPziSR9S7LLTzhbXFqeRk
mSVHMb7YpUGD3W4nDsF6GLesHcI2Jlto2SbuxmjFWXSjhjGLNHBVLY/NrHZ8K5Zl
ZmxCynarywMdvYrsTxHS6h1k9jheSstWxT98AMLsd615HmwHT5MlZwLhoBZZf/by
266Y/Xi+eUcTyokdzuossSvpzlEuyjDchMod7BxfpMm4Hd2Q5/QWGDhmU/+M/eWb
ico6+6+pElQ=
=yNOt
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org