Ok...ran into a nasty problem as follows:
Assuming a nasl code snippet meant to read a web page
that looks roughly like this:
soc = open_sock_tcp(port);
if(soc)
{
  # build and send a GET request for the document root
  buf = string("/");
  buf = http_get(item:buf, port:port);
  send(socket:soc, data:buf);
  # expected to return the whole response (header + body)
  r = recv(socket:soc, length:8192);
  close(soc);
}
and testing a web server where the header and body of the
response are separated by a 2 second delay, we noted that
recv() will never get the body of the message.
Digging into the guts via strace on the nasl process
running the test revealed something interesting:
brk(0x80ec000) = 0x80ec000
select(4, [3], NULL, NULL, {15, 0}) = 1 (in [3], left {13, 990000})
recv(3, "HTTP/1.1 200 OK\nServer: Apache/1"..., 8192, 0) = 293
select(4, [3], NULL, NULL, {1, 0}) = 0 (Timeout)
The first select is clearly a pause for 15 seconds (the requisite
configured timeout), and then the recv() returns the http header.
The next select, however, has set the timeout to 1 second.
This is wrong, and means that any time there is a 1 second hiccup
in the data stream, the recv() command will not function as
expected. Some quick code digging reveals the offending code
is located in network.c/read_stream_connection, where it
assumes that once SOME data has been read, that there will never
be more than one second between subsequent data packets.
Isn't this rather dangerous? Any time there is a greater than
one second hiccup in the data stream, recv() will fail to return
the full dataset. And since recv() is used almost everywhere,
it means that many nasl scripts run the risk of missing legitimate
vulnerabilities when tests are conducted over either non-responsive
links, or where the remote web server may serve content out in
bits and pieces.
I'd recommend that as a patch the 1 second delay be at least set
to 3-5 seconds or so, or that a slightly more comprehensive
solution use simple calls to time() to determine elapsed time
and to set the remaining time, instead of to 1, the greater of
1 or the remaining time left...
Thomas
-
[EMAIL PROTECTED]: general discussions about Nessus.
* To unsubscribe, send a mail to [EMAIL PROTECTED] with
"unsubscribe nessus" in the body.
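The two read loops the post contrasts, as an added example written for this page; it is not code from Nessus's network.c or from the poster. Both loops share one function: with track_deadline set to 0 it reproduces the behaviour visible in the strace (after the first chunk, every further select() waits a fixed 1 second), and with track_deadline set to 1 it implements the suggested fix (note the time the read started, and wait the greater of 1 second or the time left until the configured timeout). The "slow web server" is a constructed stand-in: a forked child on a socketpair that writes a header, sleeps 2 seconds, then writes the body. The names read_stream, fetch_split_response, kHeader and kBody are assumptions made here.

```c
/* Added example, not code from Nessus or from the post. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Read until EOF, a full buffer, or a select() timeout.
 * track_deadline == 0: after the first data, wait a fixed 1 s (the bug).
 * track_deadline == 1: after the first data, wait max(1, time left). */
static ssize_t read_stream(int fd, char *buf, size_t len, int timeout_secs,
                           int track_deadline)
{
    time_t deadline = time(NULL) + timeout_secs;
    size_t total = 0;

    while (total < len) {
        long wait;
        if (total == 0) {
            /* nothing yet: wait for the whole configured timeout */
            wait = (long)(deadline - time(NULL));
            if (wait <= 0) return 0;
        } else if (track_deadline) {
            /* data has started: the greater of 1 s or the remaining time */
            long remaining = (long)(deadline - time(NULL));
            wait = remaining > 1 ? remaining : 1;
        } else {
            wait = 1;   /* the hard-coded inter-packet wait seen in strace */
        }

        fd_set rfds;
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        struct timeval tv;
        tv.tv_sec = wait;
        tv.tv_usec = 0;
        int ready = select(fd + 1, &rfds, NULL, NULL, &tv);
        if (ready < 0 && errno == EINTR) continue;
        if (ready <= 0) break;          /* timeout or error: return what we have */

        ssize_t n = recv(fd, buf + total, len - total, 0);
        if (n <= 0) break;              /* EOF or error */
        total += (size_t)n;
    }
    return (ssize_t)total;
}

/* Constructed sample response: header and body are sent gap_secs apart. */
static const char kHeader[] =
    "HTTP/1.0 200 OK\r\nServer: example\r\nContent-Length: 12\r\n\r\n";
static const char kBody[] = "hello world\n";

/* Play the slow server in a child process and read its reply in the parent.
 * Returns the number of bytes the chosen read loop managed to collect. */
static ssize_t fetch_split_response(int track_deadline, int gap_secs,
                                    int timeout_secs, char *out, size_t len)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                     /* child: the slow web server */
        close(sv[0]);
        if (write(sv[1], kHeader, strlen(kHeader)) < 0) _exit(1);
        sleep((unsigned)gap_secs);      /* the gap between header and body */
        if (write(sv[1], kBody, strlen(kBody)) < 0) _exit(1);
        close(sv[1]);
        _exit(0);
    }
    close(sv[1]);
    ssize_t n = read_stream(sv[0], out, len, timeout_secs, track_deadline);
    waitpid(pid, NULL, 0);              /* let the server finish before closing */
    close(sv[0]);
    if (n >= 0) out[n] = '\0';
    return n;
}

int main(void)
{
    char buf[512];
    ssize_t n = fetch_split_response(0, 2, 15, buf, sizeof buf - 1);
    printf("fixed 1 s idle wait:  %zd bytes (header only)\n", n);
    n = fetch_split_response(1, 2, 15, buf, sizeof buf - 1);
    printf("deadline-based wait:  %zd bytes (header + body)\n", n);
    return 0;
}
```

With a 2 second gap the fixed loop returns only the header, exactly the truncation the post describes, while the deadline-based loop collects the body as well and stops as soon as the server closes the connection. The deadline still bounds the wait, so a slow or stalled server cannot hold the scanner longer than the configured timeout plus one second.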