Nmap Development mailing list archives
Re: nmap crash -- NmapOutputTable.cc:153: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*, int): Assertion `row < numRows' failed.
From: David Fifield <david () bamsoftware com>
Date: Wed, 20 Jan 2010 11:35:55 -0700
On Tue, Jan 19, 2010 at 04:40:19PM -0500, Jon Kibler wrote:
David Fifield wrote:On Mon, Jan 18, 2010 at 01:01:32PM -0500, Jon Kibler wrote:Jon Kibler wrote:I am having nmap crash and getting empty files for output:# nmap -sS -sV -sU -sC -oA cts -O -p- -T4 --min-rtt-timeout=1 --max-rtt-timeout=8 --initial-rtt-timeout=4 --min-parallelism=64 --max-parallelism=128 --max-retries=3 --version-light 10.22.149.132 WARNING: You specified a round-trip time timeout (8 ms) that is EXTRAORDINARILY SMALL. Accuracy may suffer. Starting Nmap 5.10BETA2 ( http://nmap.org ) at 2010-01-16 21:48 GMT Nmap scan report for 10.22.149.132 Host is up (0.00042s latency). Not shown: 65533 open|filtered ports, 65526 filtered ports nmap: NmapOutputTable.cc:153: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*, int): Assertion `row < numRows' failed. AbortedI hate to respond to my own email... but I notice that this had been a problem that was previously fixed in 4.01. I have rerun the scan with -d, and it doesn't seem to tell anything not already known (attaching log... if it passes filter). What can I do to help get this debugged?See if you can simplify the command line and still get the crash. For example, does it still happen if you don't use -sV? What if you narrow the port range with -p? The most likely culprits are the options that add rows to the ports table: -sS -sU -sC. If you can rule any of those out it would help.I was able to narrow down the problem. I got it so that it only occurs on a sU+sV on a relatively small number of ports. I have included pcap files (tshark) of the successful and failed scans, as well as nmap debug logs. More specifically... # fails $ nmap -sV -sU -d -p160-688 -T4 --min-rtt-timeout=1 --max-rtt-timeout=8 - --initial-rtt-timeout=4 --min-parallelism=64 --max-parallelism=128 - --max-retries=3 --version-light 10.22.149.132 > nmap-sU-sV-p160-688.log 2>&1 # works $ nmap -sV -sU -d -p160-672 -T4 --min-rtt-timeout=1 --max-rtt-timeout=8 - --initial-rtt-timeout=4 --min-parallelism=64 --max-parallelism=128 - --max-retries=3 --version-light 10.22.149.132 > nmap-sU-sV-p160-672.log 2>&1
Thank you for the logs. This is strange. The target sent back the same responses in both packet captures--none of the additional ports 673-688 should have been able to make a difference. Also strange is this:
$ nmap -sV -sU -d -p160-672 -T4 --min-rtt-timeout=1 --max-rtt-timeout=8 --initial-rtt-timeout=4 --min-parallelism=64 --max-parallelism=128 --max-retries=3 --version-light 10.22.149.132 Host is up, received arp-response (0.00050s latency). Scanned at 2010-01-19 21:23:36 GMT for 86s PORT STATE SERVICE REASON VERSION 160/udp unknown sgmp-traps unknown-response 161/udp open snmp udp-response net-snmp 162/udp unknown snmptrap unknown-response 163/udp unknown cmip-man unknown-response
STATE=unknown shouldn't happen. Same with REASON=unknown-response. This may well be a bug in the memory reduction changes I made. Every port that didn't get a response shares a single Port object, so an error could manifest itself this way. I can't reproduce this, though. Your scan that failed showed that the ports were properly detected open|filtered and not unknown:
$ nmap -sV -sU -d -p160-688 -T4 --min-rtt-timeout=1 --max-rtt-timeout=8 --initial-rtt-timeout=4 --min-parallelism=64 --max-parallelism=128 --max-retries=3 --version-light 10.22.149.132 Nmap scan report for 10.22.149.132 nmap: NmapOutputTable.cc:153: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*, int): Assertion `row < numRows' failed. Host is up, received arp-response (0.00062s latency). Scanned at 2010-01-19 21:19:04 GMT for 92s Not shown: 528 open|filtered ports
Perhaps it does have something to do with the timing options. Possibly some code is not getting a chance to run. Try your above scans again, only this time use -T3 and the default timing and parallelism. Do each scan three times to see if the results are consistent. If the error only happens with short timeouts and high parallelism, we'll know where to start looking next. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- nmap crash Jon Kibler (Jan 16)
- Re: nmap crash -- NmapOutputTable.cc:153: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*, int): Assertion `row < numRows' failed. Jon Kibler (Jan 18)
- Re: nmap crash -- NmapOutputTable.cc:153: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*, int): Assertion `row < numRows' failed. David Fifield (Jan 18)
- Message not available
- Re: nmap crash -- NmapOutputTable.cc:153: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*, int): Assertion `row < numRows' failed. David Fifield (Jan 20)
- Re: nmap crash -- NmapOutputTable.cc:153: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*, int): Assertion `row < numRows' failed. Jon Kibler (Jan 20)
- Re: nmap crash -- NmapOutputTable.cc:153: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*, int): Assertion `row < numRows' failed. David Fifield (Jan 21)
- Re: nmap crash -- NmapOutputTable.cc:153: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*, int): Assertion `row < numRows' failed. Jon Kibler (Feb 01)
- Re: nmap crash -- NmapOutputTable.cc:153: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*, int): Assertion `row < numRows' failed. David Fifield (Jan 18)
- Re: nmap crash -- NmapOutputTable.cc:153: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*, int): Assertion `row < numRows' failed. Jon Kibler (Jan 18)