Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Lua/NSE math.random argument error in qscan.nse #1037

u0m3 opened this Issue Oct 15, 2017 · 3 comments


None yet
2 participants

u0m3 commented Oct 15, 2017

The qscan.nse has an issue with the second argument in math.random being a non-integer. Example output below (some output removed):

$ nmap -v -d --script qscan --script-args qscan.confidence=0.95,qscan.delay=200ms,qscan.numtrips=10
wpcap.dll present, library version: Npcap version 0.93, based on libpcap version 1.8.1

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-15 18:39 GTB Daylight Time
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
NSE: Using Lua 5.3.
NSE: Arguments from CLI: qscan.confidence=0.95,qscan.delay=200ms,qscan.numtrips=10
NSE: Arguments parsed: qscan.confidence=0.95,qscan.delay=200ms,qscan.numtrips=10
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 18:39
NSE: Script scanning
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 18:39
NSE: Starting qscan against
NSE: qscan against threw an error!
C:\Program Files (x86)\Nmap/scripts\qscan.nse:489: bad argument #2 to 'random' (number has no integer representation)
stack traceback:
        [C]: in function 'math.random'
        C:\Program Files (x86)\Nmap/scripts\qscan.nse:489: in function <C:\Program Files (x86)\Nmap/scripts\qscan.nse:411>
        (...tail calls...)


The problem occurs in https://github.com/nmap/nmap/blob/master/scripts/qscan.nse#L487-L492 because delay is a non-integer (in this example, 200ms is parsed as 0.2, the value in seconds) and according to http://lua-users.org/wiki/MathLibraryTutorial all arguments of math.random are expected to be integers.

A quick fix/work-around would be to replace the calls with something like

      if rtt < (3 * delay) / 2 then
        if rtt < (delay / 2) then
          stdnse.sleep(((delay / 2) + math.random(0, delay*1000)/1000 - rtt))
          stdnse.sleep(math.random(((3 * delay) / 2 - rtt)*1000)/1000)

I chose 1000 as a value because according to https://github.com/nmap/nmap/blob/master/nselib/stdnse.lua#L60-L69 stdnse.sleep has millisecond resolution.

Please give the referenced patch a spin and report any issues.

u0m3 commented Oct 17, 2017

Can be closed as it is elegantly fixed by #1038

Let's leave it open until the patch gets committed, just in case. I will close it with a proper auto-closing annotation in the commit message.

@nmap-bot nmap-bot closed this in 5fa53d0 Oct 24, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment