Nmap Development mailing list archives

NMAP crash


From: starlight.2012q3 () binnacle cx
Date: Thu, 13 Sep 2012 03:08:32 -0400

Hello,

Came upon a reproducible crash that
might be of interest.  Running SVN 29768.

Command is

  nmap -e eth4 -S 172.29.86.4 --send-eth \
       -T4 -Pn -O -sV -sC 58.218.199.227

also happens with target 58.218.199.250

The "-e eth4 -S 172.29.86.4" options are
likely not necessary.  Were added
here to invoke an alternate 'iproute2'
source-address selected default route.

On first scan, it always produces the attached
result.  If the scan is re-run immediately
it runs normally to completion.  After a
few minutes the crash can be reproduced again.

Observed /proc/<pid>/fd and did see that
commencing with the "is this port really open?"
message a huge number of sockets were opened
until the limit of 1024 was hit.  Increased
to 'ulimit -n 10240' and it consumed all of
those as well, then crashed.

Running 64-bit 'nmap' under an old
2.6.27.25-78.2.56.fc9.x86_64 kernel.

'nmap' built with 'gcc' version 4.7.1.

   configure --without-zenmap --with-libpcap=/usr/local

Where 'libpcap' is version 1.3.0.

The two China 58.218.199.x IPs attempted to
exploit the web-server here, which is taken
as tacit permission to scan them with
the aggressive parameters.  Evidence
attached.

Attachment: hack_attempt.txt
Description:

Attachment: nmap_crash.txt
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
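The report above diagnoses the crash by watching /proc/<pid>/fd fill up to the 'ulimit -n' ceiling. The following is an added example, not code from the poster or from the Nmap project: a small POSIX sh helper that polls a process's open-descriptor count from /proc/<pid>/fd against the soft "Max open files" value in /proc/<pid>/limits, and snapshots the descriptor table when usage crosses a threshold, so a leak like the one described can be captured before the process dies. It assumes a Linux procfs; the function names, the default threshold and the `pgrep -n nmap` usage line are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): poll a process's open file
# descriptors, read from /proc/<pid>/fd, against its soft "Max open files"
# limit from /proc/<pid>/limits, so a descriptor leak like the one reported
# can be caught before the limit is hit. Assumes Linux procfs.

# Number of open descriptors for PID $1 (fails if /proc/<pid>/fd is absent).
fd_count() {
    pid=$1
    [ -d "/proc/$pid/fd" ] || return 1
    # one entry per line; strip wc's padding so callers get a bare number
    ls -1 "/proc/$pid/fd" 2>/dev/null | wc -l | tr -d ' '
}

# Soft "Max open files" limit for PID $1 (4th column of the limits line).
fd_soft_limit() {
    pid=$1
    [ -r "/proc/$pid/limits" ] || return 1
    awk '/^Max open files/ { print $4 }' "/proc/$pid/limits"
}

# Percentage of the soft limit in use, given a count ($1) and a limit ($2).
# Integer arithmetic only; a non-numeric limit such as "unlimited" reports 0.
fd_usage_pct() {
    count=$1
    limit=$2
    case "$limit" in
        ''|*[!0-9]*) echo 0; return 0 ;;
    esac
    [ "$limit" -gt 0 ] || { echo 0; return 0; }
    echo $(( count * 100 / limit ))
}

# Poll PID $1 every $2 seconds (default 1) and print count/limit/percent.
# Returns 2 once usage reaches the threshold percentage $3 (default 90),
# after dumping the tail of the descriptor table, and 0 when the process exits.
watch_fds() {
    pid=$1
    interval=${2:-1}
    threshold=${3:-90}
    while kill -0 "$pid" 2>/dev/null; do
        count=$(fd_count "$pid") || return 1
        limit=$(fd_soft_limit "$pid") || return 1
        pct=$(fd_usage_pct "$count" "$limit")
        printf '%s pid=%s fds=%s limit=%s usage=%s%%\n' \
            "$(date '+%H:%M:%S')" "$pid" "$count" "$limit" "$pct"
        if [ "$pct" -ge "$threshold" ]; then
            echo "descriptor usage at ${pct}% of soft limit; snapshot of /proc/$pid/fd:" >&2
            ls -l "/proc/$pid/fd" 2>/dev/null | tail -n 20 >&2
            return 2
        fi
        sleep "$interval"
    done
    return 0
}

# Usage (assumed invocation, run in a second terminal while the scan runs):
#   watch_fds "$(pgrep -n nmap)" 1 90
```

The snapshot taken at the threshold is the useful artifact: `ls -l /proc/<pid>/fd` shows whether the leaked descriptors are sockets, pcap handles or files, which narrows down which code path is failing to close them.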
