Launches the plugins, and manages multithreading. More...

#include "attack.h"
#include "../misc/ipc_openvas.h"
#include "../misc/kb_cache.h"
#include "../misc/network.h"
#include "../misc/nvt_categories.h"
#include "../misc/pcap_openvas.h"
#include "../misc/plugutils.h"
#include "../misc/table_driven_lsc.h"
#include "../misc/user_agent.h"
#include "../nasl/nasl_debug.h"
#include "hosts.h"
#include "pluginlaunch.h"
#include "pluginload.h"
#include "pluginscheduler.h"
#include "plugs_req.h"
#include "processes.h"
#include "sighand.h"
#include "utils.h"
#include <arpa/inet.h>
#include <bsd/unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <glib.h>
#include <gvm/base/hosts.h>
#include <gvm/base/networking.h>
#include <gvm/base/prefs.h>
#include <gvm/boreas/alivedetection.h>
#include <gvm/boreas/boreas_io.h>
#include <gvm/util/mqtt.h>
#include <gvm/util/nvticache.h>
#include <pthread.h>
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

Include dependency graph for attack.c:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures
struct	attack_start_args

Macros
#define	ERR_HOST_DEAD -1

#define	MAX_FORK_RETRIES 10

#define	KB_RETRY_DELAY 3 /In sec/

#define	INVALID_TARGET_LIST "-1"

#define	G_LOG_DOMAIN "sd main"
	GLib log domain.

Functions
static int	connect_main_kb (kb_t *main_kb)
	Connect to the main kb. Must be released with kb_lnk_reset() after use.

static void	set_kb_readable (int host_kb_index)
	Add the Host KB index to the list of readable KBs used by ospd-openvas.

static void	set_scan_status (char *status)
	Set scan status. This helps ospd-openvas to identify if a scan crashed or finished cleanly.

static int	comm_send_status_host_dead (kb_t main_kb, char *ip_str)
	Send status to the client that the host is dead.

static int	comm_send_status (kb_t main_kb, char *ip_str, int curr, int max)
	Sends the progress status of of a host's scan.

static void	message_to_client (kb_t kb, const char msg, const char ip_str, const char port, const char type)

static void	report_kb_failure (int errcode)

static void	fork_sleep (int n)

static void	scan_stop_cleanup (void)

static int	scan_is_stopped (void)

static int	nvti_category_is_safe (int category)
	Checks that an NVT category is safe.

static void	append_vhost (const char vhost, const char source)

static int	run_table_driven_lsc (const char scan_id, kb_t kb, const char ip_str, const char *hostname)
	Publish the necessary data to start a Table driven LSC scan.

static void	process_ipc_data (const gchar *result)

static void	read_ipc (struct ipc_context *ctx)

static int	launch_plugin (struct scan_globals globals, struct scheduler_plugin plugin, struct in6_addr ip, GSList vhosts, struct attack_start_args *args)
	Launches a nvt. Respects safe check preference (i.e. does not try.

static void	attack_host (struct scan_globals globals, struct in6_addr ip, struct attack_start_args *args)
	Attack one host.

static char *	vhosts_to_str (GSList *list)

static void	check_deprecated_prefs (void)
	Check if any deprecated prefs are in pref table and print warning.

static int	host_authorized (const gvm_host_t host, const struct in6_addr addr, const gvm_hosts_t hosts_allow, const gvm_hosts_t hosts_deny)

static int	check_host_authorization (gvm_host_t host, const struct in6_addr addr)

static void	attack_start (struct ipc_context ipcc, struct attack_start_args args)
	Set up some data and jump into attack_host()

static void	apply_hosts_excluded (gvm_hosts_t *hosts)

static void	apply_hosts_preferences_ordering (gvm_hosts_t *hosts)

static int	apply_hosts_reverse_lookup_preferences (gvm_hosts_t *hosts)

static int	check_kb_access (void)

static void	set_alive_detection_tid (pthread_t tid)

static pthread_t	get_alive_detection_tid ()

static gboolean	ad_thread_joined (gboolean joined)
	Set and get if alive detection thread was already joined by main thread.

static void	handle_scan_stop_signal ()

void	attack_network (struct scan_globals *globals)
	Attack a whole network.

Variables
int	global_scan_stop = 0

static kb_t	host_kb = NULL

static GSList *	host_vhosts = NULL

static pthread_t	alive_detection_tid

Detailed Description

Launches the plugins, and manages multithreading.

Definition in file attack.c.

Macro Definition Documentation

◆ ERR_HOST_DEAD

#define ERR_HOST_DEAD -1

Definition at line 51 of file attack.c.

◆ G_LOG_DOMAIN

#define G_LOG_DOMAIN "sd main"

GLib log domain.

Definition at line 67 of file attack.c.

◆ INVALID_TARGET_LIST

#define INVALID_TARGET_LIST "-1"

Define value to be sent to the client for invalid target list.

Definition at line 61 of file attack.c.

◆ KB_RETRY_DELAY

#define KB_RETRY_DELAY 3 /*In sec*/

Wait KB_RETRY_DELAY seconds until trying again to get a new kb.

Definition at line 57 of file attack.c.

◆ MAX_FORK_RETRIES

#define MAX_FORK_RETRIES 10

Definition at line 53 of file attack.c.

Function Documentation

◆ ad_thread_joined()

static gboolean ad_thread_joined ( gboolean joined )

static

Set and get if alive detection thread was already joined by main thread.

The status can only be set to TRUE once in the lifetime of the program and retrieved as often as needed. After it is set to TRUE it can not be unset.

Parameters

joined TRUE to set status to joined and FALSE to retrieve status of join.

Returns: Returns true if thread was already joined.

Definition at line 1179 of file attack.c.

{
  static gboolean alive_detection_thread_already_joined = FALSE;
  if (joined)
    alive_detection_thread_already_joined = TRUE;
  return alive_detection_thread_already_joined;
}

Referenced by attack_network(), and scan_stop_cleanup().

Here is the caller graph for this function:

◆ append_vhost()

static void append_vhost	(	const char *	vhost,
		const char *	source
	)

static

Definition at line 293 of file attack.c.

{
  GSList *vhosts = NULL;
  vhosts = host_vhosts;
  assert (source);
  assert (vhost);
  while (vhosts)
    {
      gvm_vhost_t *tmp = vhosts->data;
 
      if (!strcmp (tmp->value, vhost))
        {
          g_info ("%s: vhost '%s' exists already", __func__, vhost);
          return;
        }
      vhosts = vhosts->next;
    }
  host_vhosts = g_slist_append (
    host_vhosts, gvm_vhost_new (g_strdup (vhost), g_strdup (source)));
  g_info ("%s: add vhost '%s' from '%s'", __func__, vhost, source);
}

References host_vhosts.

Referenced by process_ipc_data().

Here is the caller graph for this function:

◆ apply_hosts_excluded()

static void apply_hosts_excluded ( gvm_hosts_t * hosts )

static

Definition at line 997 of file attack.c.

{
  const char *exclude_hosts = prefs_get ("exclude_hosts");
 
  /* Exclude hosts ? */
  if (exclude_hosts)
    {
      /* Exclude hosts, resolving hostnames. */
      int ret = gvm_hosts_exclude (hosts, exclude_hosts);
 
      if (ret > 0)
        g_message ("exclude_hosts: Skipped %d host(s).", ret);
      if (ret < 0)
        g_message ("exclude_hosts: Error.");
    }
}

References hosts.

Referenced by attack_network().

Here is the caller graph for this function:

◆ apply_hosts_preferences_ordering()

static void apply_hosts_preferences_ordering ( gvm_hosts_t * hosts )

static

Definition at line 1064 of file attack.c.

