Differences for page Open bugsCurrent version compared with version Tue May 08 08:43:07 GMT 2007...
Please write the bug report in any case even if you have only some of this information.
+ -----------------------------------
+ ->OS Ubuntu 8.10
+ ->hping version 2.0.0-rc3, 3.0.0-alpha-2
+ ->gcc version 4.3.2 (Ubuntu 4.3.2-1ubuntu12
- ---
+ Buffer overflow is in place when options --scan and -t uses at the same time. At the list below I used ttl 1 (there are two hops to the target 10.201.1.100). But situation is the same for any ttl=target_ttl-1 and less. Also I mentioned that if I use one remote port to scan sometimes issue not shown and I can see the normal output of hping. Situation is the same both for hping2 and hping3.
+
+ root@bt:~# traceroute -T 10.201.1.100
+ traceroute to 10.201.1.100 (10.201.1.100), 30 hops max, 40 byte packets
+ 1 my.firewall (10.201.2.1) 5.406 ms 10.532 ms 15.561 ms
+ 2 10.201.1.100 (10.201.1.100) 58.799 ms 60.190 ms 61.298 ms
+
+ root@bt:~# hping -S -p 80 10.201.1.100
+ HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
+ len=46 ip=10.201.1.100 ttl=127 DF id=20607 sport=80 flags=SA seq=0 win=65535 rtt=4.9 ms
+ len=46 ip=10.201.1.100 ttl=127 DF id=20610 sport=80 flags=SA seq=1 win=65535 rtt=4.9 ms
+ ^C
+ --- 10.201.1.100 hping statistic ---
+ 2 packets transmitted, 2 packets received, 0% packet loss
+ round-trip min/avg/max = 4.9/4.9/4.9 ms
+
+ root@bt:~# hping -S -p 80 -t 1 10.201.1.100
+ HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
+ TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+ TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+ TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+ ^C
+ --- 10.201.1.100 hping statistic ---
+ 3 packets transmitted, 3 packets received, 0% packet loss
+ round-trip min/avg/max = 0.0/0.0/0.0 ms
+
+ root@bt:~# hping -S --scan 80 -t 1 10.201.1.100
+ Scanning 10.201.1.100 (10.201.1.100), port 80
+ 1 ports to scan, use -V to see all the replies
+ +----+-----------+---------+---+-----+-----+
+ |port| serv name | flags |ttl| id | win |
+ +----+-----------+---------+---+-----+-----+
+ *** buffer overflow detected ***: hping terminated
+ ======= Backtrace: =========
+ /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f746d8]
+ /lib/tls/i686/cmov/libc.so.6[0xb7f72800]
+ hping[0x8050529]
+ hping[0x805100a]
+ hping[0x8049be8]
+ /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7e90685]
+ hping[0x8049461]
+ ======= Memory map: ========
+ 08048000-08058000 r-xp 00000000 03:05 1058310 /usr/sbin/hping2
+ 08058000-0805a000 rw-p 0000f000 03:05 1058310 /usr/sbin/hping2
+ 0805a000-08060000 rw-p 00000000 00:00 0
+ 080fb000-0811c000 rw-p 00000000 00:00 0 [heap]
+ b7d98000-b7da5000 r-xp 00000000 03:05 1038415 /lib/libgcc_s.so.1
+ b7da5000-b7da6000 r--p 0000c000 03:05 1038415 /lib/libgcc_s.so.1
+ b7da6000-b7da7000 rw-p 0000d000 03:05 1038415 /lib/libgcc_s.so.1
+ b7db9000-b7e7a000 rw-s 00000000 00:08 1736725 /SYSV00000000 (deleted)
+ b7e7a000-b7fd2000 r-xp 00000000 03:05 1048034 /lib/tls/i686/cmov/libc-2.8.90.so
+ b7fd2000-b7fd4000 r--p 00158000 03:05 1048034 /lib/tls/i686/cmov/libc-2.8.90.so
+ b7fd4000-b7fd5000 rw-p 0015a000 03:05 1048034 /lib/tls/i686/cmov/libc-2.8.90.so
+ b7fd5000-b7fd8000 rw-p 00000000 00:00 0
+ b7fea000-b7fec000 rw-p 00000000 00:00 0
+ b7fec000-b8006000 r-xp 00000000 03:05 1038373 /lib/ld-2.8.90.so
+ b8006000-b8007000 rw-p 00000000 00:00 0
+ b8007000-b8008000 r--p 0001a000 03:05 1038373 /lib/ld-2.8.90.so
+ b8008000-b8009000 rw-p 0001b000 03:05 1038373 /lib/ld-2.8.90.so
+ bf8fd000-bf912000 rw-p 00000000 00:00 0 [stack]
+ ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]
+ Aborted
+ Not responding ports: (80 www)
+ All replies received. Done.
