Differences for page Open bugsCurrent version compared with version Thu Sep 13 08:30:36 GMT 2007...
Please write the bug report in any case even if you have only some of this information.
+ -----------------------------------
+ ->OS Ubuntu 8.10
+ ->hping version 2.0.0-rc3, 3.0.0-alpha-2
+ ->gcc version 4.3.2 (Ubuntu 4.3.2-1ubuntu12
+ Buffer overflow is in place when options --scan and -t uses at the same time. At the list below I used ttl 1 (there are two hops to the target 10.201.1.100). But situation is the same for any ttl=target_ttl-1 and less. Also I mentioned that if I use one remote port to scan sometimes issue not shown and I can see the normal output of hping. Situation is the same both for hping2 and hping3.
+
+ root@bt:~# traceroute -T 10.201.1.100
+ traceroute to 10.201.1.100 (10.201.1.100), 30 hops max, 40 byte packets
+ 1 my.firewall (10.201.2.1) 5.406 ms 10.532 ms 15.561 ms
+ 2 10.201.1.100 (10.201.1.100) 58.799 ms 60.190 ms 61.298 ms
+
+ root@bt:~# hping -S -p 80 10.201.1.100
+ HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
+ len=46 ip=10.201.1.100 ttl=127 DF id=20607 sport=80 flags=SA seq=0 win=65535 rtt=4.9 ms
+ len=46 ip=10.201.1.100 ttl=127 DF id=20610 sport=80 flags=SA seq=1 win=65535 rtt=4.9 ms
+ ^C
+ --- 10.201.1.100 hping statistic ---
+ 2 packets transmitted, 2 packets received, 0% packet loss
+ round-trip min/avg/max = 4.9/4.9/4.9 ms
+
+ root@bt:~# hping -S -p 80 -t 1 10.201.1.100
+ HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
+ TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+ TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+ TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+ ^C
+ --- 10.201.1.100 hping statistic ---
+ 3 packets transmitted, 3 packets received, 0% packet loss
+ round-trip min/avg/max = 0.0/0.0/0.0 ms
+
+ root@bt:~# hping -S --scan 80 -t 1 10.201.1.100
+ Scanning 10.201.1.100 (10.201.1.100), port 80
+ 1 ports to scan, use -V to see all the replies
+ +----+-----------+---------+---+-----+-----+
+ |port| serv name | flags |ttl| id | win |
+ +----+-----------+---------+---+-----+-----+
+ *** buffer overflow detected ***: hping terminated
+ ======= Backtrace: =========
+ /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f746d8]
+ /lib/tls/i686/cmov/libc.so.6[0xb7f72800]
+ hping[0x8050529]
+ hping[0x805100a]
+ hping[0x8049be8]
+ /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7e90685]
+ hping[0x8049461]
+ ======= Memory map: ========
+ 08048000-08058000 r-xp 00000000 03:05 1058310 /usr/sbin/hping2
+ 08058000-0805a000 rw-p 0000f000 03:05 1058310 /usr/sbin/hping2
+ 0805a000-08060000 rw-p 00000000 00:00 0
+ 080fb000-0811c000 rw-p 00000000 00:00 0 [heap]
+ b7d98000-b7da5000 r-xp 00000000 03:05 1038415 /lib/libgcc_s.so.1
+ b7da5000-b7da6000 r--p 0000c000 03:05 1038415 /lib/libgcc_s.so.1
+ b7da6000-b7da7000 rw-p 0000d000 03:05 1038415 /lib/libgcc_s.so.1
+ b7db9000-b7e7a000 rw-s 00000000 00:08 1736725 /SYSV00000000 (deleted)
+ b7e7a000-b7fd2000 r-xp 00000000 03:05 1048034 /lib/tls/i686/cmov/libc-2.8.90.so
+ b7fd2000-b7fd4000 r--p 00158000 03:05 1048034 /lib/tls/i686/cmov/libc-2.8.90.so
+ b7fd4000-b7fd5000 rw-p 0015a000 03:05 1048034 /lib/tls/i686/cmov/libc-2.8.90.so
+ b7fd5000-b7fd8000 rw-p 00000000 00:00 0
+ b7fea000-b7fec000 rw-p 00000000 00:00 0
+ b7fec000-b8006000 r-xp 00000000 03:05 1038373 /lib/ld-2.8.90.so
+ b8006000-b8007000 rw-p 00000000 00:00 0
+ b8007000-b8008000 r--p 0001a000 03:05 1038373 /lib/ld-2.8.90.so
+ b8008000-b8009000 rw-p 0001b000 03:05 1038373 /lib/ld-2.8.90.so
+ bf8fd000-bf912000 rw-p 00000000 00:00 0 [stack]
+ ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]
+ Aborted
+ Not responding ports: (80 www)
+ All replies received. Done.
+
+ root@bt:~# hping -S --scan 80 10.201.1.100
+ Scanning 10.201.1.100 (10.201.1.100), port 80
+ 1 ports to scan, use -V to see all the replies
+ +----+-----------+---------+---+-----+-----+
+ |port| serv name | flags |ttl| id | win |
+ +----+-----------+---------+---+-----+-----+
+ 80 www : .S..A... 127 46672 65535
+ All replies received. Done.
+ Not responding ports:
+
+ ------------------------------------------------------------
+
+
----
*FIXME fixed:* The IP id issue for fragments can be resolved with this path. 13.09.2007 (oliver dot stampfli @ epfl dot ch)
Index: sendip.c
...
The following is the old page content
|