Fix sign and width issues around max_ips_to_scan. Fixes nmap#2838. Fixes nmap#2836

Author: bonsaiviking

NmapOps.h

@@ -226,8 +226,8 @@ class NmapOps {
   /* Gets the spoofed MAC address, but returns NULL if it hasn't been set */
   const u8 *spoofMACAddress() { return spoof_mac_set? spoof_mac : NULL; }
 
-  unsigned int max_ips_to_scan; // Used for Random input (-iR) to specify how
-                       // many IPs to try before stopping. 0 means unlimited.
+  unsigned long max_ips_to_scan; // Used for Random input (-iR) to specify how
+                       // many IPs to try before stopping. 0 means unlimited if generate_random_ips is true
   int extra_payload_length; /* These two are for --data-length op */
   char *extra_payload;
   unsigned long host_timeout;

TargetGroup.cc

@@ -126,15 +126,21 @@ class NetBlockRandomIPv4 : public NetBlock {
 public:
   NetBlockRandomIPv4();
 
-  void reject_last_host() { count++; }
-  void set_num_random(int num) { count = num; }
+  void reject_last_host() { if (!infinite) count++; }
+  void set_num_random(unsigned long num) {
+    if (num == 0)
+      infinite = true;
+    else
+      count = num;
+  }
   bool next(struct sockaddr_storage *ss, size_t *sslen);
   void apply_netmask(int bits) {}
   std::string str() const {return "Random IPv4 addresses";}
 
 private:
   struct sockaddr_in base;
-  int count;
+  unsigned long count;
+  bool infinite;
 };
 
 class NetBlockIPv4Ranges : public NetBlock {
@@ -352,21 +358,25 @@ bool NetBlock::is_resolved_address(const struct sockaddr_storage *ss) const {
   return false;
 }
 
-NetBlockRandomIPv4::NetBlockRandomIPv4() : count(0) {
+NetBlockRandomIPv4::NetBlockRandomIPv4() : count(0), infinite(false) {
   memset(&base, 0, sizeof(base));
   base.sin_family = AF_INET;
 }
 
 bool NetBlockRandomIPv4::next(struct sockaddr_storage *ss, size_t *sslen) {
-  if (count <= 0) {
-    return false;
+  if (!infinite) {
+    if (count > 0) {
+      count--;
+    }
+    else {
+      return false;
+    }
   }
   do {
     base.sin_addr.s_addr = get_random_unique_u32();
   } while (ip_is_reserved(&base.sin_addr));
   memcpy(ss, &base, sizeof(base));
   *sslen = sizeof(base);
-  count--;
   return true;
 }
 
@@ -861,7 +871,7 @@ bool TargetGroup::load_expressions(HostGroupState *hs, int af) {
   return !netblocks.empty();
 }
 
-void TargetGroup::generate_random_ips(int num_random) {
+void TargetGroup::generate_random_ips(unsigned long num_random) {
   NetBlockRandomIPv4 *nbrand = new NetBlockRandomIPv4();
   nbrand->set_num_random(num_random);
   netblocks.push_front(nbrand);

TargetGroup.h

@@ -98,7 +98,7 @@ class TargetGroup {
   const std::list<struct sockaddr_storage> &get_unscanned_addrs(void) const;
   /* is the current expression a named host */
   int get_namedhost() const;
-  void generate_random_ips(int num_random);
+  void generate_random_ips(unsigned long num_random);
   void reject_last_host();
 
   private:

targets.cc

@@ -285,7 +285,7 @@ bool target_needs_new_hostgroup(Target **targets, int targets_sz, const Target *
    The target_expressions array MUST REMAIN VALID IN MEMORY as long as
    this class instance is used -- the array is NOT copied.
  */
-HostGroupState::HostGroupState(int lookahead, int rnd, int num_random, int argc, const char **argv) {
+HostGroupState::HostGroupState(int lookahead, int rnd, unsigned long num_random, int argc, const char **argv) {
   assert(lookahead > 0);
   this->argc = argc;
   this->argv = argv;
@@ -296,7 +296,7 @@ HostGroupState::HostGroupState(int lookahead, int rnd, int num_random, int argc,
   current_batch_sz = 0;
   next_batch_no = 0;
   randomize = rnd;
-  if (num_random > 0) {
+  if (num_random >= 0) {
     current_group.generate_random_ips(num_random);
   }
 }
@@ -414,8 +414,8 @@ static Target *setup_target(const HostGroupState *hs,
 }
 
 bool HostGroupState::get_next_host(struct sockaddr_storage *ss, size_t *sslen, struct addrset *exclude_group) {
-  int num_queued = o.numhosts_scanned + current_batch_sz;
-  if (o.max_ips_to_scan > 0 && num_queued >= (int)o.max_ips_to_scan) {
+  unsigned long num_queued = o.numhosts_scanned + current_batch_sz;
+  if (o.max_ips_to_scan > 0 && num_queued >= o.max_ips_to_scan) {
     return false;
   }
 

targets.h

@@ -74,7 +74,7 @@ class HostGroupState {
   /* The maximum number of entries we want to allow storing in defer_buffer. */
   static const unsigned int DEFER_LIMIT = 64;
 
-  HostGroupState(int lookahead, int randomize, int num_random, int argc, const char *argv[]);
+  HostGroupState(int lookahead, int randomize, unsigned long num_random, int argc, const char *argv[]);
   ~HostGroupState();
   Target **hostbatch;