Re: Wild TTL value

[David Fifield <david () bamsoftware com>]

On Wed, May 01, 2013 at 04:46:52PM +0200, Gisle Vanem wrote:
> There seems to be a problem with how libnetutil/netutil.cc is
> setting the IP-TTL value on sockets; from nmap on Win32 linked with
> a WinSock tracing lib:
>
>    * libnetutil/netutil.cc(871) (set_ttl+34):   setsockopt (1780, IPPROTO_IP,
>                    IP_TTL, ULONG_MAX, 4) --> WSAEINVAL: Invalid arguments (10022).
>
> I mean, why set TTL to such a high value? The IP-TTL field is only
> 8 bits. No wonder Winsock complains. I know about the "nmap --ttl"
> option but IMHO the default should be bounded to 255 max like this:
>
> --- SVN-Latest\libnetutil\netutil.cc    Thu Apr 25 10:06:07 2013
> +++ libnetutil\netutil.cc       Wed May 01 16:41:30 2013
> @@ -868,6 +868,7 @@
>   if (sd == -1)
>     return;
>
> +  ttl = max (min(ttl, 255), 255);
>   setsockopt(sd, IPPROTO_IP, IP_TTL, (const char *) &ttl, sizeof ttl);
> #endif
> }
>
> ---------
>
> Or better, the caller of set_ttl() should fix it. It is obviously
> passing a ttl of '-1'.

It looks like there is only one caller, and it's using the default value
of -1 for o.ttl.

Please try this patch. What I need you to check is that it has the same
behavior as before on platforms like Linux that don't give an error for
-1. That is, perhaps existing behavior on Linux is to set the TTL to 255
when IP_TTL is set like this, and if that's true, perhaps we should try
to keep the behavior.

David Fifield

Attachment: set_ttl-opt.patch
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/