+
+ root@bt:~# hping -S --scan 80 10.201.1.100
+ Scanning 10.201.1.100 (10.201.1.100), port 80
+ 1 ports to scan, use -V to see all the replies
+ +----+-----------+---------+---+-----+-----+
+ |port| serv name | flags |ttl| id | win |
+ +----+-----------+---------+---+-----+-----+
+ 80 www : .S..A... 127 46672 65535
+ All replies received. Done.
+ Not responding ports:
+
+ ------------------------------------------------------------
+
+
+ ----
+ *FIXME fixed:* The IP id issue for fragments can be resolved with this path. 13.09.2007 (oliver dot stampfli @ epfl dot ch)
+ Index: sendip.c
+ ===================================================================
+ RCS file: /cvsroot/hping2/hping3s/sendip.c,v
+ retrieving revision 1.2
+ diff -r1.2 sendip.c
+ 67c67,68
+ < else /* if you need fragmentation id must not be randomic */
+ ---
+ > else /* if you need fragmentation id must not be random but all fragments belonging to the
+ > * the same IP packet must have the same id that is unique amongst other fragments. */
+ 69,73c70,79
+ < /* FIXME: when frag. enabled sendip_handler shold inc. ip->id */
+ < /* for every frame sent */
+ < ip->id = (src_id == -1) ?
+ < htons(getpid() & 255) :
+ < htons((unsigned short) src_id);
+ ---
+ > if(src_id == -1)
+ > {
+ > __u16 b16_counter = (__u16)sent_pkt;
+ > __u16 b16_pid = getpid() & 0xff;
+ > ip->id = htons(b16_pid + b16_counter);
+ > }
+ > else
+ > {
+ > ip->id = htons((unsigned short) src_id);
+ > }
+ ----
+ *Bug Report:* Error in computation of checksums for odd packet size. 31.8.2007 (oliver dot stampfli @ epfl dot ch)
+ It is the same bug that was already discovered in the ars.c file but this one is in the cksum.c file:
+ Change line 22 of cksum.c.
+ *((__u16 *) &oddbyte) = *(__u16 *) buf;
+ To
+ *((__u16 *) &oddbyte) = *(__u8 *) buf;
+ ----
+ *Bug Report:* Not possible to send maximal data size. (oliver dot stampfli at epfl dot ch)
+
+ One can not send packets with the maximal size of 65535 byte.
+ Patch attached to fix this problem : {patch_maxsize.diff}
+ ----
+ *Bug Report:* Too early auto-fragmentation (oliver dot stampfli at epfl dot ch)
+
+ The problem is that if someone wants to send packets with exactly the MTU size of an interface then
+ hping activates auto-fragmentation although it is not needed at this point. The effect is that
+ one cannot send MTU sized packets with the DF bit on.
+ After this patch hping will send packets with exactly the same packet size but it will no more
+ activate the auto-fragment mode too early and therefore one can send packets with MTU size that
+ still have the DF bit set.
+
+ diff -urb hping3s/sendip_handler.c hping3.work/sendip_handler.c
+ --- hping3s/sendip_handler.c 2003-09-01 02:22:06.000000000 +0200
+ +++ hping3.work/sendip_handler.c 2007-05-29 11:03:07.000000000 +0200
+ @@ -19,7 +19,7 @@
+ {
+ ip_optlen = ip_opt_build(ip_opt);
+
+ - if (!opt_fragment && (size+ip_optlen+20 >= h_if_mtu))
+ + if (!opt_fragment && (size+ip_optlen+20 > h_if_mtu))
+ {
+ /* auto-activate fragmentation */
+ virtual_mtu = h_if_mtu-20;
+
+ ----
*Bug Report:* hping2 and hping3 accepts ICMP error messages which are not meant for it. (oliver dot stampfli at epfl dot ch)
OS: any
...