{
  const char *ordering = prefs_get ("hosts_ordering");
 
  /* Hosts ordering strategy: sequential, random, reversed... */
  if (ordering)
    {
      if (!strcmp (ordering, "random"))
        {
          gvm_hosts_shuffle (hosts);
          g_debug ("hosts_ordering: Random.");
        }
      else if (!strcmp (ordering, "reverse"))
        {
          gvm_hosts_reverse (hosts);
          g_debug ("hosts_ordering: Reverse.");
        }
    }
  else
    g_debug ("hosts_ordering: Sequential.");
}

References hosts.

Referenced by attack_network().

Here is the caller graph for this function:

◆ apply_hosts_reverse_lookup_preferences()

static int apply_hosts_reverse_lookup_preferences ( gvm_hosts_t * hosts )

static

Definition at line 1087 of file attack.c.

{
#ifdef FEATURE_REVERSE_LOOKUP_EXCLUDED
  const char *exclude_hosts = prefs_get ("exclude_hosts");
  int hosts_excluded = 0;
 
  if (prefs_get_bool ("reverse_lookup_unify"))
    {
      gvm_hosts_t *excluded;
 
      excluded = gvm_hosts_reverse_lookup_unify_excluded (hosts);
      g_debug ("reverse_lookup_unify: Skipped %zu host(s).", excluded->count);
 
      // Get the amount of hosts which are excluded now for this option,
      // but they are already in the exclude list.
      // This is to avoid issues with the scan progress calculation, since
      // the amount of excluded host could be duplicated.
      hosts_excluded += gvm_hosts_exclude (excluded, exclude_hosts);
 
      gvm_hosts_free (excluded);
    }
 
  if (prefs_get_bool ("reverse_lookup_only"))
    {
      gvm_hosts_t *excluded;
 
      excluded = gvm_hosts_reverse_lookup_only_excluded (hosts);
      g_debug ("reverse_lookup_unify: Skipped %zu host(s).", excluded->count);
      // Get the amount of hosts which are excluded now for this option,
      // but they are already in the exclude list.
      // This is to avoid issues with the scan progress calculation, since
      // the amount of excluded host could be duplicated.
      hosts_excluded += gvm_hosts_exclude (excluded, exclude_hosts);
      gvm_hosts_free (excluded);
    }
  return exclude_hosts ? hosts_excluded : 0;
#else
  /* Reverse-lookup unify ? */
  if (prefs_get_bool ("reverse_lookup_unify"))
    g_debug ("reverse_lookup_unify: Skipped %d host(s).",
             gvm_hosts_reverse_lookup_unify (hosts));
 
  /* Hosts that reverse-lookup only ? */
  if (prefs_get_bool ("reverse_lookup_only"))
    g_debug ("reverse_lookup_only: Skipped %d host(s).",
             gvm_hosts_reverse_lookup_only (hosts));
 
  return 0;
#endif
}

References hosts.

Referenced by attack_network().

Here is the caller graph for this function:

◆ attack_host()

static void attack_host	(	struct scan_globals *	globals,
		struct in6_addr *	ip,
		struct attack_start_args *	args
	)

static

Attack one host.

Definition at line 630 of file attack.c.

{
  /* Used for the status */
  int num_plugs, forks_retry = 0, all_plugs_launched = 0;
  char ip_str[INET6_ADDRSTRLEN];
  struct scheduler_plugin *plugin;
  pid_t parent;
 
  addr6_to_str (ip, ip_str);
  host_kb = args->host_kb;
  host_vhosts = args->host->vhosts;
  globals->host_pid = getpid ();
  host_set_time (get_main_kb (), ip_str, "HOST_START");
  kb_lnk_reset (get_main_kb ());
  setproctitle ("openvas: testing %s", ip_str);
  kb_lnk_reset (args->host_kb);
 
  /* launch the plugins */
  pluginlaunch_init (ip_str);
  num_plugs = plugins_scheduler_count_active (args->sched);
  for (;;)
    {
      /* Check that our father is still alive */
      parent = getppid ();
      if (parent <= 1 || process_alive (parent) == 0)
        {
          pluginlaunch_stop ();
          return;
        }
 
      if (check_kb_inconsistency (get_main_kb ()) != 0)
        {
          // We send the stop scan signal to the current parent process
          // group, which is the main scan process and host processes.
          // This avoid to attack new hosts and force the running host
          // process to finish and spread the signal to the plugin processes
          // To prevent duplicate results we don't let ACT_END run.
          killpg (parent, SIGUSR1);
        }
 
      if (scan_is_stopped ())
        plugins_scheduler_stop (args->sched);
 
      plugin = plugins_scheduler_next (args->sched);
      if (plugin != NULL && plugin != PLUG_RUNNING)
        {
          int e;
          static int last_status = 0, cur_plug = 0;
 
        again:
          e = launch_plugin (globals, plugin, ip, host_vhosts, args);
          if (e < 0)
            {
              /*
               * Remote host died
               */
              if (e == ERR_HOST_DEAD)
                {
                  char buffer[2048];
 
                  snprintf (
                    buffer, sizeof (buffer),
                    "LOG|||%s||| |||general/Host_Details||| |||<host><detail>"
                    "<name>Host dead</name><value>1</value><source>"
                    "<description/><type/><name/></source></detail></host>",
                    ip_str);
                  kb_item_push_str_with_main_kb_check (
                    get_main_kb (), "internal/results", buffer);
 
                  comm_send_status_host_dead (get_main_kb (), ip_str);
                  goto host_died;
                }
              else if (e == ERR_NO_FREE_SLOT)
                {
                  if (forks_retry < MAX_FORK_RETRIES)
                    {
                      forks_retry++;
                      g_warning ("Launch failed for %s. No free slot available "
                                 "in the internal process table for starting a "
                                 "plugin.",
                                 plugin->oid);
                      fork_sleep (forks_retry);
                      goto again;
                    }
                }
              else if (e == ERR_CANT_FORK)
                {
                  if (forks_retry < MAX_FORK_RETRIES)
                    {
                      forks_retry++;
                      g_warning (
                        "fork() failed for %s - sleeping %d seconds (%s)",
                        plugin->oid, forks_retry, strerror (errno));
                      fork_sleep (forks_retry);
                      goto again;
                    }
                  else
                    {
                      g_warning ("fork() failed too many times - aborting");
                      goto host_died;
                    }
                }
            }
 
          if ((cur_plug * 100) / num_plugs >= last_status
              && !scan_is_stopped ())
            {
              last_status = (cur_plug * 100) / num_plugs + 2;
              if (comm_send_status (get_main_kb (), ip_str, cur_plug, num_plugs)
                  < 0)
                goto host_died;
            }
          cur_plug++;
        }
      else if (plugin == NULL)
        break;
      else if (plugin != NULL && plugin == PLUG_RUNNING)
        /* 50 milliseconds. */
        usleep (50000);
      pluginlaunch_wait_for_free_process (get_main_kb (), args->host_kb);
    }
 
  if (!scan_is_stopped () && prefs_get_bool ("table_driven_lsc")
      && prefs_get_bool ("mqtt_enabled"))
    {
      if (run_table_driven_lsc (globals->scan_id, args->host_kb, ip_str, NULL))
        {
          char buffer[2048];
          snprintf (
            buffer, sizeof (buffer),
            "ERRMSG|||%s||| ||| ||| ||| Unable to launch table driven lsc",
            ip_str);
          kb_item_push_str_with_main_kb_check (get_main_kb (),
                                               "internal/results", buffer);
          g_warning ("%s: Unable to launch table driven LSC", __func__);
        }
    }
 
  pluginlaunch_wait (get_main_kb (), args->host_kb);
  if (!scan_is_stopped ())
    {
      int ret;
      ret = comm_send_status (get_main_kb (), ip_str, num_plugs, num_plugs);
      if (ret == 0)
        all_plugs_launched = 1;
    }
 
host_died:
  if (all_plugs_launched == 0 && !scan_is_stopped ())
    g_message ("Vulnerability scan %s for host %s: not all plugins "
               "were launched",
               globals->scan_id, ip_str);
  pluginlaunch_stop ();
  plugins_scheduler_free (args->sched);
  host_set_time (get_main_kb (), ip_str, "HOST_END");
}

