Nsock: engine_iocp cannot handle PCAP read events, may have other structural problems #2126

@dmiller-nmap

Description

The IOCP Nsock engine for Windows appears to have some problems. We need to go over it carefully and figure out whether everything is correct. First indication was an assertion failure.

Describe the current behavior
Easy reproduction on Windows:

```
> nping google.com --nsock-engine iocp -dddddddd
Trying to initialize Windows pcap engine
npcap service is already running.
wpcap.dll present, library version: Npcap version 0.9997, based on libpcap version 1.9.1
Nping will send packets at raw ethernet level

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2020-09-18 18:26 Central Daylight Time
Resolving specified targets...
Determining target 172.217.6.14 MAC address or next hop MAC address...
    > Checking system's ARP cache...
    > Success: Entry found [XX:XX:XX:a2:a2:78]
+-----------------TARGET-----------------+
Device Name:            eth0
Device FullName:        eth0
Device Type:            Ethernet
Directly connected?:    no
Address family:         AF_INET
Resolved Hostname:
Supplied Hostname:      google.com
Target Address:         172.217.6.14
Source Address:         192.168.80.10
Next Hop Address:       192.168.80.1
Target MAC Address:     00:00:00:00:00:00
Source MAC Address:     80:ee:73:f8:f8:48
Next Hop MAC Address:   a0:04:60:a2:a2:78
1 target IP address determined.
libnsock nsock_set_loglevel(): Set log level to FULL DEBUG
libnsock nsock_iod_new2(): nsock_iod_new (IOD #1)
Next target returned by getNextTarget(): Targets[0/1] --> 172.217.6.14

BPF-filter: (not src host 192.168.80.10 and dst host 192.168.80.10) and ((icmp and icmp[icmptype] = 0) or (icmp and (icmp[icmptype] = 3 or icmp[icmptype] = 4 or icmp[icmptype] = 5 or icmp[icmptype] = 11 or icmp[icmptype] = 12)) )
Opening pcap device eth0
libnsock nsock_pcap_open(): PCAP requested on device '\Device\NPF_{CEA181E4-93AB-4FA8-BCDD-F72B397FD50A}' with berkeley filter '(not src host 192.168.80.10 and dst host 192.168.80.10) and ((icmp and icmp[icmptype] = 0) or (icmp and (icmp[icmptype] = 3 or icmp[icmptype] = 4 or icmp[icmptype] = 5 or icmp[icmptype] = 11 or icmp[icmptype] = 12)) )' (promisc=0 snaplen=8192 to_ms=1) (IOD #1)
libnsock nsock_pcap_open(): PCAP created successfully on device '\Device\NPF_{CEA181E4-93AB-4FA8-BCDD-F72B397FD50A}' (pcap_desc=-1 bsd_hack=0 to_valid=0 l3_offset=14) (IOD #1)
Pcap device eth0 open successfully
Next target returned by getNextTarget(): Targets[0/1] --> 172.217.6.14

fillPacket(target=015B2D30, port=0, buff=012EFB8C, bufflen=65535, filledlen=012E8B6C rawfd=-1)
fillPacketICMP(target=015B2D30, buff=012EFB9A, bufflen=65521, filledlen=012E8AF4)
libnsock event_new(): event_new (IOD #1) (EID #13)
libnsock nsock_pcap_read_packet(): Pcap read request from IOD #1  EID 13
libnsock nsock_pool_add_event(): NSE #13: Adding event (timeout in 1000ms)
libnsock nsock_pool_add_event(): PCAP NSE #13: Adding event to PCAP_READ_EVENTS
libnsock event_new(): event_new (IOD #1) (EID #21)
libnsock nsock_pcap_read_packet(): Pcap read request from IOD #1  EID 21
libnsock nsock_pool_add_event(): NSE #21: Adding event (timeout in 1000ms)
libnsock nsock_pool_add_event(): PCAP NSE #21: Adding event to PCAP_READ_EVENTS
libnsock event_new(): event_new (IOD #NULL) (EID #28)
libnsock nsock_timer_create(): Timer created - 1ms from now.  EID 28
libnsock nsock_pool_add_event(): NSE #28: Adding event (timeout in 1ms)
libnsock nsock_loop(): nsock_loop() started (timeout=2ms). 3 events pending
libnsock iocp_loop(): wait for events
libnsock do_actual_pcap_read(): PCAP do_actual_pcap_read TEST (IOD #1) (EID #21)
libnsock do_actual_pcap_read(): PCAP do_actual_pcap_read TEST (IOD #1) (EID #13)
libnsock process_event(): Processing event 28 (timeout in -14ms, done=0)
libnsock process_event(): NSE #28: Sending event
libnsock nsock_trace_handler_callback(): Callback: TIMER SUCCESS for EID 28
nping_event_handler()
nping_event_handler(): Received callback of type TIMER with status SUCCESS
SENT (0.2650s) ICMP [192.168.80.10 > 172.217.6.14 Echo request (type=8/code=0) id=22655 seq=1] IP [ver=4 ihl=5 tos=0x00 iplen=28 id=52976 foff=0 ttl=64 proto=1 csum=0xe856]
0000   a0 04 60 e1 a2 78 80 ee  73 53 f8 48 08 00 45 00  ..`..x..sS.H..E.
0010   00 1c ce f0 00 00 40 01  e8 56 c0 a8 50 0a ac d9  ......@..V..P...
0020   06 0e 08 00 9f 7f 58 7f  00 01                    ......X...
libnsock event_delete(): event_delete (IOD #NULL) (EID #28)
Next target returned by getNextTarget(): Targets[0/1] --> 172.217.6.14

fillPacket(target=015B2D30, port=0, buff=012EFB8C, bufflen=65535, filledlen=012E8B6C rawfd=-1)
fillPacketICMP(target=015B2D30, buff=012EFB9A, bufflen=65521, filledlen=012E8AF4)
libnsock event_new(): event_new (IOD #1) (EID #37)
libnsock nsock_pcap_read_packet(): Pcap read request from IOD #1  EID 37
libnsock nsock_pool_add_event(): NSE #37: Adding event (timeout in 1000ms)
libnsock nsock_pool_add_event(): PCAP NSE #37: Adding event to PCAP_READ_EVENTS
libnsock event_new(): event_new (IOD #1) (EID #45)
libnsock nsock_pcap_read_packet(): Pcap read request from IOD #1  EID 45
libnsock nsock_pool_add_event(): NSE #45: Adding event (timeout in 1000ms)
libnsock nsock_pool_add_event(): PCAP NSE #45: Adding event to PCAP_READ_EVENTS
libnsock event_new(): event_new (IOD #NULL) (EID #52)
libnsock nsock_timer_create(): Timer created - 1000ms from now.  EID 52
libnsock nsock_pool_add_event(): NSE #52: Adding event (timeout in 1000ms)
libnsock nsock_loop(): nsock_loop() started (timeout=1001ms). 5 events pending
libnsock iocp_loop(): wait for events
libnsock do_actual_pcap_read(): PCAP do_actual_pcap_read TEST (IOD #1) (EID #45)
libnsock do_actual_pcap_read(): PCAP do_actual_pcap_read TEST (IOD #1) (EID #37)
libnsock do_actual_pcap_read(): PCAP do_actual_pcap_read TEST (IOD #1) (EID #21)
libnsock do_actual_pcap_read(): PCAP do_actual_pcap_read TEST (IOD #1) (EID #13)
libnsock iocp_loop(): wait for events
libnsock do_actual_pcap_read(): PCAP do_actual_pcap_read TEST (IOD #1) (EID #45)
libnsock do_actual_pcap_read(): PCAP do_actual_pcap_read READ (IOD #1) (EID #45) size=60
libnsock iocp_loop(): wait for events
libnsock do_actual_pcap_read(): PCAP do_actual_pcap_read TEST (IOD #1) (EID #45)
Assertion failed: fs_length(&(nse->iobuf)) == 0, file src\nsock_pcap.c, line 418
```

Example of a bad area of code: iocp_loop() calls pcap_read_on_nonselect() to check if there's any available PCAP data, and if not, it's supposed to do the appropriate IOCP stuff to get any other events, but the else is dangling. The engine_select.c code where this appears to be copied from has the subsequent code indented in a { block }.

Furthermore, the function iterate_through_event_lists() does not appear to do anything related to PCAP. It should probably call handle_pcap_read_result() either directly or via process_iod_events().
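The sequence visible at the end of the log (EID 45 is READ with size=60 in one pass, then polled again on the next pass before anything delivered that frame) can be reproduced in a small model. The following is an added example, not nsock's code or anything from the Nmap project: a minimal C event loop in which each pcap-style read event owns a buffer, a non-blocking read refuses to overwrite a buffer that still holds an undelivered frame (standing in for the assertion on fs_length(&nse->iobuf) in nsock_pcap.c), and a flag selects whether the loop dispatches completed reads, standing in for an iterate_through_event_lists() that does or does not call handle_pcap_read_result(). All struct and function names, and the constructed frame sizes, are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define IOBUF_SIZE 128

/* Hypothetical pcap read event: a request that owns its own input buffer,
 * an analogue of an nsock event sitting on PCAP_READ_EVENTS. */
struct pcap_event {
    int eid;
    size_t iobuf_len;              /* analogue of fs_length(&nse->iobuf) */
    unsigned char iobuf[IOBUF_SIZE];
    int delivered;                 /* frames handed to the owner so far */
};

/* Constructed packet source: a fixed queue of frame sizes, one per poll. */
struct pcap_source {
    const size_t *sizes;
    size_t count, next;
};

/* Non-blocking read in the spirit of do_actual_pcap_read(): returns 1 if a
 * frame was read into the event's buffer, 0 if nothing was available, and
 * -1 if the buffer still held an undelivered frame. In nsock that last case
 * is the assertion from the log; here it is reported as a value instead. */
static int pcap_read_into(struct pcap_event *ev, struct pcap_source *src) {
    if (ev->iobuf_len != 0)
        return -1;
    if (src->next >= src->count)
        return 0;
    ev->iobuf_len = src->sizes[src->next++];
    memset(ev->iobuf, 0xAB, ev->iobuf_len);   /* constructed frame payload */
    return 1;
}

/* Analogue of handle_pcap_read_result(): hand the frame to the owner and
 * empty the buffer so the event can be polled again safely. */
static void deliver(struct pcap_event *ev) {
    if (ev->iobuf_len == 0)
        return;
    ev->delivered++;
    ev->iobuf_len = 0;
}

/* Run `iterations` passes over every event. With dispatch == 0 the loop
 * polls but never delivers, modelling an event-list walk that ignores PCAP
 * events. Returns the pass on which a poll found a non-empty buffer, or
 * `iterations` if every pass completed cleanly. */
static int run_loop(struct pcap_event *evs, int nevs, struct pcap_source *src,
                    int iterations, int dispatch) {
    for (int pass = 0; pass < iterations; pass++) {
        for (int i = 0; i < nevs; i++) {
            if (pcap_read_into(&evs[i], src) < 0)
                return pass;
        }
        if (dispatch) {
            for (int i = 0; i < nevs; i++)
                deliver(&evs[i]);
        }
    }
    return iterations;
}

/* Scenario from the log: two outstanding read events, frames keep arriving,
 * completed reads are never dispatched. Returns the pass that tripped. */
int scenario_without_dispatch(void) {
    static const size_t sizes[] = {60, 60, 60, 60};   /* constructed */
    struct pcap_source src = {sizes, 4, 0};
    struct pcap_event evs[2] = {{13, 0, {0}, 0}, {45, 0, {0}, 0}};
    return run_loop(evs, 2, &src, 3, 0);
}

/* Same traffic, but completed reads are delivered each pass. */
int scenario_with_dispatch_passes(void) {
    static const size_t sizes[] = {60, 60, 60, 60};   /* constructed */
    struct pcap_source src = {sizes, 4, 0};
    struct pcap_event evs[2] = {{13, 0, {0}, 0}, {45, 0, {0}, 0}};
    return run_loop(evs, 2, &src, 3, 1);
}

/* Frames delivered to the owners in the dispatching scenario. */
int scenario_with_dispatch_delivered(void) {
    static const size_t sizes[] = {60, 60, 60, 60};   /* constructed */
    struct pcap_source src = {sizes, 4, 0};
    struct pcap_event evs[2] = {{13, 0, {0}, 0}, {45, 0, {0}, 0}};
    run_loop(evs, 2, &src, 3, 1);
    return evs[0].delivered + evs[1].delivered;
}

int main(void) {
    printf("no dispatch: buffer check trips on pass %d\n",
           scenario_without_dispatch());
    printf("dispatch: %d passes clean, %d frames delivered\n",
           scenario_with_dispatch_passes(), scenario_with_dispatch_delivered());
    return 0;
}
```

Without dispatch the second pass re-polls an event whose buffer still holds the frame from the first pass, which is exactly the state the nsock assertion rejects; with a delivery step between polls every pass completes and every frame reaches its owner.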
