Bug 13466 - segfault while parsing multiple -g arguments
segfault while parsing multiple -g arguments
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: traceroute (Show other bugs)
6.2
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Crutcher Dunnavant
: Security
: 9541 18466 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-07-04 07:56 EDT by Pekka Savola
Modified: 2008-05-01 11:37 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-10-08 04:58:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch against segfault w/ multiple source route gateways defined (475 bytes, patch)
2000-07-07 17:45 EDT, Pekka Savola
no flags Details | Diff
Fixes traceroute to drop privs even sooner (2.42 KB, patch)
2000-07-17 19:20 EDT, Chris Evans
no flags Details | Diff

  None (edit)
Description Pekka Savola 2000-07-04 07:56:37 EDT
If you try to use traceroute with multiple -g arguments (said to be
supported in the man page, too!), traceroute will die in a segmentation
fault right in the beginning.

Because traceroute is setuid root, this is of some concern..
Comment 1 Pekka Savola 2000-07-07 17:45:53 EDT
Created attachment 938 [details]
Patch against segfault w/ multiple source route gateways defined
Comment 2 Chris Evans 2000-07-08 19:21:33 EDT
Oh dear - what genuinely terrible code in traceroute
Luckily it doesn't look too exploitable. The actual segfault is free() on a
pointer which wasn't allocated with malloc().
Can I suggest another fix - remove savestr() and replace with strdup().
savestr() is only used by a few places.
Worse, the concept of savestr() looks broken. The code comment says it is there
to "reduce malloc() overhead incurred by strdup()". That's a horrendous case of
a programmer inventing a problem. savestr() is only used a few times. As if a
few malloc() calls make a discernible difference in a program like traceroute!!
If only programmers would base their code on real-world measurements rather than
guessing.... :-)
Comment 3 Chris Evans 2000-07-08 19:22:56 EDT
FYI, Bill
Comment 4 Preston Brown 2000-07-10 11:01:10 EDT
fixed in rawhide now.
Comment 5 Chris Evans 2000-07-17 19:18:34 EDT
About to include safety patch...
Comment 6 Chris Evans 2000-07-17 19:20:46 EDT
Created attachment 1247 [details]
Fixes traceroute to drop privs even sooner
Comment 7 Chris Evans 2000-07-17 19:24:20 EDT
Oooh... this attachment thing is cool ;-)
Patch tested to extend of compile and brief play. I'm not the world's most
demanding traceroute user, though.
I consider the patch well worth applying. The original "-g" flaw segfaults
_before_ root privs were dropped - very dangerous! This patch makes privs get
dropped immediately after obtaining the raw sockets at the top of main().
Any problems with the patch - let me know and they'll get fixed. Reopening the
bug just to be a pain!
Comment 8 Pekka Savola 2000-07-18 17:37:59 EDT
[ mainly to Chris ]

By the way, a RH62 report #9541 has a link to similar, but perhaps a little more
primitive privilege-dropping patch.  If you haven't checked it out yet, you
might want to take a look at that.



Comment 9 Chris Evans 2000-07-18 18:23:09 EDT
Thanks, and well spotted. The patch is very similar. Either patch would be a
useful addition to Rawhide ;-)
Comment 10 Jeff Johnson 2000-07-18 23:42:39 EDT
*** Bug 9541 has been marked as a duplicate of this bug. ***
Comment 11 Jeff Johnson 2000-07-18 23:46:13 EDT
Fixed (by applying patch) in tarceroute-1.4a5-23. Thanks for the patch.,
comments, and pointers.
Comment 12 Jeff Johnson 2000-10-08 04:59:59 EDT
Fixed for Red Hat 6.x and 5.x as well.
Comment 13 Jeff Johnson 2000-10-08 05:00:35 EDT
*** Bug 18466 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.