Nmap Development mailing list archives

Re: Sergey. [Status report 10/17]


From: Patrick Donnelly <batrick () batbytes com>
Date: Wed, 6 Jul 2016 11:58:04 -0400

Hi Sergey,

On Tue, Jul 5, 2016 at 8:37 PM, Sergey Khegay <g.sergeykhegay () gmail com> wrote:
- Tested libssh2 port to Windows. Although it works, there is a big
  performance issue. At first I thought that it was Windows platform
  related, but after a couple of tests it turned out that the Linux
  platform is also affected.

  The problem is that when using the libssh2 module, there is huge
  memory consumption: using the ssh-brute.nse script for testing with
  --max-parallelism=100 and brute.threads=100 (aka max_threads) and
  12000 accounts to iterate, the virtual memory claimed rises from
  18 MB to over 2 GB (!). Testing under the same conditions but with a
  different brute script, ftp-brute.nse, did not reveal such huge
  memory consumption.

  Interestingly, when I run the script on my Mac, the NSE manages to
  iterate over all credentials and find the correct pair. On Windows 7,
  however, the nmap process gives up with a segmentation fault when
  ~2 GB of memory is claimed (private working set). The segmentation
  fault is thrown because of these two lines of code:

  nse_libssh2: l_session_open(..)

    state->session = libssh2_session_init();   /* returns NULL when allocation fails */
    ...
    libssh2_session_set_blocking(state->session, 0);   /* dereferences state->session without a NULL check */

  Because the memory is exhausted (unlikely there is any other reason),
  `libssh2_session_init()` fails to allocate space for an ssh2 session,
  hence `state->session` is set to NULL. The segmentation fault happens
  in `libssh2_session_set_blocking(state->session, 0)` because the
  function tries to access the session descriptor at the 0 (NULL) location.

  My assumption is that Lua's garbage collection is to blame; probably
  the userdata created to track ssh2 state is not cleaned up properly upon
  completion.

  nse_libssh2: l_session_open(..)

    /* full userdata owned by the Lua GC; the ssh2 session it points to is native memory */
    ssh_userdata *state =
        (ssh_userdata *)lua_newuserdata(L, sizeof(ssh_userdata));


  I have not figured out how to properly check the assumption yet and
  force Lua to clean up userdata.

It's extremely unlikely there is a problem with Lua GC. After a glance
at nse_libssh2, I see no obvious leaks. Use:

https://www.lua.org/manual/5.3/manual.html#pdf-collectgarbage

to see how many bytes are in use by Lua. I suspect the actual problem
is in some Windows-specific code in libssh2 or in nse_libssh2.

-- 
Patrick Donnelly
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
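The diagnostic Patrick suggests, as an added example that is not part of the thread and not code from Nmap or nse_libssh2: `collectgarbage("count")` reports the kibibytes currently held by the Lua allocator, so sampling it before and after a large batch of session open/close cycles separates a Lua-heap leak (leaked userdata) from a native-heap leak (memory allocated by libssh2 or the C side of nse_libssh2 that Lua never sees). The workload function `open_and_close_session` is a placeholder standing in for whatever opens and tears down one session in the code under test; its name and body are assumptions, not the module's API.

```lua
-- Added example: distinguish Lua-heap growth from native-heap growth.
-- collectgarbage("count") returns KiB in use by Lua (Lua 5.3 manual).

-- Force two full collection cycles before sampling: the first frees
-- unreachable objects and runs __gc finalizers, the second reclaims
-- anything those finalizers released.
local function lua_heap_kib()
  collectgarbage("collect")
  collectgarbage("collect")
  return collectgarbage("count")
end

-- Run `fn` `iterations` times and return the Lua heap delta in KiB.
-- A delta near zero while the process working set still climbs means the
-- leak is in native code (libssh2 or the C allocations behind the
-- userdata), not in Lua-managed memory.
local function measure_lua_heap(iterations, fn)
  local before = lua_heap_kib()
  for _ = 1, iterations do
    fn()
  end
  local after = lua_heap_kib()
  return after - before, before, after
end

-- Placeholder workload (assumption): replace with the real open/close
-- of one ssh2 session. This stand-in allocates a short-lived table so
-- the probe has something to measure.
local function open_and_close_session()
  local s = { payload = string.rep("x", 1024) }
  s = nil
end

-- Contrast case: a workload that really does leak on the Lua side, to
-- show what a userdata leak looks like in the same measurement.
local retained = {}
local function leaky_session()
  retained[#retained + 1] = { payload = string.rep("x", 1024) }
end

local iterations = 12000   -- same account count as in the report above

local growth, before, after = measure_lua_heap(iterations, open_and_close_session)
print(string.format("clean workload: %.1f KiB -> %.1f KiB (delta %.1f KiB)",
                    before, after, growth))

growth, before, after = measure_lua_heap(iterations, leaky_session)
print(string.format("leaky workload: %.1f KiB -> %.1f KiB (delta %.1f KiB)",
                    before, after, growth))
```

Run this as a plain Lua 5.3 script first to see the two baselines, then swap the placeholder for the real session open/close inside the script under test. If the clean-workload pattern (flat Lua heap) holds while the process keeps growing, the bytes are being lost outside Lua, which is where the thread's suspicion of Windows-specific code in libssh2 or nse_libssh2 points. Independently of where the leak is, the crash itself is avoidable: `libssh2_session_init()` returning NULL should be checked before `libssh2_session_set_blocking()` is called on the result, so allocation failure surfaces as an error rather than a segmentation fault.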