References check_kb_inconsistency(), comm_send_status(), comm_send_status_host_dead(), ERR_CANT_FORK, ERR_HOST_DEAD, ERR_NO_FREE_SLOT, fork_sleep(), get_main_kb(), attack_start_args::host, attack_start_args::host_kb, host_kb, scan_globals::host_pid, host_set_time(), host_vhosts, kb_item_push_str_with_main_kb_check(), launch_plugin(), MAX_FORK_RETRIES, scheduler_plugin::oid, PLUG_RUNNING, pluginlaunch_init(), pluginlaunch_stop(), pluginlaunch_wait(), pluginlaunch_wait_for_free_process(), plugins_scheduler_count_active(), plugins_scheduler_free(), plugins_scheduler_next(), plugins_scheduler_stop(), process_alive(), run_table_driven_lsc(), scan_globals::scan_id, scan_is_stopped(), and attack_start_args::sched.

Referenced by attack_start().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ attack_network()

void attack_network ( struct scan_globals * globals )

Attack a whole network.

Definition at line 1247 of file attack.c.

{
  int max_hosts = 0, max_checks;
  const char *hostlist;
  gvm_host_t *host;
  plugins_scheduler_t sched;
  int fork_retries = 0;
  GHashTable *files;
  struct timeval then, now;
  gvm_hosts_t *hosts;
  const gchar *port_range;
  int allow_simultaneous_ips;
  kb_t arg_host_kb, main_kb;
  GSList *unresolved;
  char buf[96];
 
  check_deprecated_prefs ();
 
  gboolean test_alive_hosts_only = prefs_get_bool ("test_alive_hosts_only");
  gvm_hosts_t *alive_hosts_list = NULL;
  kb_t alive_hosts_kb = NULL;
  if (test_alive_hosts_only)
    connect_main_kb (&alive_hosts_kb);
 
  gettimeofday (&then, NULL);
 
  if (check_kb_access ())
    return;
 
  /* Init and check Target List */
  hostlist = prefs_get ("TARGET");
  if (hostlist == NULL)
    {
      return;
    }
 
  /* Verify the port range is a valid one */
  port_range = prefs_get ("port_range");
  if (validate_port_range (port_range))
    {
      connect_main_kb (&main_kb);
      message_to_client (
        main_kb, "Invalid port list. Ports must be in the range [1-65535]",
        NULL, NULL, "ERRMSG");
      kb_lnk_reset (main_kb);
      g_warning ("Invalid port list. Ports must be in the range [1-65535]. "
                 "Scan terminated.");
      set_scan_status ("finished");
 
      return;
    }
 
  /* Initialize the attack. */
  int plugins_init_error = 0;
  sched = plugins_scheduler_init (prefs_get ("plugin_set"),
                                  prefs_get_bool ("auto_enable_dependencies"),
                                  &plugins_init_error);
  if (!sched)
    {
      g_message ("Couldn't initialize the plugin scheduler");
      return;
    }
 
  if (plugins_init_error > 0)
    {
      sprintf (buf,
               "%d errors were found during the plugin scheduling. "
               "Some plugins have not been launched.",
               plugins_init_error);
 
      connect_main_kb (&main_kb);
      message_to_client (main_kb, buf, NULL, NULL, "ERRMSG");
      kb_lnk_reset (main_kb);
    }
 
  max_hosts = get_max_hosts_number ();
  max_checks = get_max_checks_number ();
 
  hosts = gvm_hosts_new (hostlist);
  if (hosts == NULL)
    {
      char *buffer;
      buffer = g_strdup_printf ("Invalid target list: %s.", hostlist);
      connect_main_kb (&main_kb);
      message_to_client (main_kb, buffer, NULL, NULL, "ERRMSG");
      g_free (buffer);
      /* Send the hosts count to the client as -1,
       * because the invalid target list.*/
      message_to_client (main_kb, INVALID_TARGET_LIST, NULL, NULL,
                         "HOSTS_COUNT");
      kb_lnk_reset (main_kb);
      g_warning ("Invalid target list. Scan terminated.");
      goto stop;
    }
 
  unresolved = gvm_hosts_resolve (hosts);
  while (unresolved)
    {
      g_warning ("Couldn't resolve hostname '%s'", (char *) unresolved->data);
      unresolved = unresolved->next;
    }
  g_slist_free_full (unresolved, g_free);
 
  /* Apply Hosts preferences. */
  apply_hosts_preferences_ordering (hosts);
 
  int already_excluded = 0;
  already_excluded = apply_hosts_reverse_lookup_preferences (hosts);
 
#ifdef FEATURE_HOSTS_ALLOWED_ONLY
  // Remove hosts which are denied and/or keep the ones in the allowed host
  // lists
  // for both, user and system wide settings.
  apply_hosts_allow_deny (hosts);
#endif
 
  /* Send the hosts count to the client, after removing duplicated and
   * unresolved hosts.*/
  sprintf (buf, "%d", gvm_hosts_count (hosts) + already_excluded);
  connect_main_kb (&main_kb);
  message_to_client (main_kb, buf, NULL, NULL, "HOSTS_COUNT");
  kb_lnk_reset (main_kb);
 
  // Remove the excluded hosts
  apply_hosts_excluded (hosts);
 
  host = gvm_hosts_next (hosts);
  if (host == NULL)
    goto stop;
  hosts_init (max_hosts);
 
  g_message ("Vulnerability scan %s started: Target has %d hosts: "
             "%s, with max_hosts = %d and max_checks = %d",
             globals->scan_id, gvm_hosts_count (hosts), hostlist, max_hosts,
             max_checks);
 
  if (test_alive_hosts_only)
    {
      /* Boolean signalling if alive detection finished. */
      gboolean ad_finished = FALSE;
      int err;
      pthread_t tid;
      struct in6_addr tmpaddr;
 
      /* Reset the iterator. */
      hosts->current = 0;
      err = pthread_create (&tid, NULL, start_alive_detection, (void *) hosts);
      if (err == EAGAIN)
        g_warning (
          "%s: pthread_create() returned EAGAIN: Insufficient resources "
          "to create thread.",
          __func__);
      set_alive_detection_tid (tid);
      g_debug ("%s: started alive detection.", __func__);
 
      for (host = get_host_from_queue (alive_hosts_kb, &ad_finished);
           !host && !ad_finished && !scan_is_stopped ();
           host = get_host_from_queue (alive_hosts_kb, &ad_finished))
        {
          fork_sleep (1);
        }
 
      if (gvm_host_get_addr6 (host, &tmpaddr) == 0)
        host = gvm_host_find_in_hosts (host, &tmpaddr, hosts);
      if (host)
        {
          g_debug (
            "%s: Get first host to test from Queue. This host is used for "
            "initialising the alive_hosts_list.",
            __func__);
        }
      alive_hosts_list = gvm_hosts_new (gvm_host_value_str (host));
    }
 
