From 311c2c3065faf78a8e742057201a35a0e62d1b99 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Wed, 1 Apr 2015 19:52:52 +0000
Subject: [PATCH] Fix a crash due to ICMP type 3 code 2 received during service scan
---
 CHANGELOG | 5 +++++
 service_scan.cc | 19 +++++++++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/CHANGELOG b/CHANGELOG
index d93ca96d3..906e5ec87 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,10 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o Handle a bunch of socket errors that can result from odd ICMP Type 3
+ Destination Unreachable messages received during service scanning. The crash
+ reported was "Unexpected error in NSE_TYPE_READ callback. Error code: 92
+ (Protocol not available)" [Daniel Miller]
+
 o Fixed a crash (NULL pointer dereference) in PortList::isTCPwrapped when using
 -sV and -O on an unknown service not listed in nmap-services. [Pierre Lalet]
diff --git a/service_scan.cc b/service_scan.cc
index 049bc4813..4d261a6ad 100644
--- a/service_scan.cc
+++ b/service_scan.cc
@@ -2507,12 +2507,31 @@ static void servicescan_read_handler(nsock_pool nsp, nsock_event nse, void *myda
 startNextProbe(nsp, nsi, SG, svc, true);
 }
 break;
+#ifdef EHOSTDOWN
+ case EHOSTDOWN: // ICMP_HOST_UNKNOWN
+#endif
+#ifdef ENONET
+ case ENONET: // ICMP_HOST_ISOLATED
+#endif
+ /* EHOSTDOWN and ENONET can be the result of forged ICMP responses.
+ * We should probably give up on this port.
+ */
 case ENETUNREACH:
 case EHOSTUNREACH:
 // That is funny. The port scanner listed the port as open. Maybe it got unplugged, or firewalled us, or did
 // something else nasty during the scan. Shrug. I'll give up on this port
 end_svcprobe(nsp, PROBESTATE_INCOMPLETE, SG, svc, nsi);
 break;
+#ifdef ENOPROTOOPT
+ case ENOPROTOOPT: // ICMP_PROT_UNREACH
+#endif
+ case EMSGSIZE: // ICMP_FRAG_NEEDED
+ case EOPNOTSUPP: // ICMP_SR_FAILED
+ /* EPROTOOPT has been reported in the wild. EMSGSIZE and EOPNOTSUPP are theoretically
+ * possible responses due to forged ICMP responses.
+ * These seem packet-specific, not a result of the host shutting us out completely.
+ * We'll try some other probes.
+ */
 #ifndef WIN32
 case EPIPE: