occasionally panic when running host discovery concurrently #1125

Open
iuliu8899 opened this issue Jun 24, 2024 · 16 comments · May be fixed by #1233
Labels: Type: Bug (Inconsistencies or issues which will cause an issue or problem for users or implementors), Type: Investigation

Comments

@iuliu8899

Naabu version: v2.3.1

Current Behavior:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x104608420]

goroutine 36 [running]:
net.(*IPConn).WriteTo(0x0, {0x1400126c150, 0x18, 0x18}, {0x105ed7960, 0x14000676b70})
	/Users/qq/go/pkg/mod/golang.org/[email protected]/src/net/iprawsock.go:171 +0x40
github.com/projectdiscovery/naabu/v2/pkg/scan.sendWithConn({0x1400128a8c0, 0xe}, {0x105ee2a90, 0x0}, {0x14001007928, 0x1, 0x1})
	/Users/xx/go/pkg/mod/github.com/projectdiscovery/naabu/[email protected]/pkg/scan/scan_unix.go:455 +0x1d0
github.com/projectdiscovery/naabu/v2/pkg/scan.sendAsyncTCP4(0x14000324be0, {0x1400128a8c0, 0xe}, 0x1400134d170, 0x0)
	/Users/xx/go/pkg/mod/github.com/projectdiscovery/naabu/[email protected]/pkg/scan/scan_unix.go:245 +0xfe0
github.com/projectdiscovery/naabu/v2/pkg/scan.SendAsyncPkg(0x14000324be0, {0x1400128a8c0, 0xe}, 0x1400134d170, 0x0)
	/Users/xx/go/pkg/mod/github.com/projectdiscovery/naabu/[email protected]/pkg/scan/scan_unix.go:164 +0x1bc
github.com/projectdiscovery/naabu/v2/pkg/scan.TransportWriteWorker()
	/Users/xx/go/pkg/mod/github.com/projectdiscovery/naabu/[email protected]/pkg/scan/scan_unix.go:152 +0xa8
created by github.com/projectdiscovery/naabu/v2/pkg/scan.init.3 in goroutine 1
	/Users/xx/go/pkg/mod/github.com/projectdiscovery/naabu/[email protected]/pkg/scan/scan_unix.go:119 +0x1504

Debugger finished with the exit code 0

Expected Behavior:

Steps To Reproduce:

package test

import (
	"context"
	"sync"
	"testing"

	"github.com/projectdiscovery/mapcidr"
	"github.com/projectdiscovery/naabu/v2/pkg/result"
	"github.com/projectdiscovery/naabu/v2/pkg/runner"
	"github.com/samber/lo"
)

// Runs several naabu host-discovery runners in parallel, five hosts each.
func TestAliveScanIpConcurrently(t *testing.T) {
	var wg sync.WaitGroup
	ips := make([]string, 0)
	cidr := "192.168.110.32/28"
	if ipStream, err := mapcidr.IPAddressesAsStream(cidr); err == nil {
		for ip := range ipStream {
			ips = append(ips, ip)
		}
	} else {
		t.Error(err)
	}
	aliveIp := make([]string, 0)
	lock := sync.Mutex{}
	for _, ck := range lo.Chunk(ips, 5) {
		wg.Add(1)
		ck := ck
		go func() {
			defer wg.Done()
			res := IpAliveScan(ck)
			lock.Lock()
			defer lock.Unlock()
			aliveIp = append(aliveIp, lo.Intersect(ck, res)...)
			//t.Log(res)
		}()
	}
	wg.Wait()
	t.Log(aliveIp)
}


func IpAliveScan(hosts []string) []string {
	var res []string
	var resultLock sync.Mutex
	options := runner.Options{
		Host:              hosts,
		ScanType:          runner.SynScan,
		OnlyHostDiscovery: true,
		OnResult: func(hr *result.HostResult) {
			resultLock.Lock()
			defer resultLock.Unlock()
			res = append(res, hr.Host)
		},
		DisableUpdateCheck: true,
		Retries: runner.DefaultRetriesSynScan,
		Rate:                        runner.DefaultRateSynScan,
		Threads:                     25,
		Timeout:                     runner.DefaultPortTimeoutSynScan,
		WarmUpTime:                  2,
		IcmpEchoRequestProbe:        true,
		IcmpAddressMaskRequestProbe: true,
		IcmpTimestampRequestProbe:   true,
		ArpPing:                     true,
		TcpAckPingProbes:            []string{"80", "443", "8080", "8443"},
		TcpSynPingProbes:            []string{"80", "443", "8080", "8443"},
	}

	naabuRunner, err := runner.NewRunner(&options)
	if err != nil {
		return nil
	}
	defer naabuRunner.Close()

	err = naabuRunner.RunEnumeration(context.Background())
	if err != nil {
		return nil
	}
	return res
}

Anything else:

It is easily reproduced by using a larger CIDR range.

@iuliu8899 iuliu8899 added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Jun 24, 2024
@dogancanbakir dogancanbakir self-assigned this Jun 25, 2024
@dogancanbakir (Member)

I couldn't repro the issue - used the dev branch for testing.

@iuliu8899 (Author)

I couldn't repro the issue - used the dev branch for testing.

... I don't know why, but I reproduced it in the dev branch as well.

Here is the path when the panic occurred:

  1. log "syn scan is not possible, falling back to connect scan" (scan.go, line: 173)
  2. change scan type to "c", then acquire handler again
  3. call NewListenHandler() at scan_common.go, line: 51
  4. NewListenHandler does not init TcpConn4 chan
  5. sendWithConn(ip, listenHandler.TcpConn4, &tcp) called at scan_unix.go, line: 245
  6. conn.WriteTo(buf.Bytes(), &net.IPAddr{IP: net.ParseIP(destIP)}) called at scan_unix.go, line: 455
  7. panic at !c.ok() at go/src/net/iprawsock.go, line: 171

I don't know why it panics, since c.ok() checks for a nil pointer... but it happens.

My device is an Apple M1 Pro, macOS 14.5, go version go1.21.8 darwin/arm64.
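The seven-step path above leaves one question open: why c.ok() did not catch the nil pointer. The reason is in how the method is reached. ok is defined on the unexported conn type that net.IPConn embeds by value, so c.ok() on a nil *net.IPConn is really (&c.conn).ok(), and computing &c.conn dereferences c before ok's own `c != nil` test ever runs. The Go program below is an added example for this thread, not code from naabu or from Go's net package; it reproduces the mechanism with a toy embedded type, then with net.IPConn itself. The type names inner/outer, the function names and the 192.0.2.1 destination are illustrative.

```go
package main

import (
	"fmt"
	"net"
)

// inner mirrors the shape of net's embedded conn type: the nil check lives in
// a method on the embedded value. (Illustration only; not net's code.)
type inner struct{ fd *int }

// ok guards against a nil *inner, exactly like net's (*conn).ok.
func (c *inner) ok() bool { return c != nil && c.fd != nil }

// outer mirrors net.IPConn: it embeds inner by value, so ok is promoted.
type outer struct{ inner }

// recovers reports whether fn panics.
func recovers(fn func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

// PromotedNilCheckPanics: o.ok() on a nil *outer is (&o.inner).ok(), and
// taking &o.inner dereferences o, so the nil check inside ok never runs.
func PromotedNilCheckPanics() bool {
	var o *outer
	return recovers(func() { _ = o.ok() })
}

// NilIPConnWriteToPanics: the same thing with the real type. A nil receiver
// enters (*IPConn).WriteTo fine and dies at its first line, the c.ok() call,
// which is the iprawsock.go:171 frame in the traces above.
func NilIPConnWriteToPanics() bool {
	var c *net.IPConn
	return recovers(func() {
		_, _ = c.WriteTo([]byte{0x45}, &net.IPAddr{IP: net.ParseIP("192.0.2.1")})
	})
}

// EmptyIPConnWriteToErrors: a non-nil *IPConn with no file descriptor is the
// case the embedded nil check is for; WriteTo returns an error, no panic.
func EmptyIPConnWriteToErrors() bool {
	c := &net.IPConn{}
	_, err := c.WriteTo([]byte{0x45}, &net.IPAddr{IP: net.ParseIP("192.0.2.1")})
	return err != nil
}

func main() {
	fmt.Println("promoted ok() on nil *outer panics:", PromotedNilCheckPanics())
	fmt.Println("WriteTo on nil *net.IPConn panics:  ", NilIPConnWriteToPanics())
	fmt.Println("WriteTo on &net.IPConn{} errors:     ", EmptyIPConnWriteToErrors())
}
```

The practical consequence for any caller of sendWithConn-style helpers: a nil check on the embedded type's method is not a nil check on the outer pointer, so the pointer that is actually passed around (here listenHandler.TcpConn4) must be tested for nil by the caller before WriteTo is invoked.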

@dogancanbakir (Member)

Still the same for me.

@RamanaReddy0M Can you also try to reproduce this, please? Thanks!

@RamanaReddy0M (Contributor)

I also couldn't reproduce the issue (dev branch).

@dogancanbakir (Member)

@iuliu8899 Can you provide the specific error message that appears when you attempt to use the dev branch?

@iuliu8899 (Author)

iuliu8899 commented Jul 11, 2024

GOROOT=/usr/local/go #gosetup
GOPATH=/Users/qq/go #gosetup
GONOPROXY= #gosetup
/usr/local/go/bin/go test -c -o /Users/qq/Library/Caches/JetBrains/GoLand2024.1/tmp/GoLand/___TestAliveScanIpConcurrently_in_test.test -gcflags all=-N -l test #gosetup
/usr/local/go/bin/go tool test2json -t /Applications/GoLand.app/Contents/plugins/go-plugin/lib/dlv/macarm/dlv --listen=127.0.0.1:56190 --headless=true --api-version=2 --check-go-version=false --only-same-user=false exec /Users/qq/Library/Caches/JetBrains/GoLand2024.1/tmp/GoLand/___TestAliveScanIpConcurrently_in_test.test -- -test.v -test.paniconexit0 -test.run ^\QTestAliveScanIpConcurrently\E$
API server listening at: 127.0.0.1:56190
=== RUN   TestAliveScanIpConcurrently
[INF] Running host discovery scan
[INF] syn scan is not possible, falling back to connect scan
[INF] Running host discovery scan
[INF] syn scan is not possible, falling back to connect scan
[INF] syn scan is not possible, falling back to connect scan
[INF] Running host discovery scan
[INF] Running host discovery scan
[INF] Found alive host 192.168.110.112 (192.168.110.112)
192.168.110.112
[INF] Found alive host 192.168.110.42 (192.168.110.42)
192.168.110.42
[INF] Found alive host 192.168.110.43 (192.168.110.43)
192.168.110.43
[INF] Found alive host 192.168.110.32 (192.168.110.32)
192.168.110.32
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x104c45a90]

goroutine 31 [running]:
net.(*IPConn).WriteTo(0x0, {0x14000026c90, 0x18, 0x18}, {0x106557680, 0x14000309710})
	/usr/local/go/src/net/iprawsock.go:171 +0x40
github.com/projectdiscovery/naabu/v2/pkg/scan.sendWithConn({0x140010293a0, 0xe}, {0x106562850, 0x0}, {0x14001119928, 0x1, 0x1})
	/Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:455 +0x1d0
github.com/projectdiscovery/naabu/v2/pkg/scan.sendAsyncTCP4(0x140005f86e0, {0x140010293a0, 0xe}, 0x14000b13038, 0x0)
	/Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:245 +0xfe0
github.com/projectdiscovery/naabu/v2/pkg/scan.SendAsyncPkg(0x140005f86e0, {0x140010293a0, 0xe}, 0x14000b13038, 0x0)
	/Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:164 +0x1bc
github.com/projectdiscovery/naabu/v2/pkg/scan.TransportWriteWorker()
	/Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:152 +0xa8
created by github.com/projectdiscovery/naabu/v2/pkg/scan.init.3 in goroutine 1
	/Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:119 +0x1504

Debugger finished with the exit code 0

@dogancanbakir @RamanaReddy0M

@dogancanbakir (Member)

@iuliu8899 I've pushed a branch called debug_nil_deref. Can you please try with that branch and send us the output? Thanks!

@iuliu8899 (Author)

GOROOT=/usr/local/go #gosetup
GOPATH=/Users/qq/go #gosetup
GONOPROXY= #gosetup
/usr/local/go/bin/go test -c -o /Users/qq/Library/Caches/JetBrains/GoLand2024.1/tmp/GoLand/___TestAliveScanIpConcurrently_in_test.test -gcflags all=-N -l test #gosetup
/usr/local/go/bin/go tool test2json -t /Applications/GoLand.app/Contents/plugins/go-plugin/lib/dlv/macarm/dlv --listen=127.0.0.1:64480 --headless=true --api-version=2 --check-go-version=false --only-same-user=false exec /Users/qq/Library/Caches/JetBrains/GoLand2024.1/tmp/GoLand/___TestAliveScanIpConcurrently_in_test.test -- -test.v -test.paniconexit0 -test.run ^\QTestAliveScanIpConcurrently\E$
API server listening at: 127.0.0.1:64480
[INF] Initialized TcpConn4: &{{0x14000c3a300}}
[INF] Initialized UdpConn4: &{{0x14000c3a380}}
[INF] Initialized TcpConn6: &{{0x14000c3a400}}
[INF] Initialized UdpConn6: &{{0x14000c3a480}}
=== RUN   TestAliveScanIpConcurrently
[INF] Running host discovery scan
[INF] TcpConn4 before sendWithConn: &{{0x14000c3a300}}
[INF] TcpConn4 before sendWithConn: &{{0x14000c3a300}}
[INF] TcpConn4 before sendWithConn: &{{0x14000c3a300}}
[INF] TcpConn4 before sendWithConn: &{{0x14000c3a300}}
[INF] TcpConn4 before sendWithConn: &{{0x14000c3a300}}
[INF] TcpConn4 before sendWithConn: &{{0x14000c3a300}}
[INF] TcpConn4 before sendWithConn: &{{0x14000c3a300}}
[INF] TcpConn4 before sendWithConn: &{{0x14000c3a300}}
[INF] syn scan is not possible, falling back to connect scan
[INF] syn scan is not possible, falling back to connect scan
[INF] Running host discovery scan
[INF] TcpConn4 before sendWithConn: <nil>
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x1027c1490]

goroutine 15 [running]:
net.(*IPConn).WriteTo(0x0, {0x14000c92060, 0x18, 0x18}, {0x1040d3680, 0x14000d1a450})
	/usr/local/go/src/net/iprawsock.go:171 +0x40
github.com/projectdiscovery/naabu/v2/pkg/scan.sendWithConn({0x14000a9f190, 0xe}, {0x1040de850, 0x0}, {0x14000d7f900, 0x1, 0x1})
	/Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:465 +0x1d0
github.com/projectdiscovery/naabu/v2/pkg/scan.sendAsyncTCP4(0x140006a4b40, {0x14000a9f190, 0xe}, 0x14000c391a0, 0x0)
	/Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:252 +0x1070
github.com/projectdiscovery/naabu/v2/pkg/scan.SendAsyncPkg(0x140006a4b40, {0x14000a9f190, 0xe}, 0x14000c391a0, 0x0)
	/Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:170 +0x1bc
github.com/projectdiscovery/naabu/v2/pkg/scan.TransportWriteWorker()
	/Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:158 +0xa8
created by github.com/projectdiscovery/naabu/v2/pkg/scan.init.3 in goroutine 1
	/Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:125 +0x1744

Debugger finished with the exit code 0

@dogancanbakir

@b0bleet

b0bleet commented Sep 12, 2024

Same problem here:

[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x54ccc7]

goroutine 39 [running]:
net.(*IPConn).WriteTo(0x0?, {0xc003932678?, 0xc003935e94?, 0xc000cd8c30?}, {0x1cd2050?, 0xc0039463f0?})
	/usr/local/go/src/net/iprawsock.go:171 +0x27
github.com/projectdiscovery/naabu/v2/pkg/scan.sendWithConn({0xc003935e94, 0xc}, {0x1cdee80, 0x0}, {0xc000cd8c30, 0x1, 0x1})
	/go/pkg/mod/github.com/b0bleet/naabu/[email protected]/pkg/scan/scan_unix.go:455 +0x1cf
github.com/projectdiscovery/naabu/v2/pkg/scan.sendAsyncTCP4(0xc00287ff40, {0xc003935e94, 0xc}, 0xc0006f4e10, 0x0)
	/go/pkg/mod/github.com/b0bleet/naabu/[email protected]/pkg/scan/scan_unix.go:245 +0x8f5
github.com/projectdiscovery/naabu/v2/pkg/scan.SendAsyncPkg(0x6?, {0xc003935e94, 0xc}, 0xc0006f4e10, 0x0?)
	/go/pkg/mod/github.com/b0bleet/naabu/[email protected]/pkg/scan/scan_unix.go:164 +0x11e
github.com/projectdiscovery/naabu/v2/pkg/scan.TransportWriteWorker()
	/go/pkg/mod/github.com/b0bleet/naabu/[email protected]/pkg/scan/scan_unix.go:152 +0x4b
created by github.com/projectdiscovery/naabu/v2/pkg/scan.init.3 in goroutine 1
	/go/pkg/mod/github.com/b0bleet/naabu/[email protected]/pkg/scan/scan_unix.go:119 +0xdc6

@b0bleet

b0bleet commented Sep 12, 2024

@dogancanbakir snippet to reproduce the issue:

package main

import (
	"context"
	"fmt"
	"log"
	"sync"

	"github.com/projectdiscovery/goflags"
	"github.com/projectdiscovery/naabu/v2/pkg/result"
	"github.com/projectdiscovery/naabu/v2/pkg/runner"
)

func main() {
	var wg sync.WaitGroup

	for range 10 {
		wg.Add(1)
		go func() {
			defer wg.Done()

			options := runner.Options{
				Host: goflags.StringSlice{"127.0.0.1"},
				// OnlyHostDiscovery: true,
				ScanType: "s", // SYN scan: needs root, otherwise naabu falls back to a connect scan
				OnResult: func(hr *result.HostResult) {
					fmt.Println(hr)
				},
				Timeout:           5 * 60,
				WarmUpTime:        10,
				TopPorts:          "100",
				SkipHostDiscovery: true,
			}

			naabuRunner, err := runner.NewRunner(&options)
			if err != nil {
				log.Fatal(err)
			}
			defer naabuRunner.Close()

			if err := naabuRunner.RunEnumeration(context.Background()); err != nil {
				log.Println(err)
			}
		}()
	}

	wg.Wait()
}

To address this, I implemented a quick fix that introduces a retry mechanism when acquiring the listener handler. This change mitigates the issue by ensuring the handler is properly acquired before proceeding with the scan:
commit
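A small model of the mitigation described in the comment above, written as an added example for this thread; it is not the linked commit and not naabu's code. ListenHandler, SetHandler, AcquireReady and SendSyn are hypothetical names, and &net.IPConn{} stands in for a raw socket, since opening a real one needs root. It shows the shape of the race the thread describes: a process-wide handler that a connect-scan fallback replaces with one lacking TcpConn4 while another runner's write worker is still active, and a bounded retry so the worker waits for a usable handler or fails with an error rather than dereferencing nil.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"sync"
	"time"
)

// ListenHandler is a simplified, hypothetical stand-in for naabu's listen
// handler: its raw IPv4 socket exists only when a SYN scan is possible.
type ListenHandler struct {
	TcpConn4 *net.IPConn // nil when the handler was created for a connect scan
}

// One handler shared by every runner in the process, as in the thread's
// analysis (the write workers are started once, from a package init).
var (
	handlerMu sync.Mutex
	handler   *ListenHandler
)

// SetHandler replaces the shared handler. This is what the "falling back to
// connect scan" path does, possibly while a sibling runner is mid-scan.
func SetHandler(h *ListenHandler) {
	handlerMu.Lock()
	defer handlerMu.Unlock()
	handler = h
}

func currentHandler() *ListenHandler {
	handlerMu.Lock()
	defer handlerMu.Unlock()
	return handler
}

// ErrNoRawSocket is returned instead of letting a nil TcpConn4 reach WriteTo.
var ErrNoRawSocket = errors.New("listen handler has no raw IPv4 socket")

// AcquireReady polls the shared handler until it carries a raw socket, giving
// up after attempts*wait. The bound matters: an unprivileged process will
// never get a socket, and must error out rather than spin forever.
func AcquireReady(attempts int, wait time.Duration) (*ListenHandler, error) {
	for i := 0; i < attempts; i++ {
		if h := currentHandler(); h != nil && h.TcpConn4 != nil {
			return h, nil
		}
		time.Sleep(wait)
	}
	return nil, fmt.Errorf("after %d attempts: %w", attempts, ErrNoRawSocket)
}

// SendSyn is the write-worker side: it never touches TcpConn4 without first
// confirming it is present, because (*IPConn).WriteTo panics on a nil receiver.
func SendSyn(h *ListenHandler, pkt []byte, dst string) error {
	if h == nil || h.TcpConn4 == nil {
		return ErrNoRawSocket
	}
	_, err := h.TcpConn4.WriteTo(pkt, &net.IPAddr{IP: net.ParseIP(dst)})
	return err
}

func main() {
	// Runner A installs a handler without a raw socket (connect-scan fallback).
	SetHandler(&ListenHandler{})
	if _, err := AcquireReady(3, 5*time.Millisecond); err != nil {
		fmt.Println("write worker refused to start:", err)
	}
	// Runner B (privileged) installs a handler with a socket a little later.
	// &net.IPConn{} is a placeholder: non-nil but without a file descriptor,
	// so WriteTo on it returns an error instead of sending anything.
	go func() {
		time.Sleep(10 * time.Millisecond)
		SetHandler(&ListenHandler{TcpConn4: &net.IPConn{}})
	}()
	h, err := AcquireReady(20, 5*time.Millisecond)
	fmt.Println("acquired:", h != nil, "err:", err)
	fmt.Println("send:", SendSyn(h, []byte{0x45}, "192.0.2.1"))
}
```

The retry only narrows the window. The traces show the write workers being created by scan.init.3, i.e. once per process, so whatever handler they read is shared by every runner, and a fallback in one runner can still replace it under a sibling; that is consistent with the maintainer's observation that the snippets work when run in sequence but not concurrently.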

@dogancanbakir (Member)

@b0bleet Still, can't repro the issue. This is the output:

$ go run .
[INF] Running CONNECT scan with non root privileges
[INF] Running CONNECT scan with non root privileges
[INF] Running CONNECT scan with non root privileges
[INF] Running CONNECT scan with non root privileges
[INF] Running CONNECT scan with non root privileges
[INF] Running CONNECT scan with non root privileges
[INF] Running CONNECT scan with non root privileges
[INF] Running CONNECT scan with non root privileges
[INF] Running CONNECT scan with non root privileges
[INF] Running CONNECT scan with non root privileges
127.0.0.1:5000
127.0.0.1:5000
127.0.0.1:5000
127.0.0.1:5000
127.0.0.1:5000
127.0.0.1:5000
127.0.0.1:5000
127.0.0.1:5000
127.0.0.1:5000
127.0.0.1:5000
[INF] Found 1 ports on host 127.0.0.1 (127.0.0.1)
&{127.0.0.1 127.0.0.1 [5000-0-false] 0}
[INF] Found 1 ports on host 127.0.0.1 (127.0.0.1)
&{127.0.0.1 127.0.0.1 [5000-0-false] 0}
[INF] Found 1 ports on host 127.0.0.1 (127.0.0.1)
&{127.0.0.1 127.0.0.1 [5000-0-false] 0}
[INF] Found 1 ports on host 127.0.0.1 (127.0.0.1)
&{127.0.0.1 127.0.0.1 [5000-0-false] 0}
[INF] Found 1 ports on host 127.0.0.1 (127.0.0.1)
&{127.0.0.1 127.0.0.1 [5000-0-false] 0}
[INF] Found 1 ports on host 127.0.0.1 (127.0.0.1)
&{127.0.0.1 127.0.0.1 [5000-0-false] 0}
[INF] Found 1 ports on host 127.0.0.1 (127.0.0.1)
&{127.0.0.1 127.0.0.1 [5000-0-false] 0}
[INF] Found 1 ports on host 127.0.0.1 (127.0.0.1)
&{127.0.0.1 127.0.0.1 [5000-0-false] 0}
[INF] Found 1 ports on host 127.0.0.1 (127.0.0.1)
&{127.0.0.1 127.0.0.1 [5000-0-false] 0}
[INF] Found 1 ports on host 127.0.0.1 (127.0.0.1)
&{127.0.0.1 127.0.0.1 [5000-0-false] 0}

@iuliu8899 (Author)

iuliu8899 commented Sep 24, 2024

@dogancanbakir could you please try that with root privilege? (Only a privileged user can send SYN packets.)

I can run this snippet properly as a normal user but not as root.

@b0bleet

b0bleet commented Sep 24, 2024

@dogancanbakir you should try with root privilege.

@dogancanbakir (Member)

Thanks, I reproduced the issue. Just to let you know, it works when running in sequence. I'll investigate it further.

@b0bleet

b0bleet commented Sep 30, 2024

I fixed it in the following commit, you can check that:
https://github.com/b0bleet/naabu/blob/75c564a03a25af979676e3a73e7bc18ecd7ef443/v2/pkg/scan/scan.go#L171-L174

@dogancanbakir dogancanbakir linked a pull request Oct 8, 2024 that will close this issue
@dogancanbakir (Member)

This is fixed in #1233.

@dogancanbakir dogancanbakir linked a pull request Oct 11, 2024 that will close this issue

4 participants