Subject: FYI: Buffer overflow in traceroute
To: None <tech-security@NetBSD.ORG>
From: Erik E. Fair <fair@clock.org>
List: tech-security
Date: 06/13/1998 17:41:05
>Date: Sat, 13 Jun 1998 17:28:41 -0700 (PDT)
>From: Kevin Vajk <kvajk@ricochet.net>
>To: bugs@openbsd.org
>Subject: Buffer overflow in traceroute
>MIME-Version: 1.0
>Sender: owner-bugs@openbsd.org
>
>
>(Yes, I know it drops privileges immediately. But since it holds a raw
>socket, it's a security liability. Besides, this is really in some
>ways a remote attack, so it matters even to non-setuid programs.)
>
>On the newly-formed Linux security audit project I've been participating
>in, Chris Evans pointed out the danger of mistrusting information returned
>from remote nameservers. In particular, the h_length structure.
>
>Consider the following two lines from OpenBSD's traceroute.c:
> memcpy(&gateway[lsrr], hp->h_addr, hp->h_length);
>and
> memcpy(&to.sin_addr, hp->h_addr, hp->h_length);
>
>This is like using strncpy(), only the *remote* nameserver is dictating
>how many bytes to copy. It should be changed to use the sizeof operator,
>instead. Something like:
> memcpy(dest, hp->h_addr, sizeof(dest));
>
>(I recommend grep'ing for h_length on your source tree. We've been doing
>it for Linux, and it's depressing what's been turning up.)
>
>Anyhow, thanks for all your work on making OpenBSD so secure. It's a real
>inspiration. (And it's finally a proof-of-concept of the common-sense
>idea that proactive security really is the best.)
>
>Thanks!
>
>- Kevin Vajk
> <kvajk@ricochet.net>
>
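The fix Kevin sketches, shown as an added example that is not code from the mail, from OpenBSD's traceroute.c, or from the Linux audit project: the resolver's `h_length` is rejected unless it matches the destination field, and the copy length is always taken from the destination object (`sizeof(*dst)`, the size of the pointed-to `struct in_addr`, not of the pointer). The two `struct hostent` values and the function names (`copy_in_addr_checked`, `demo_good`, `demo_bad`, `demo_good_addr`) are constructed for this example; the oversized one stands in for a malformed resolver answer and would have made the unchecked `memcpy` write 64 bytes into a 4-byte field.

```c
/* Added example, not from the original mail: a bounds-checked replacement for
 * the unchecked memcpy(&to.sin_addr, hp->h_addr, hp->h_length) pattern. The
 * resolver fills hp->h_length from data that ultimately came from a remote
 * nameserver, so it is validated before it is used as a copy length. */
#include <string.h>
#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>

/* Returns 0 and fills *dst on success; -1 if the hostent does not describe an
 * IPv4 address of exactly the expected size. The copy length is sizeof(*dst),
 * never hp->h_length. h_addr_list[0] is used instead of the h_addr macro for
 * portability. */
int copy_in_addr_checked(struct in_addr *dst, const struct hostent *hp)
{
    if (hp == NULL || hp->h_addr_list == NULL || hp->h_addr_list[0] == NULL)
        return -1;
    if (hp->h_addrtype != AF_INET)                /* wrong family: reject */
        return -1;
    if (hp->h_length != (int)sizeof(*dst))        /* anything but 4 bytes: reject */
        return -1;
    memcpy(dst, hp->h_addr_list[0], sizeof(*dst));
    return 0;
}

/* Constructed data: what a well-behaved resolver would hand back. */
static unsigned char good_addr[4] = { 192, 0, 2, 1 };   /* 192.0.2.1, TEST-NET-1 */
static char *good_list[] = { (char *)good_addr, NULL };
struct hostent good_hostent = {
    .h_name = (char *)"example.test", .h_aliases = NULL,
    .h_addrtype = AF_INET, .h_length = 4, .h_addr_list = good_list,
};

/* Constructed data: a hostent with an oversized h_length, standing in for a
 * malformed answer. The unchecked memcpy would copy all 64 bytes into
 * the 4-byte sin_addr field. */
static unsigned char long_blob[64];
static char *bad_list[] = { (char *)long_blob, NULL };
struct hostent bad_hostent = {
    .h_name = (char *)"example.test", .h_aliases = NULL,
    .h_addrtype = AF_INET, .h_length = 64, .h_addr_list = bad_list,
};

/* Wrappers so each outcome can be checked without touching the globals. */
int demo_good(void) { struct in_addr a; return copy_in_addr_checked(&a, &good_hostent); }
int demo_bad(void)  { struct in_addr a; return copy_in_addr_checked(&a, &bad_hostent); }

/* Returns the copied address in host byte order, or 0 if the copy was refused. */
unsigned long demo_good_addr(void)
{
    struct in_addr a;
    if (copy_in_addr_checked(&a, &good_hostent) != 0)
        return 0;
    return (unsigned long)ntohl(a.s_addr);   /* 0xC0000201 for 192.0.2.1 */
}

int main(void)
{
    struct in_addr a;
    printf("well-formed answer: %s\n",
           copy_in_addr_checked(&a, &good_hostent) == 0 ? inet_ntoa(a) : "rejected");
    printf("oversized h_length: %s\n",
           copy_in_addr_checked(&a, &bad_hostent) == 0 ? inet_ntoa(a) : "rejected");
    return 0;
}
```

The same shape of check applies to the `&gateway[lsrr]` copy, and to any other place a `grep h_length` turns up: compare `h_addrtype` and `h_length` against the destination type before copying, and size the copy from the destination rather than from the resolver.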