  /*
   * Start the attack !
   */
  allow_simultaneous_ips = prefs_get_bool ("allow_simultaneous_ips");
  openvas_signal (SIGUSR1, handle_scan_stop_signal);
  while (host && !scan_is_stopped ())
    {
      int pid, rc;
      struct attack_start_args args;
      char *host_str;
 
      if (!test_alive_hosts_only
          && (!allow_simultaneous_ips && host_is_currently_scanned (host)))
        {
          sleep (1);
          // move the host at the end of the list and get the next host.
          gvm_hosts_move_current_host_to_end (hosts);
          host = gvm_hosts_next (hosts);
          continue;
        }
 
      do
        {
          rc = kb_new (&arg_host_kb, prefs_get ("db_address"));
          if (rc < 0 && rc != -2)
            {
              report_kb_failure (rc);
              goto scan_stop;
            }
          else if (rc == -2)
            {
              sleep (KB_RETRY_DELAY);
              continue;
            }
          break;
        }
      while (1);
 
      host_str = gvm_host_value_str (host);
      connect_main_kb (&main_kb);
      if (hosts_new (host_str, arg_host_kb, main_kb) < 0)
        {
          kb_delete (arg_host_kb);
          g_free (host_str);
          goto scan_stop;
        }
 
      if (scan_is_stopped ())
        {
          kb_delete (arg_host_kb);
          g_free (host_str);
          continue;
        }
 
      args.host = host;
      args.globals = globals;
      args.sched = sched;
      args.host_kb = arg_host_kb;
 
    forkagain:
      pid = create_ipc_process ((ipc_process_func) attack_start, &args);
      /* Close child process' socket. */
      if (pid < 0)
        {
          fork_retries++;
          if (fork_retries > MAX_FORK_RETRIES)
            {
              /* Forking failed - we go to the wait queue. */
              g_warning ("fork() failed - %s. %s won't be tested",
                         strerror (errno), host_str);
              g_free (host_str);
              goto stop;
            }
 
          g_debug ("fork() failed - "
                   "sleeping %d seconds and trying again...",
                   fork_retries);
          fork_sleep (fork_retries);
          goto forkagain;
        }
      hosts_set_pid (host_str, pid);
 
      if (test_alive_hosts_only)
        {
          struct in6_addr tmpaddr;
          gvm_host_t *alive_buf;
 
          while (1)
            {
              /* Boolean signalling if alive detection finished. */
              gboolean ad_finished = FALSE;
              for (host = get_host_from_queue (alive_hosts_kb, &ad_finished);
                   !host && !ad_finished && !scan_is_stopped ();
                   host = get_host_from_queue (alive_hosts_kb, &ad_finished))
                {
                  fork_sleep (1);
                }
 
              if (host && !allow_simultaneous_ips
                  && host_is_currently_scanned (host))
                {
                  struct in6_addr hostip;
                  char ip_str[INET6_ADDRSTRLEN];
                  int flag_set;
 
                  gvm_host_get_addr6 (host, &hostip);
                  addr6_to_str (&hostip, ip_str);
 
                  // Re-add host at the end of the queue and reallocate the flag
                  // if it was already set.
                  flag_set = finish_signal_on_queue (alive_hosts_kb);
 
                  put_host_on_queue (alive_hosts_kb, ip_str);
                  g_debug ("Reallocating the host %s at the end of the queue",
                           ip_str);
 
                  gvm_host_free (host);
                  host = NULL;
 
                  if (flag_set)
                    {
                      g_debug ("Reallocating finish signal in the host queue");
                      realloc_finish_signal_on_queue (alive_hosts_kb);
                    }
                }
              else
                break;
            }
 
          if (host && gvm_host_get_addr6 (host, &tmpaddr) == 0)
            {
              alive_buf = host;
              host = gvm_host_find_in_hosts (host, &tmpaddr, hosts);
              gvm_host_free (alive_buf);
              alive_buf = NULL;
            }
 
          if (host)
            gvm_hosts_add (alive_hosts_list, gvm_duplicate_host (host));
          else
            g_debug ("%s: got NULL host, stop/finish scan", __func__);
        }
      else
        {
          host = gvm_hosts_next (hosts);
        }
      g_free (host_str);
    }
 
  /* Every host is being tested... We have to wait for the processes
   * to terminate. */
  while (hosts_read () == 0)
    if (scan_is_stopped () == 1)
      killpg (getpid (), SIGUSR1);
 
  g_debug ("Test complete");
 
scan_stop:
  /* Free the memory used by the files uploaded by the user, if any. */
  files = globals->files_translation;
  if (files)
    g_hash_table_destroy (files);
 
stop:
 
  if (test_alive_hosts_only)
    {
      int err;
      void *retval;
 
      kb_lnk_reset (alive_hosts_kb);
      g_debug ("%s: free alive detection data ", __func__);
 
      /* need to wait for alive detection to finish */
      g_debug ("%s: waiting for alive detection thread to be finished...",
               __func__);
      /* Join alive detection thread. */
      err = pthread_join (get_alive_detection_tid (), &retval);
      if (err == EDEADLK)
        g_debug ("%s: pthread_join() returned EDEADLK.", __func__);
      if (err == EINVAL)
        g_debug ("%s: pthread_join() returned EINVAL.", __func__);
      if (err == ESRCH)
        g_debug ("%s: pthread_join() returned ESRCH.", __func__);
      if (retval == PTHREAD_CANCELED)
        g_debug ("%s: pthread_join() returned PTHREAD_CANCELED.", __func__);
      /* Set flag signaling that alive deteciton thread was joined. */
      if (err == 0)
        ad_thread_joined (TRUE);
      g_debug ("%s: Finished waiting for alive detection thread.", __func__);
    }
 
  plugins_scheduler_free (sched);
 
  gettimeofday (&now, NULL);
  if (test_alive_hosts_only)
    g_message ("Vulnerability scan %s finished in %ld seconds: "
               "%d alive hosts of %d",
               globals->scan_id, now.tv_sec - then.tv_sec,
               gvm_hosts_count (alive_hosts_list), gvm_hosts_count (hosts));
  else
    g_message ("Vulnerability scan %s finished in %ld seconds: %d hosts",
               globals->scan_id, now.tv_sec - then.tv_sec,
               gvm_hosts_count (hosts));
 
  gvm_hosts_free (hosts);
  if (alive_hosts_list)
    gvm_hosts_free (alive_hosts_list);
 
  set_scan_status ("finished");
}

References ad_thread_joined(), apply_hosts_excluded(), apply_hosts_preferences_ordering(), apply_hosts_reverse_lookup_preferences(), attack_start(), check_deprecated_prefs(), check_kb_access(), connect_main_kb(), create_ipc_process(), scan_globals::files_translation, fork_sleep(), get_alive_detection_tid(), get_max_checks_number(), get_max_hosts_number(), attack_start_args::globals, handle_scan_stop_signal(), attack_start_args::host, host_is_currently_scanned(), attack_start_args::host_kb, hosts, hosts_init(), hosts_new(), hosts_read(), hosts_set_pid(), INVALID_TARGET_LIST, KB_RETRY_DELAY, main_kb, MAX_FORK_RETRIES, message_to_client(), openvas_signal, pid, plugins_scheduler_free(), plugins_scheduler_init(), report_kb_failure(), scan_globals::scan_id, scan_is_stopped(), attack_start_args::sched, set_alive_detection_tid(), set_scan_status(), and timeval().

Referenced by openvas().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ attack_start()

static void attack_start	(	struct ipc_context *	ipcc,
		struct attack_start_args *	args
	)

static

Set up some data and jump into attack_host()

Definition at line 917 of file attack.c.

