hping wiki

Differences for page Open bugs

Current version compared with version Wed Aug 22 16:40:09 GMT 2007

...
  
  Please write the bug report in any case even if you have only some of this information.
  
+ -----------------------------------
+ ->OS Ubuntu 8.10
+ ->hping version 2.0.0-rc3, 3.0.0-alpha-2
+ ->gcc version 4.3.2 (Ubuntu 4.3.2-1ubuntu12)
  
+ A buffer overflow occurs when the options --scan and -t are used at the same time. In the listing below I used ttl 1 (there are two hops to the target 10.201.1.100), but the situation is the same for any ttl=target_ttl-1 and less. I also noticed that if I use one remote port to scan, sometimes the issue is not shown and I can see the normal output of hping. The situation is the same for both hping2 and hping3.
+ 
+ root@bt:~# traceroute -T 10.201.1.100
+  traceroute to 10.201.1.100 (10.201.1.100), 30 hops max, 40 byte packets
+  1  my.firewall (10.201.2.1)  5.406 ms  10.532 ms  15.561 ms
+  2  10.201.1.100 (10.201.1.100)  58.799 ms  60.190 ms  61.298 ms
+ 
+ root@bt:~# hping -S -p 80 10.201.1.100
+  HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
+  len=46 ip=10.201.1.100 ttl=127 DF id=20607 sport=80 flags=SA seq=0 win=65535 rtt=4.9 ms
+  len=46 ip=10.201.1.100 ttl=127 DF id=20610 sport=80 flags=SA seq=1 win=65535 rtt=4.9 ms
+  ^C
+  --- 10.201.1.100 hping statistic ---
+  2 packets transmitted, 2 packets received, 0% packet loss
+  round-trip min/avg/max = 4.9/4.9/4.9 ms
+ 
+ root@bt:~# hping -S -p 80 -t 1 10.201.1.100
+  HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
+  TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+  TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+  TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+  ^C
+  --- 10.201.1.100 hping statistic ---
+  3 packets transmitted, 3 packets received, 0% packet loss
+  round-trip min/avg/max = 0.0/0.0/0.0 ms
+ 
+ root@bt:~# hping -S --scan 80 -t 1 10.201.1.100
+  Scanning 10.201.1.100 (10.201.1.100), port 80
+  1 ports to scan, use -V to see all the replies
+  +----+-----------+---------+---+-----+-----+
+  |port| serv name |  flags  |ttl| id  | win |
+  +----+-----------+---------+---+-----+-----+
+  *** buffer overflow detected ***: hping terminated
+  ======= Backtrace: =========
+  /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f746d8]
+  /lib/tls/i686/cmov/libc.so.6[0xb7f72800]
+  hping[0x8050529]
+  hping[0x805100a]
+  hping[0x8049be8]
+  /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7e90685]
+  hping[0x8049461]
+  ======= Memory map: ========
+  08048000-08058000 r-xp 00000000 03:05 1058310    /usr/sbin/hping2
+  08058000-0805a000 rw-p 0000f000 03:05 1058310    /usr/sbin/hping2
+  0805a000-08060000 rw-p 00000000 00:00 0
+  080fb000-0811c000 rw-p 00000000 00:00 0          [heap]
+  b7d98000-b7da5000 r-xp 00000000 03:05 1038415    /lib/libgcc_s.so.1
+  b7da5000-b7da6000 r--p 0000c000 03:05 1038415    /lib/libgcc_s.so.1
+  b7da6000-b7da7000 rw-p 0000d000 03:05 1038415    /lib/libgcc_s.so.1
+  b7db9000-b7e7a000 rw-s 00000000 00:08 1736725    /SYSV00000000 (deleted)
+  b7e7a000-b7fd2000 r-xp 00000000 03:05 1048034    /lib/tls/i686/cmov/libc-2.8.90.so
+  b7fd2000-b7fd4000 r--p 00158000 03:05 1048034    /lib/tls/i686/cmov/libc-2.8.90.so
+  b7fd4000-b7fd5000 rw-p 0015a000 03:05 1048034    /lib/tls/i686/cmov/libc-2.8.90.so
+  b7fd5000-b7fd8000 rw-p 00000000 00:00 0
+  b7fea000-b7fec000 rw-p 00000000 00:00 0
+  b7fec000-b8006000 r-xp 00000000 03:05 1038373    /lib/ld-2.8.90.so
+  b8006000-b8007000 rw-p 00000000 00:00 0
+  b8007000-b8008000 r--p 0001a000 03:05 1038373    /lib/ld-2.8.90.so
+  b8008000-b8009000 rw-p 0001b000 03:05 1038373    /lib/ld-2.8.90.so
+  bf8fd000-bf912000 rw-p 00000000 00:00 0          [stack]
+  ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
+  Aborted
+  Not responding ports: (80 www)
+  All replies received. Done.
+ 
+ root@bt:~# hping -S --scan 80 10.201.1.100
+  Scanning 10.201.1.100 (10.201.1.100), port 80
+  1 ports to scan, use -V to see all the replies
+  +----+-----------+---------+---+-----+-----+
+  |port| serv name |  flags  |ttl| id  | win |
+  +----+-----------+---------+---+-----+-----+
+     80 www        : .S..A... 127 46672 65535
+  All replies received. Done.
+  Not responding ports:
+ 
+ ------------------------------------------------------------
+ 
+ 
  ----
+ *FIXME fixed:* The IP id issue for fragments can be resolved with this patch. 13.09.2007 (oliver dot stampfli @ epfl dot ch)
+ Index: sendip.c
+  ===================================================================
+  RCS file: /cvsroot/hping2/hping3s/sendip.c,v
+  retrieving revision 1.2
+  diff -r1.2 sendip.c
+  67c67,68
+  < 	else /* if you need fragmentation id must not be randomic */
+  ---
+  > 	else /* if you need fragmentation id must not be random but all fragments belonging to the
+  > 		  * the same IP packet must have the same id that is unique amongst other fragments. */
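Review bot: the replacement comment doubles the article across the two `>` lines (`belonging to the` / `the same IP packet`); drop one `the` when applying. It would also read better stated as the invariant the code below relies on, e.g. `all fragments of one IP packet must share an id, and that id must differ from the ids of the other packets in flight`.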
+  69,73c70,79
+  < 		/* FIXME: when frag. enabled sendip_handler shold inc. ip->id */
+  < 		/*        for every frame sent */
+  < 		ip->id		= (src_id == -1) ?
+  < 			htons(getpid() & 255) :
+  < 			htons((unsigned short) src_id);
+  ---
+  > 		if(src_id == -1)
+  > 		{
+  > 			__u16 b16_counter = (__u16)sent_pkt;
+  > 			__u16 b16_pid = getpid() & 0xff;
+  > 			ip->id = htons(b16_pid + b16_counter);
+  > 		}
+  > 		else
+  > 		{
+  > 			ip->id = htons((unsigned short) src_id);
+  > 		}
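Review bot: the new id is only correct if `sent_pkt` is incremented once per IP datagram rather than once per fragment, and the hunk does not show where `sent_pkt` is advanced; if the fragmentation path bumps it per frame, the fragments of one datagram get different ids and the receiver cannot reassemble them, which is the very case the removed FIXME described. Confirm the increment site and record that dependency in the comment. Two smaller points: `b16_pid` is masked to `0xff`, so the name overstates what it holds (only the low byte of the pid), and `b16_pid + b16_counter` wraps after 65536 packets, which is fine for a 16-bit id but deserves a one-line comment; and ids now advance by one per packet instead of staying fixed per process, a visible behaviour change for users of the default (`src_id == -1`) case that the page should mention.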
+ ----
+ *Bug Report:* Error in computation of checksums for odd packet size. 31.8.2007 (oliver dot stampfli @ epfl dot ch)
+ It is the same bug that was already discovered in the ars.c file but this one is in the cksum.c file:
+ Change line 22 of cksum.c.
+  *((__u16 *) &oddbyte) = *(__u16 *) buf;
+ To
+  *((__u16 *) &oddbyte) = *(__u8 *) buf;
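The defect in this report is the classic odd-length tail of the Internet checksum: reading the last byte as a 16-bit word pulls in one byte past the end of the buffer, so the checksum is wrong whenever that byte happens to be non-zero, and the read itself is out of bounds. The following is an added example, not hping's `cksum.c`: it implements the RFC 1071 checksum with the tail handled correctly (the odd byte written through a byte pointer into a zeroed word, which is the same on little- and big-endian hosts), models the over-reading variant on a constructed buffer where the byte after the data is an explicit sentinel so the read stays within a real array, and compares the two. The sample bytes, the sentinel and the function names are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Internet checksum (RFC 1071) with the odd trailing byte handled
 * correctly: the byte is padded with a zero byte, independent of host
 * byte order, by writing it through a byte pointer into a zeroed word. */
uint16_t in_cksum(const void *data, size_t nbytes)
{
    const uint8_t *p = data;
    uint32_t sum = 0;

    while (nbytes > 1) {
        uint16_t word;
        memcpy(&word, p, sizeof word);   /* host-order 16-bit word, alignment-safe */
        sum += word;
        p += 2;
        nbytes -= 2;
    }
    if (nbytes == 1) {
        uint16_t oddbyte = 0;
        *(uint8_t *)&oddbyte = *p;       /* pad the last byte with a zero byte */
        sum += oddbyte;
    }
    sum = (sum >> 16) + (sum & 0xffff);  /* fold the carries back in */
    sum += (sum >> 16);
    return (uint16_t)~sum;
}

/* Model of the defect in the bug report: the tail is read as a full
 * 16-bit word, so one byte past the end of the data is summed in.
 * The over-read is made explicit and safe here: the caller guarantees
 * that at least nbytes + 1 bytes are readable at data. */
uint16_t in_cksum_overread(const void *data, size_t nbytes)
{
    const uint8_t *p = data;
    uint32_t sum = 0;

    while (nbytes > 1) {
        uint16_t word;
        memcpy(&word, p, sizeof word);
        sum += word;
        p += 2;
        nbytes -= 2;
    }
    if (nbytes == 1) {
        uint16_t oddbyte;
        memcpy(&oddbyte, p, sizeof oddbyte);  /* reads p[0] and p[1]; p[1] is past the data */
        sum += oddbyte;
    }
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    return (uint16_t)~sum;
}

/* Return the checksum as it appears on the wire (first byte high), so the
 * value is the same whatever the host byte order. */
uint16_t cksum_wire(uint16_t ck)
{
    uint8_t b[2];
    memcpy(b, &ck, sizeof b);
    return (uint16_t)((b[0] << 8) | b[1]);
}

/* Constructed 5-byte (odd-length) sample followed by a sentinel byte that
 * stands in for whatever happens to follow the buffer in memory. */
static size_t make_sample(uint8_t sentinel, uint8_t out[8])
{
    static const uint8_t sample[5] = { 0x45, 0x00, 0x00, 0x1c, 0xab };
    memset(out, 0, 8);
    memcpy(out, sample, sizeof sample);
    out[sizeof sample] = sentinel;
    return sizeof sample;
}

uint16_t demo_correct(uint8_t sentinel)
{
    uint8_t buf[8];
    size_t n = make_sample(sentinel, buf);
    return cksum_wire(in_cksum(buf, n));
}

uint16_t demo_overread(uint8_t sentinel)
{
    uint8_t buf[8];
    size_t n = make_sample(sentinel, buf);
    return cksum_wire(in_cksum_overread(buf, n));
}

int main(void)
{
    printf("correct  (byte after data = ff): %04x\n", demo_correct(0xff));
    printf("overread (byte after data = ff): %04x\n", demo_overread(0xff));
    printf("overread (byte after data = 00): %04x\n", demo_overread(0x00));
    return 0;
}
```

The over-reading variant agrees with the correct one only when the byte that happens to follow the buffer is zero, which is why the bug shows up intermittently rather than on every odd-sized packet; in a real program that byte is also outside the object, so FORTIFY or a bounds checker is the way to catch it rather than waiting for a bad checksum.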
+ ----
  *Bug Report:* Not possible to send maximal data size. (oliver dot stampfli at epfl dot ch)
  
  One cannot send packets with the maximal size of 65535 bytes.
...
