Nmap Development mailing list archives
Re: Nmap/Nping bug on udp checksum calculation
From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Sun, 03 Nov 2013 18:49:19 +0100
Hi, David. Regarding this bug, I believe it also affects osscan2.cc. See below. What do you think? --- osscan2.cc (revision 32492) +++ osscan2.cc (working copy) @@ -2165,6 +2165,12 @@ /* OK, now we should be able to compute a valid checksum */ realcheck = ipv4_pseudoheader_cksum(source, hss->target->v4hostip(), IPPROTO_UDP, sizeof(struct udp_hdr) + datalen, (char *) udp); + + /* If the computed checksum has a value of zero, we need to set it + * to 0xFFFF (See RFC 768) */ + if(realcheck==0) + realcheck=0xFFFF; + #if STUPID_SOLARIS_CHECKSUM_BUG udp->uh_sum = sizeof(struct udp_hdr) + datalen; #else Best regards, Luis MartinGarcia. On 11/02/2013 11:38 PM, Michael Weber wrote:
Hi, my name is Michael Weber and I'm a computer science student from Würzburg, Germany. I'm currently developing some network hardware and applied some tests to it using Nmaps Nping to send some custom build frames. While tracing them in wireshark I stumbled upon some strange behavior, which might be a bug in Nmap/Nping. Sending UDP data can contain but must not contain a checksum. The checksum, must be transmitted as all ones if the calculated value is all zero. An all zero value denotes that no checksum has been calculated (see rfc 768) In Nmap the checksum is calculated in netutil.cc (ipv4_pseudoheader_cksum) called from within UDPHeader.cc (UDPHeader::setSum) as a quick search in the sources revealed. I think the return value must be checked for zero like it's done in ipv6_pseudoheader_cksum before it is returned or, if that will lead to some trouble for TCP checksum calculation, must be checked in UDPHeader::setSum before the method returns. Versions used: Windows: nmap 6.40/nping 0.6.40 on win7x64ultimate Linux: nmap 0.25/nping 0.6.25 on debian6.0.7 This is a snippet from a wireshark trace on my windows machine; the missing dest mac is happening on windows only. 0000 00 00 00 00 00 00 90 e6 ba 2d 2e 1c 08 00 45 00 ........ .-....E. 0010 00 30 42 6b 00 00 40 11 ac f7 c0 a8 05 02 c0 a8 .0Bk..@. ........ 0020 05 08 c9 a7 00 09 00 1c _00 00_ 11 11 11 11 11 11 ........ ........ 0030 11 11 11 11 11 11 11 11 11 11 11 11 11 11 ........ ...... The calculated checksum should be 0xffff following the calculation instructions in RFCs and on some other sources. Kind regards, Michael Weber _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Nmap/Nping bug on udp checksum calculation Michael Weber (Nov 02)
- Re: Nmap/Nping bug on udp checksum calculation Luis MartinGarcia. (Nov 03)
- Re: Nmap/Nping bug on udp checksum calculation Luis MartinGarcia. (Nov 03)
- Re: Nmap/Nping bug on udp checksum calculation David Fifield (Nov 10)
- Re: Nmap/Nping bug on udp checksum calculation Daniel Miller (Nov 04)
- Re: Nmap/Nping bug on udp checksum calculation David Fifield (Nov 04)
- AW: Nmap/Nping bug on udp checksum calculation Michael Weber (Nov 05)
- Re: Nmap/Nping bug on udp checksum calculation Luis MartinGarcia (Nov 05)
- Re: Nmap/Nping bug on udp checksum calculation Daniel Miller (Nov 05)
- Re: Nmap/Nping bug on udp checksum calculation David Fifield (Nov 04)