{
  struct scan_globals *globals = args->globals;
  char ip_str[INET6_ADDRSTRLEN], *hostnames;
  struct in6_addr hostip;
  struct timeval then;
  kb_t kb = args->host_kb;
  kb_t main_kb = get_main_kb ();
  int ret;
  args->ipc_context = ipcc;
 
  nvticache_reset ();
  kb_lnk_reset (kb);
  kb_lnk_reset (main_kb);
  gettimeofday (&then, NULL);
 
  kb_item_set_str_with_main_kb_check (kb, "internal/scan_id", globals->scan_id,
                                      0);
  set_kb_readable (kb_get_kb_index (kb));
 
  /* The reverse lookup is delayed to this step in order to not slow down the
   * main scan process eg. case of target with big range of IP addresses. */
  if (prefs_get_bool ("expand_vhosts"))
    gvm_host_add_reverse_lookup (args->host);
  if ((ret = gvm_vhosts_exclude (args->host, prefs_get ("exclude_hosts"))) > 0)
    g_message ("exclude_hosts: Skipped %d vhost(s).", ret);
  gvm_host_get_addr6 (args->host, &hostip);
  addr6_to_str (&hostip, ip_str);
 
#ifndef FEATURE_HOSTS_ALLOWED_ONLY
  int ret_host_auth = check_host_authorization (args->host, &hostip);
  if (ret_host_auth < 0)
    {
      if (ret_host_auth == -1)
        message_to_client (kb, "Host access denied.", ip_str, NULL, "ERRMSG");
      else
        message_to_client (kb, "Host access denied (system-wide restriction.)",
                           ip_str, NULL, "ERRMSG");
 
      kb_item_set_str_with_main_kb_check (kb, "internal/host_deny", "True", 0);
      g_warning ("Host %s access denied.", ip_str);
      return;
    }
#endif
 
  if (prefs_get_bool ("test_empty_vhost"))
    {
      gvm_vhost_t *vhost =
        gvm_vhost_new (g_strdup (ip_str), g_strdup ("IP-address"));
      args->host->vhosts = g_slist_prepend (args->host->vhosts, vhost);
    }
  hostnames = vhosts_to_str (args->host->vhosts);
  if (hostnames)
    g_message ("Vulnerability scan %s started for host: %s (Vhosts: %s)",
               globals->scan_id, ip_str, hostnames);
  else
    g_message ("Vulnerability scan %s started for host: %s", globals->scan_id,
               ip_str);
  g_free (hostnames);
  attack_host (globals, &hostip, args);
  kb_lnk_reset (main_kb);
 
  if (!scan_is_stopped ())
    {
      struct timeval now;
 
      gettimeofday (&now, NULL);
      if (now.tv_usec < then.tv_usec)
        {
          then.tv_sec++;
          now.tv_usec += 1000000;
        }
      g_message (
        "Vulnerability scan %s finished for host %s in %ld.%.2ld seconds",
        globals->scan_id, ip_str, (long) (now.tv_sec - then.tv_sec),
        (long) ((now.tv_usec - then.tv_usec) / 10000));
    }
}

References attack_host(), check_host_authorization(), get_main_kb(), attack_start_args::globals, attack_start_args::host, attack_start_args::host_kb, attack_start_args::ipc_context, ipcc, kb_item_set_str_with_main_kb_check(), main_kb, message_to_client(), scan_globals::scan_id, scan_is_stopped(), set_kb_readable(), timeval(), and vhosts_to_str().

Referenced by attack_network().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ check_deprecated_prefs()

static void check_deprecated_prefs ( void )

static

Check if any deprecated prefs are in pref table and print warning.

Definition at line 819 of file attack.c.

{
  const gchar *source_iface = prefs_get ("source_iface");
  const gchar *ifaces_allow = prefs_get ("ifaces_allow");
  const gchar *ifaces_deny = prefs_get ("ifaces_deny");
  const gchar *sys_ifaces_allow = prefs_get ("sys_ifaces_allow");
  const gchar *sys_ifaces_deny = prefs_get ("sys_ifaces_deny");
 
  if (source_iface || ifaces_allow || ifaces_deny || sys_ifaces_allow
      || sys_ifaces_deny)
    {
      kb_t main_kb = NULL;
      gchar *msg = NULL;
 
      msg = g_strdup_printf (
        "The following provided settings are deprecated since the 22.4 "
        "release and will be ignored: %s%s%s%s%s",
        source_iface ? "source_iface (task setting) " : "",
        ifaces_allow ? "ifaces_allow (user setting) " : "",
        ifaces_deny ? "ifaces_deny (user setting) " : "",
        sys_ifaces_allow ? "sys_ifaces_allow (scanner only setting) " : "",
        sys_ifaces_deny ? "sys_ifaces_deny (scanner only setting)" : "");
      g_warning ("%s: %s", __func__, msg);
 
      connect_main_kb (&main_kb);
      message_to_client (main_kb, msg, NULL, NULL, "ERRMSG");
      kb_lnk_reset (main_kb);
      g_free (msg);
    }
}

References connect_main_kb(), main_kb, and message_to_client().

Referenced by attack_network().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ check_host_authorization()

static int check_host_authorization	(	gvm_host_t *	host,
		const struct in6_addr *	addr
	)

static

Definition at line 888 of file attack.c.

{
  gvm_hosts_t *hosts_allow, *hosts_deny;
  gvm_hosts_t *sys_hosts_allow, *sys_hosts_deny;
 
  /* Do we have the right to test this host ? */
  hosts_allow = gvm_hosts_new (prefs_get ("hosts_allow"));
  hosts_deny = gvm_hosts_new (prefs_get ("hosts_deny"));
  if (!host_authorized (host, addr, hosts_allow, hosts_deny))
    return -1;
 
  sys_hosts_allow = gvm_hosts_new (prefs_get ("sys_hosts_allow"));
  sys_hosts_deny = gvm_hosts_new (prefs_get ("sys_hosts_deny"));
  if (!host_authorized (host, addr, sys_hosts_allow, sys_hosts_deny))
    return -2;
 
  gvm_hosts_free (hosts_allow);
  gvm_hosts_free (hosts_deny);
  gvm_hosts_free (sys_hosts_allow);
  gvm_hosts_free (sys_hosts_deny);
  return 0;
}

References host_authorized().

Referenced by attack_start().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ check_kb_access()

static int check_kb_access ( void )

static

Definition at line 1139 of file attack.c.

{
  int rc;
  kb_t kb;
 
  rc = kb_new (&kb, prefs_get ("db_address"));
  if (rc)
    report_kb_failure (rc);
  else
    kb_delete (kb);
 
  return rc;
}

References report_kb_failure().

Referenced by attack_network().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ comm_send_status()

static int comm_send_status	(	kb_t	main_kb,
		char *	ip_str,
		int	curr,
		int	max
	)

static

Sends the progress status of of a host's scan.

Status format "current_host/launched/total". Current host is the ip_str of the current host which is vulnerability tested. Launched is the number of plguins(VTs) which got already started. Total is the total number of plugins which will be started for the current host.

Parameters

main_kb	Kb to use.
ip_str	str representation of host ip
curr	Currently launched plugins (VTs) for the host
max	Maximum number of plugins which will be launched for the host

Returns: 0 on success, -1 on error.

Definition at line 204 of file attack.c.

{
  char status_buf[2048];
 
  if (!ip_str || !main_kb)
    return -1;
 
  if (strlen (ip_str) > (sizeof (status_buf) - 50))
    return -1;
 
  snprintf (status_buf, sizeof (status_buf), "%s/%d/%d", ip_str, curr, max);
  kb_item_push_str_with_main_kb_check (main_kb, "internal/status", status_buf);
  kb_lnk_reset (main_kb);
 
  return 0;
}

References kb_item_push_str_with_main_kb_check(), main_kb, and max.

Referenced by attack_host(), and Ensure().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ comm_send_status_host_dead()

static int comm_send_status_host_dead	(	kb_t	main_kb,
		char *	ip_str
	)

static

Send status to the client that the host is dead.

