Nmap Development mailing list archives

More nsock socket_count_write_dec assert() failures

From: Brandon Enright <bmenrigh () ucsd edu>
Date: Mon, 25 Jan 2010 23:49:19 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Some months ago we made some necessary changes to how nsock tracks open
sockets for reading and writing so we could better control how many
sockets are open so we didn't corrupt memory when we did a select() on
them.  Long story short, I think we found properly tracking socket
states is a lot harder than it sounds.

I have a host that always triggers a:

nmap: nsock_core.c:199: socket_count_write_dec: Assertion `(iod->writesd_count) > 0' failed.

Here are the lines leading up to this:

[...snip...]
NSE: HTTP: Didn't receive expected response to HEAD request (got 401 Unauthorized).
NSE: Checking if a GET request is going to work out
NSE: Final http cache size (597 bytes) of max size of 1000000
NSE: Finished http-headers against a.b.254.121:443.
NSE: Final http cache size (615 bytes) of max size of 1000000
NSE: Final http cache size (633 bytes) of max size of 1000000
NSE: Root directory requires authentication (401 Unauthorized), scans may not work
NSE: Total number of pipelined requests: 10
NSE: Number of requests allowed by pipeline: 1
NSE Timing: About 92.50% done; ETC: 16:17 (0:00:03 remaining)
NSE: http-iis-webdav-vuln: PROPFIND request failed.
NSE: Finished http-iis-webdav-vuln against a.b.254.121:443.


Here is a backtrace.  I can recompile Nmap with Lua included so we get
Lua symbols if that is at all useful.


[New process 24011]
#0  0x00007f0b0163f205 in raise () from /lib/libc.so.6
(gdb) bt
#0  0x00007f0b0163f205 in raise () from /lib/libc.so.6
#1  0x00007f0b01640723 in abort () from /lib/libc.so.6
#2  0x00007f0b01638229 in __assert_fail () from /lib/libc.so.6
#3  0x0000000000483bae in socket_count_write_dec (iod=<value optimized out>,
    ms=<value optimized out>) at nsock_core.c:199
#4  0x0000000000485cd7 in nsock_loop (nsp=0x25f1ad0, msec_timeout=50)
    at nsock_core.c:940
#5  0x00000000004771c1 in l_nsock_loop (L=0x26168a0) at nse_nsock.cc:551
#6  0x00007f0b0231812b in ?? () from /usr/lib/liblua.so.5
#7  0x00007f0b02318528 in ?? () from /usr/lib/liblua.so.5
#8  0x00007f0b023138a6 in lua_call () from /usr/lib/liblua.so.5
#9  0x0000000000473b2c in nsock_loop (L=0x26168a0) at nse_main.cc:168
#10 0x00007f0b0231812b in ?? () from /usr/lib/liblua.so.5
#11 0x00007f0b02322e31 in ?? () from /usr/lib/liblua.so.5
#12 0x00007f0b02318585 in ?? () from /usr/lib/liblua.so.5
#13 0x00007f0b02317d27 in ?? () from /usr/lib/liblua.so.5
#14 0x00007f0b02317da5 in ?? () from /usr/lib/liblua.so.5
#15 0x00007f0b023136b4 in lua_pcall () from /usr/lib/liblua.so.5
#16 0x0000000000473931 in run_main (L=0x26168a0) at nse_main.cc:468
#17 0x00007f0b0231812b in ?? () from /usr/lib/liblua.so.5
#18 0x00007f0b02318528 in ?? () from /usr/lib/liblua.so.5
#19 0x00007f0b02317d27 in ?? () from /usr/lib/liblua.so.5
#20 0x00007f0b02317da5 in ?? () from /usr/lib/liblua.so.5
#21 0x00007f0b02313657 in lua_cpcall () from /usr/lib/liblua.so.5
#22 0x0000000000473775 in script_scan (targets=@0x7fff0b18a2a0)
    at nse_main.cc:607
#23 0x000000000041fa1e in nmap_main (argc=35, argv=0x7fff0b18d538)
    at nmap.cc:1894
#24 0x000000000041af95 in main (argc=35, argv=0x7fff0b18d538) at main.cc:205

I know tracking this problem down is going to be exceptionally
difficult so I also have the output of doing this scan with "-v -v -d9
- --packet-trace --script-trace" which should help.  I also have the
output of doing the same while using strace.  I also have a PCAP.  I
can't make these files available publicly though as the machine being
scanned here is involved with processing credit cards.  Within reason
I can make the files available privately.

I'm happy to apply a patch that prints useful debugging info.

If any more hosts show up triggering this assert() I'll send a note
along.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEARECAAYFAktaYF4ACgkQqaGPzAsl94IJMgCgslqb8nD25R2b9bJPqpdxWc7v
1/gAoLIGf1fxLahwR/o9hR8Y5U4Bf0Zv
=/69k
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

More nsock socket_count_write_dec assert() failures Brandon Enright (Jan 25)
- Re: More nsock socket_count_write_dec assert() failures Brandon Enright (Feb 05)
- Re: More nsock socket_count_write_dec assert() failures David Fifield (Feb 26)
  - Re: More nsock socket_count_write_dec assert() failures Brandon Enright (Feb 26)
  - Re: More nsock socket_count_write_dec assert() failures Brandon Enright (Mar 01)
    - Re: More nsock socket_count_write_dec assert() failures David Fifield (Mar 01)
    - Re: More nsock socket_count_write_dec assert() failures David Fifield (Mar 03)
    - Re: More nsock socket_count_write_dec assert() failures Brandon Enright (Mar 05)
    - Re: More nsock socket_count_write_dec assert() failures David Fifield (Mar 09)