Any discussion on this is appreciated... please write me an e-mail.
- ---
+ ----
Bug Report: hping2 uses 127.0.0.1 for its source IP for all packets. (erickson at netapp.com)
OS: 2.6.11-1.27_FC3smp
...
-> Libpcap 0.9.3
Error message:
error: net/bpf.h: No such file or directory
- In last version of libpcap, net/bpf.h has moved to pcap-bpf.h and this file is automatically
- included in pcap.h. So just not include it...
+ In last version of libpcap, net/bpf.h has been moved to pcap-bpf.h and it's automatically
+ included in pcap.h. So net/bpf.h shouldn't be included anymore...
Patch:
- `Um`... `what?` `^^^^`
-
--- hping3s/script.c.orig 2005-09-12 00:52:35.000000000 +0200
+++ hping3s/script.c 2005-09-12 00:53:00.000000000 +0200
@@ -24,7 +24,6 @@
...
hanfi
- -------------------------------------------------------------------------------
+ -------------------------------------
+
+ OpenSuSE 10.2 has problems compiling hping 3 with gcc 4.1.2 20061115 (prerelease) (SUSE Linux), tcl-8.4.14-11. Here are patches that worked for me.
+
+ *** Makefile-orig Wed Aug 22 10:40:02 2007
+ --- Makefile Wed Aug 22 10:40:17 2007
+ ***************
+ *** 50,56 ****
+ $(RANLIB) $@
+
+ hping3: byteorder.h $(OBJ)
+ ! $(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP) -ltcl -lm -lpthread
+ @echo
+ ./hping3 -v
+ @echo "use \`make strip' to strip hping3 binary"
+ --- 50,56 ----
+ $(RANLIB) $@
+
+ hping3: byteorder.h $(OBJ)
+ ! $(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP) -ltcl8.4 -lm -lpthread
+ @echo
+ ./hping3 -v
+ @echo "use \`make strip' to strip hping3 binary"
+ *** bytesex.h-orig Wed Aug 22 10:43:57 2007
+ --- bytesex.h Wed Aug 22 10:43:59 2007
+ ***************
+ *** 9,14 ****
+ --- 9,15 ----
+
+ #if defined(__i386__) \
+ || defined(__alpha__) \
+ + || defined(__x86_64) \
+ || (defined(__mips__) && (defined(MIPSEL) || defined (__MIPSEL__)))
+ #define BYTE_ORDER_LITTLE_ENDIAN
+ #elif defined(__mc68000__) \
+ *** libpcap_stuff.c-orig Wed Aug 22 10:38:06 2007
+ --- libpcap_stuff.c Wed Aug 22 10:38:26 2007
+ ***************
+ *** 17,23 ****
+ #include <stdlib.h>
+ #include <sys/ioctl.h>
+ #include <pcap.h>
+ ! #include <net/bpf.h>
+
+ #include "globals.h"
+
+ --- 17,23 ----
+ #include <stdlib.h>
+ #include <sys/ioctl.h>
+ #include <pcap.h>
+ ! #include <pcap-bpf.h>
+
+ #include "globals.h"
+
+ *** script.c-orig Wed Aug 22 10:38:46 2007
+ --- script.c Wed Aug 22 10:39:23 2007
+ ***************
+ *** 24,30 ****
+
+ #include <sys/ioctl.h>
+ #include <pcap.h>
+ ! #include <net/bpf.h>
+
+ #include "release.h"
+ #include "hping2.h"
+ --- 24,30 ----
+
+ #include <sys/ioctl.h>
+ #include <pcap.h>
+ ! #include <pcap-bpf.h>
+
+ #include "release.h"
+ #include "hping2.h"
+
+ -------------------------------------
+
The following is the old page content
|