Originally the progress status is of the format "current_host/launched/total". Current host is the ip_str of the current host which is vulnerability tested. Launched is the number of plguins(VTs) which got already started. Total is the total number of plugins which will be started for the current host. But here we use the format "current_host/0/-1" for implicit singalling that the host is dead.

Parameters

main_kb	Kb to use
ip_str	str representation of host ip

Returns: 0 on success, -1 on failure.

Definition at line 170 of file attack.c.

{
  // implicit status code. Originally launched/total plugins
  const gchar *host_dead_status_code = "0/-1";
  const gchar *topic = "internal/status";
  gchar *status;
 
  // exact same restriction as comm_send_status() just to make it consistent
  if (strlen (ip_str) > 1998)
    return -1;
  status = g_strjoin ("/", ip_str, host_dead_status_code, NULL);
  kb_item_push_str_with_main_kb_check (main_kb, topic, status);
  g_free (status);
 
  return 0;
}

References kb_item_push_str_with_main_kb_check(), and main_kb.

Referenced by attack_host().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ connect_main_kb()

static int connect_main_kb ( kb_t * main_kb )

static

Connect to the main kb. Must be released with kb_lnk_reset() after use.

Parameters

[out] main_kb The connection to the kb.

Returns: 0 on success, -1 on failure.

Definition at line 95 of file attack.c.

{
  int i = atoi (prefs_get ("ov_maindbid"));
 
  *main_kb = kb_direct_conn (prefs_get ("db_address"), i);
  if (main_kb)
    {
      return 0;
    }
 
  g_warning ("Not possible to get the main kb connection.");
  return -1;
}

References main_kb.

Referenced by attack_network(), check_deprecated_prefs(), scan_stop_cleanup(), set_kb_readable(), and set_scan_status().

Here is the caller graph for this function:

◆ fork_sleep()

static void fork_sleep ( int n )

static

Definition at line 247 of file attack.c.

{
  time_t then, now;
 
  now = then = time (NULL);
  while (now - then < n)
    {
      waitpid (-1, NULL, WNOHANG);
      usleep (10000);
      now = time (NULL);
    }
}

Referenced by attack_host(), and attack_network().

Here is the caller graph for this function:

◆ get_alive_detection_tid()

static pthread_t get_alive_detection_tid ( )

static

Definition at line 1162 of file attack.c.

{
  return alive_detection_tid;
}

References alive_detection_tid.

Referenced by attack_network(), and scan_stop_cleanup().

Here is the caller graph for this function:

◆ handle_scan_stop_signal()

static void handle_scan_stop_signal ( )

static

Definition at line 1188 of file attack.c.

{
  global_scan_stop = 1;
}

References global_scan_stop.

Referenced by attack_network().

Here is the caller graph for this function:

◆ host_authorized()

static int host_authorized	(	const gvm_host_t *	host,
		const struct in6_addr *	addr,
		const gvm_hosts_t *	hosts_allow,
		const gvm_hosts_t *	hosts_deny
	)

static

Definition at line 863 of file attack.c.

{
  /* Check Hosts Access. */
  if (host == NULL)
    return 0;
 
  if (hosts_deny && gvm_host_in_hosts (host, addr, hosts_deny))
    return 0;
  if (hosts_allow && !gvm_host_in_hosts (host, addr, hosts_allow))
    return 0;
 
  return 1;
}

Referenced by check_host_authorization().

Here is the caller graph for this function:

◆ launch_plugin()

static int launch_plugin	(	struct scan_globals *	globals,
		struct scheduler_plugin *	plugin,
		struct in6_addr *	ip,
		GSList *	vhosts,
		struct attack_start_args *	args
	)

static

Launches a nvt. Respects safe check preference (i.e. does not try.

destructive nvt if save_checks is yes).

Does not launch a plugin twice if !save_kb_replay.

Returns: ERR_HOST_DEAD if host died, ERR_CANT_FORK if forking failed, ERR_NO_FREE_SLOT if the process table is full, 0 otherwise.

Definition at line 525 of file attack.c.

{
  int optimize = prefs_get_bool ("optimize_test");
  int launch_error, pid, ret = 0;
  char *oid, *name, *error = NULL, ip_str[INET6_ADDRSTRLEN];
  nvti_t *nvti;
 
  kb_lnk_reset (get_main_kb ());
  addr6_to_str (ip, ip_str);
  oid = plugin->oid;
  nvti = nvticache_get_nvt (oid);
 
  /* eg. When NVT was moved/removed by a feed update during the scan. */
  if (!nvti)
    {
      g_message ("Plugin '%s' missing from nvticache.", oid);
      plugin->running_state = PLUGIN_STATUS_DONE;
      goto finish_launch_plugin;
    }
  if (scan_is_stopped ())
    {
      plugin->running_state = PLUGIN_STATUS_DONE;
      goto finish_launch_plugin;
    }
 
  if (prefs_get_bool ("safe_checks")
      && !nvti_category_is_safe (nvti_category (nvti)))
    {
      if (prefs_get_bool ("log_whole_attack"))
        {
          name = nvticache_get_filename (oid);
          g_message ("Not launching %s (%s) against %s because safe checks are"
                     " enabled (this is not an error)",
                     name, oid, ip_str);
          g_free (name);
        }
      plugin->running_state = PLUGIN_STATUS_DONE;
      goto finish_launch_plugin;
    }
 
  /* Do not launch NVT if mandatory key is missing (e.g. an important tool
   * was not found). */
  if (!mandatory_requirements_met (args->host_kb, nvti))
    error = "because a mandatory key is missing";
  if (error
      || (optimize && (error = requirements_plugin (args->host_kb, nvti))))
    {
      plugin->running_state = PLUGIN_STATUS_DONE;
      if (prefs_get_bool ("log_whole_attack"))
        {
          name = nvticache_get_filename (oid);
          g_message (
            "Not launching %s (%s) against %s %s (this is not an error)", name,
            oid, ip_str, error);
          g_free (name);
        }
      goto finish_launch_plugin;
    }
 
  /* Stop the test if the host is 'dead' */
  if (kb_item_get_int (args->host_kb, "Host/dead") > 0)
    {
      g_message ("The remote host %s is dead", ip_str);
      pluginlaunch_stop ();
      plugin->running_state = PLUGIN_STATUS_DONE;
      ret = ERR_HOST_DEAD;
      goto finish_launch_plugin;
    }
 
  /* Update vhosts list and start the plugin */
  if (procs_get_ipc_contexts () != NULL)
    {
      for (int i = 0; i < procs_get_ipc_contexts ()->len; i++)
        {
          read_ipc (&procs_get_ipc_contexts ()->ctxs[i]);
        }
    }
  launch_error = 0;
  pid = plugin_launch (globals, plugin, ip, vhosts, args->host_kb,
                       get_main_kb (), nvti, &launch_error);
  if (launch_error == ERR_NO_FREE_SLOT || launch_error == ERR_CANT_FORK)
    {
      plugin->running_state = PLUGIN_STATUS_UNRUN;
      ret = launch_error;
      goto finish_launch_plugin;
    }
 
  if (prefs_get_bool ("log_whole_attack"))
    {
      name = nvticache_get_filename (oid);
      g_message ("Launching %s (%s) against %s [%d]", name, oid, ip_str, pid);
      g_free (name);
    }
 
finish_launch_plugin:
  nvti_free (nvti);
  return ret;
}

References ERR_CANT_FORK, ERR_HOST_DEAD, ERR_NO_FREE_SLOT, get_main_kb(), attack_start_args::host_kb, ipc_contexts::len, mandatory_requirements_met(), name, nvti_category_is_safe(), oid, scheduler_plugin::oid, pid, plugin_launch(), PLUGIN_STATUS_DONE, PLUGIN_STATUS_UNRUN, pluginlaunch_stop(), procs_get_ipc_contexts(), read_ipc(), requirements_plugin(), scheduler_plugin::running_state, and scan_is_stopped().

