Nmap Development mailing list archives

Re: [NSE] Socket dead-lock


From: nnposter () users sourceforge net
Date: Thu, 11 Jul 2013 17:37:30 +0000

While working on a new script I am experiencing what appears to be
a reproducible dead-lock in a socket operation. By reproducible I mean
about 80% while targeting a specific system.

My vague suspicion is that a socket object is getting automatically
destroyed when a thread that originally created it finishes. Is it
perhaps that passing a socket object from thread to thread is
prohibited? Even if so, should it result in a dead-lock, as opposed
to an error?

The script performs password guessing, leveraging brute.lua. It is not
doing any unusual socket work; all it does is connect, read, write, and
close. It maintains a connection pool so that a new connection is not
required for every guess attempt. In the course of the run a connection
may be passed from one worker to another.


Running the script with -d -d -d shows this particular sequence when it
fails to return from socket:connect():

-- close() invoked on a connected socket object in thread: 0x8c0bd90
NSE: TCP P.Q.R.S:49514 > A.B.C.D:XY | CLOSE
NSOCK (0.5580s) nsi_delete (IOD #4)
-- returns with true,nil
...
-- one of other brute.lua worker threads finishes
NSE: Finished 'xyz' worker (thread: 0x8c56a28) against A.B.C.D:XY.
...
-- worker thread that originally created and used the socket object finishes
NSE: Finished 'xyz' worker (thread: 0x8c0bd90) against A.B.C.D:XY.
...
-- connect() on the same socket object in thread: 0x8c07030
NSOCK (0.5580s) nsi_new (IOD #6)
NSOCK (0.5600s) TCP connection requested to A.B.C.D:XY (IOD #6) EID 968
-- this closing of the socket is not explicitly called from my script
NSE: TCP P.Q.R.S:49516 > A.B.C.D:XY | CLOSE
NSOCK (0.5600s) nsi_delete (IOD #6)
NSOCK (0.5600s) msevent_cancel on event #968 (type CONNECT)
NSOCK (0.5600s) Callback: CONNECT CANCELLED for EID 968 [A.B.C.D:XY]
-- connect() never returns


In the minority of cases when the dead-lock does not occur the log does
not show this intersection of nsi_new and nsi_delete on the same IOD.
Event nsi_delete comes only after connect() completes:

-- close() invoked on a connected socket object in thread: 0xa2fcaf8
NSE: TCP P.Q.R.S:49531 > A.B.C.D:XY | CLOSE
NSOCK (0.6020s) nsi_delete (IOD #3)
-- returns with true,nil
...
-- connect() on the same socket object in thread: 0xa2fcaf8
NSOCK (0.6020s) nsi_new (IOD #6)
NSOCK (0.6040s) TCP connection requested to A.B.C.D:XY (IOD #6) EID 976
...
-- one of other brute.lua worker threads finishes
NSE: Finished 'xyz' worker (thread: 0xa2afd90) against A.B.C.D:XY.
...
-- one of other brute.lua worker threads finishes
NSE: Finished 'xyz' worker (thread: 0xa2ab030) against A.B.C.D:XY.
...
NSOCK (0.6060s) Callback: CONNECT SUCCESS for EID 976 [A.B.C.D:XY]
NSE: TCP P.Q.R.S:49534 > A.B.C.D:XY | CONNECT
-- returns with true,nil
...
-- the thread that originally created and now still/again holds the socket
NSE: Finished 'xyz' worker (thread: 0xa2fcaf8) against A.B.C.D:XY.
NSE: TCP P.Q.R.S:49534 > A.B.C.D:XY | CLOSE
NSOCK (0.6070s) nsi_delete (IOD #6)

The dead-lock is observed in release 6.25 on both Ubuntu 12.04 LTS and
Windows XP (compiled from source).

I would be grateful if anybody could shed some light onto this peculiar
problem.


Cheers,
nnposter
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