Referenced by attack_host().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ message_to_client()

static void message_to_client	(	kb_t	kb,
		const char *	msg,
		const char *	ip_str,
		const char *	port,
		const char *	type
	)

static

Definition at line 222 of file attack.c.

{
  char *buf;
 
  buf = g_strdup_printf ("%s|||%s|||%s|||%s||| |||%s", type,
                         ip_str ? ip_str : "", ip_str ? ip_str : "",
                         port ? port : " ", msg ? msg : "No error.");
  kb_item_push_str_with_main_kb_check (kb, "internal/results", buf);
  g_free (buf);
}

References kb_item_push_str_with_main_kb_check(), and ipc_context::type.

Referenced by attack_network(), attack_start(), and check_deprecated_prefs().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ nvti_category_is_safe()

static int nvti_category_is_safe ( int category )

static

Checks that an NVT category is safe.

Parameters

category Category to check.

Returns: 0 if category is unsafe, 1 otherwise.

Definition at line 280 of file attack.c.

{
  /* XXX: Duplicated from openvas/nasl. */
  if (category == ACT_DESTRUCTIVE_ATTACK || category == ACT_KILL_HOST
      || category == ACT_FLOOD || category == ACT_DENIAL)
    return 0;
  return 1;
}

References ACT_DENIAL, ACT_DESTRUCTIVE_ATTACK, ACT_FLOOD, and ACT_KILL_HOST.

Referenced by launch_plugin().

Here is the caller graph for this function:

◆ process_ipc_data()

static void process_ipc_data ( const gchar * result )

static

Definition at line 454 of file attack.c.

{
  ipc_data_t *idata;
 
  if ((idata = ipc_data_from_json (result, strlen (result))) != NULL)
    {
      switch (ipc_get_data_type_from_data (idata))
        {
        case IPC_DT_ERROR:
          g_warning ("%s: Unknown data type.", __func__);
          break;
        case IPC_DT_HOSTNAME:
          if (ipc_get_hostname_from_data (idata) == NULL)
            g_warning ("%s: ihost data is NULL ignoring new vhost", __func__);
          else
            append_vhost (ipc_get_hostname_from_data (idata),
                          ipc_get_hostname_source_from_data (idata));
          break;
        case IPC_DT_USER_AGENT:
          if (ipc_get_user_agent_from_data (idata) == NULL)
            g_warning ("%s: iuser_agent data is NULL, ignoring new user agent",
                       __func__);
          else
            {
              gchar *old_ua = NULL;
              old_ua = user_agent_set (ipc_get_user_agent_from_data (idata));
              g_debug ("%s: The User-Agent %s has been overwritten with %s",
                       __func__, old_ua, ipc_get_user_agent_from_data (idata));
              g_free (old_ua);
            }
          break;
        }
      ipc_data_destroy (&idata);
    }
}

References append_vhost(), ipc_data_destroy(), ipc_data_from_json(), IPC_DT_ERROR, IPC_DT_HOSTNAME, IPC_DT_USER_AGENT, ipc_get_data_type_from_data(), ipc_get_hostname_from_data(), ipc_get_hostname_source_from_data(), ipc_get_user_agent_from_data(), and user_agent_set().

Referenced by read_ipc().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ read_ipc()

static void read_ipc ( struct ipc_context * ctx )

static

Definition at line 491 of file attack.c.

{
  char *results;
 
  while ((results = ipc_retrieve (ctx, IPC_MAIN)) != NULL)
    {
      int len = 0;
      int pos = 0;
      for (int j = 0; results[j] != '\0'; j++)
        if (results[j] == '}')
          {
            gchar *message = NULL;
            len = j - pos + 1;
            message = g_malloc0 (sizeof (gchar) * (len + 1));
            memcpy (message, &results[pos], len);
            pos = j + 1;
            len = 0;
            process_ipc_data (message);
            g_free (message);
          }
    }
  g_free (results);
}

References IPC_MAIN, ipc_retrieve(), len, and process_ipc_data().

Referenced by launch_plugin().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ report_kb_failure()

static void report_kb_failure ( int errcode )

static

Definition at line 235 of file attack.c.

{
  gchar *msg;
 
  errcode = abs (errcode);
  msg = g_strdup_printf ("WARNING: Cannot connect to KB at '%s': %s'",
                         prefs_get ("db_address"), strerror (errcode));
  g_warning ("%s", msg);
  g_free (msg);
}

Referenced by attack_network(), and check_kb_access().

Here is the caller graph for this function:

◆ run_table_driven_lsc()

static int run_table_driven_lsc	(	const char *	scan_id,
		kb_t	kb,
		const char *	ip_str,
		const char *	hostname
	)

static

Publish the necessary data to start a Table driven LSC scan.

If the gather-package-list.nasl plugin was launched, and it generated a valid package list for a supported OS, the table driven LSC scan which is subscribed to the topic will perform a scan an publish the the results to be handle by the sensor/client.

Parameters

scan_id	Scan Id.
kb
ip_str	IP string of host.
hostname	Name of host.

Returns: 0 on success, less than 0 on error.

Definition at line 331 of file attack.c.

{
  gchar *json_str;
  gchar *package_list;
  gchar *os_release;
  gchar *topic;
  gchar *payload;
  gchar *status = NULL;
  int topic_len;
  int payload_len;
  int err = 0;
 
  // Subscribe to status topic
  err = mqtt_subscribe ("scanner/status");
  if (err)
    {
      g_warning ("%s: Error starting lsc. Unable to subscribe", __func__);
      return -1;
    }
  /* Get the OS release. TODO: have a list with supported OS. */
 
  os_release = kb_item_get_str (kb, "ssh/login/release_notus");
  /* Get the package list. Currently only rpm support */
  package_list = kb_item_get_str (kb, "ssh/login/package_list_notus");
  if (!os_release || !package_list)
    return 0;
 
  json_str = make_table_driven_lsc_info_json_str (scan_id, ip_str, hostname,
                                                  os_release, package_list);
  g_free (package_list);
  g_free (os_release);
 
  // Run table driven lsc
  if (json_str == NULL)
    return -1;
 
  g_message ("Running Notus for %s", ip_str);
  err = mqtt_publish ("scanner/package/cmd/notus", json_str);
  if (err)
    {
      g_warning ("%s: Error publishing message for Notus.", __func__);
      g_free (json_str);
      return -1;
    }
 
  g_free (json_str);
 
  // Wait for Notus scanner to start or interrupt
  while (!status)
    {
      err = mqtt_retrieve_message (&topic, &topic_len, &payload, &payload_len,
                                   60000);
      if (err == -1 || err == 1)
        {
          g_warning ("%s: Unable to retrieve status message from notus. %s",
                     __func__, err == 1 ? "Timeout after 60 s." : "");
          return -1;
        }
 
      // Get status if it belongs to corresponding scan and host
      // Else wait for next status message
      status = get_status_of_table_driven_lsc_from_json (scan_id, ip_str,
                                                         payload, payload_len);
 
      g_free (topic);
      g_free (payload);
    }
  // If started wait for it to finish or interrupt
  if (!g_strcmp0 (status, "running"))
    {
      g_debug ("%s: table driven LSC with scan id %s successfully started "
               "for host %s",
               __func__, scan_id, ip_str);
      g_free (status);
      status = NULL;
      while (!status)
        {
          err = mqtt_retrieve_message (&topic, &topic_len, &payload,
                                       &payload_len, 60000);
          if (err == -1)
            {
              g_warning ("%s: Unable to retrieve status message from notus.",
                         __func__);
              return -1;
            }
          if (err == 1)
            {
              g_warning ("%s: Unablet to retrieve message. Timeout after 60s.",
                         __func__);
              return -1;
            }
 
          status = get_status_of_table_driven_lsc_from_json (
            scan_id, ip_str, payload, payload_len);
          g_free (topic);
          g_free (payload);
        }
    }
  else
    {
      g_warning ("%s: Unable to start lsc. Got status: %s", __func__, status);
      g_free (status);
      return -1;
    }
 
  if (g_strcmp0 (status, "finished"))
    {
      g_warning (
        "%s: table driven lsc with scan id %s did not finish successfully "
        "for host %s. Last status was %s",
        __func__, scan_id, ip_str, status);
      err = -1;
    }
  else
    g_debug ("%s: table driven lsc with scan id %s successfully finished "
             "for host %s",
             __func__, scan_id, ip_str);
  g_free (status);
  return err;
}

References get_status_of_table_driven_lsc_from_json(), hostname, make_table_driven_lsc_info_json_str(), payload, and scan_id.

Referenced by attack_host().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ scan_is_stopped()

static int scan_is_stopped ( void )

static

Definition at line 265 of file attack.c.

{
  if (global_scan_stop == 1)
    scan_stop_cleanup ();
  return global_scan_stop;
}

References global_scan_stop, and scan_stop_cleanup().

Referenced by attack_host(), attack_network(), attack_start(), and launch_plugin().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ scan_stop_cleanup()

static void scan_stop_cleanup ( void )

static

Definition at line 1194 of file attack.c.

{
  kb_t main_kb = NULL;
  char *pid;
  static int already_called = 0;
 
  if (already_called == 1)
    return;
 
  connect_main_kb (&main_kb);
  pid = kb_item_get_str (main_kb, ("internal/ovas_pid"));
  kb_lnk_reset (main_kb);
 
  /* Stop all hosts and alive detection (if enabled) if we are in main.
   * Else stop all running plugin processes for the current host fork. */
  if (pid && (atoi (pid) == getpid ()))
    {
      already_called = 1;
      hosts_stop_all ();
 
      /* Stop (cancel) alive detection if enabled and not already joined. */
      if (prefs_get_bool ("test_alive_hosts_only"))
        {
          /* Alive detection thread was already joined by main thread. */
          if (TRUE == ad_thread_joined (FALSE))
            {
              g_warning (
                "Alive detection thread was already joined by other "
                "thread. Cancel operation not permitted or not needed.");
            }
          else
            {
              int err;
              err = pthread_cancel (get_alive_detection_tid ());
              if (err == ESRCH)
                g_warning (
                  "%s: pthread_cancel() returned ESRCH; No thread with the "
                  "supplied ID could be found.",
                  __func__);
            }
        }
    }
  else
    /* Current host process */
    pluginlaunch_stop ();
 
  g_free (pid);
}

References ad_thread_joined(), connect_main_kb(), get_alive_detection_tid(), hosts_stop_all(), main_kb, pid, and pluginlaunch_stop().

Referenced by scan_is_stopped().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ set_alive_detection_tid()

static void set_alive_detection_tid ( pthread_t tid )

static

Definition at line 1157 of file attack.c.

{
  alive_detection_tid = tid;
}

References alive_detection_tid.

Referenced by attack_network().

Here is the caller graph for this function:

◆ set_kb_readable()

static void set_kb_readable ( int host_kb_index )

static

Add the Host KB index to the list of readable KBs used by ospd-openvas.

Parameters

host_kb_index The Kb index used for the host, to be stored in a list key in the main_kb.

Definition at line 117 of file attack.c.

{
  kb_t main_kb = NULL;
 
  connect_main_kb (&main_kb);
  kb_item_add_int_unique_with_main_kb_check (main_kb, "internal/dbindex",
                                             host_kb_index);
  kb_lnk_reset (main_kb);
}

References connect_main_kb(), kb_item_add_int_unique_with_main_kb_check(), and main_kb.

Referenced by attack_start().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ set_scan_status()

static void set_scan_status ( char * status )

static

Set scan status. This helps ospd-openvas to identify if a scan crashed or finished cleanly.

Parameters

[in] status Status to set.

Definition at line 134 of file attack.c.

{
  kb_t main_kb = NULL;
  char buffer[96];
  char *scan_id = NULL;
 
  connect_main_kb (&main_kb);
 
  if (check_kb_inconsistency (main_kb) != 0)
    {
      kb_lnk_reset (main_kb);
      return;
    }
  scan_id = kb_item_get_str (main_kb, ("internal/scanid"));
  snprintf (buffer, sizeof (buffer), "internal/%s", scan_id);
  kb_item_set_str_with_main_kb_check (main_kb, buffer, status, 0);
  kb_lnk_reset (main_kb);
  g_free (scan_id);
}

References check_kb_inconsistency(), connect_main_kb(), kb_item_set_str_with_main_kb_check(), main_kb, and scan_id.

Referenced by attack_network().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ vhosts_to_str()

static char * vhosts_to_str ( GSList * list )

static

Definition at line 796 of file attack.c.

{
  GString *string;
 
  if (!list)
    return NULL;
  string = g_string_new (((gvm_vhost_t *) list->data)->value);
  if (g_slist_length (list) == 1)
    return g_string_free (string, FALSE);
  list = list->next;
  while (list)
    {
      g_string_append (string, ", ");
      g_string_append (string, ((gvm_vhost_t *) list->data)->value);
      list = list->next;
    }
  return g_string_free (string, FALSE);
}

References list::next.

Referenced by attack_start().

Here is the caller graph for this function:

Variable Documentation

◆ alive_detection_tid

pthread_t alive_detection_tid

static

Definition at line 1154 of file attack.c.

Referenced by get_alive_detection_tid(), and set_alive_detection_tid().

◆ global_scan_stop

int global_scan_stop = 0

Definition at line 260 of file attack.c.

Referenced by handle_scan_stop_signal(), hosts_new(), hosts_stop_all(), and scan_is_stopped().

◆ host_kb

kb_t host_kb = NULL

static

Definition at line 289 of file attack.c.

Referenced by attack_host(), and check_duplicated_vhost().

◆ host_vhosts

GSList* host_vhosts = NULL

static

Definition at line 290 of file attack.c.

Referenced by append_vhost(), and attack_host().

Data Structures

Macros

Functions

Variables

Detailed Description

Macro Definition Documentation

◆ ERR_HOST_DEAD

◆ G_LOG_DOMAIN

◆ INVALID_TARGET_LIST

◆ KB_RETRY_DELAY

◆ MAX_FORK_RETRIES

Function Documentation

◆ ad_thread_joined()

◆ append_vhost()

◆ apply_hosts_excluded()

◆ apply_hosts_preferences_ordering()

◆ apply_hosts_reverse_lookup_preferences()

◆ attack_host()

◆ attack_network()

◆ attack_start()

◆ check_deprecated_prefs()

◆ check_host_authorization()

◆ check_kb_access()

◆ comm_send_status()

◆ comm_send_status_host_dead()

◆ connect_main_kb()

◆ fork_sleep()

◆ get_alive_detection_tid()

◆ handle_scan_stop_signal()

◆ host_authorized()

◆ launch_plugin()

◆ message_to_client()

◆ nvti_category_is_safe()

◆ process_ipc_data()

◆ read_ipc()

◆ report_kb_failure()

◆ run_table_driven_lsc()

◆ scan_is_stopped()

◆ scan_stop_cleanup()

◆ set_alive_detection_tid()

◆ set_kb_readable()

◆ set_scan_status()

◆ vhosts_to_str()

Variable Documentation

◆ alive_detection_tid

◆ global_scan_stop

◆ host_kb

◆ host_vhosts