Bug 13466 - segfault while parsing multiple -g arguments
Summary: segfault while parsing multiple -g arguments
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: traceroute
Version: 6.2
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Crutcher Dunnavant
QA Contact:
URL:
Whiteboard:
Keywords: Security
: 9541 18466 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-07-04 11:56 UTC by Pekka Savola
Modified: 2008-05-01 15:37 UTC (History)
3 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2000-10-08 08:58:33 UTC

Attachments (Terms of Use)
Patch against segfault w/ multiple source route gateways defined (475 bytes, patch)
2000-07-07 21:45 UTC, Pekka Savola 		no flags Details | Diff
Fixes traceroute to drop privs even sooner (2.42 KB, patch)
2000-07-17 23:20 UTC, Chris Evans 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)

Description Pekka Savola 2000-07-04 11:56:37 UTC 
If you try to use traceroute with multiple -g arguments (said to be
supported in the man page, too!), traceroute will die in a segmentation
fault right in the beginning.

Because traceroute is setuid root, this is of some concern..
Comment 1 Pekka Savola 2000-07-07 21:45:53 UTC 
Created attachment 938 [details]
Patch against segfault w/ multiple source route gateways defined
Comment 2 Chris Evans 2000-07-08 23:21:33 UTC 
Oh dear - what genuinely terrible code in traceroute
Luckily it doesn't look too exploitable. The actual segfault is free() on a
pointer which wasn't allocated with malloc().
Can I suggest another fix - remove savestr() and replace with strdup().
savestr() is only used by a few places.
Worse, the concept of savestr() looks broken. The code comment says it is there
to "reduce malloc() overhead incurred by strdup()". That's a horrendous case of
a programmer inventing a problem. savestr() is only used a few times. As if a
few malloc() calls make a discernible difference in a program like traceroute!!
If only programmers would base their code on real-world measurements rather than
guessing.... :-)
Comment 3 Chris Evans 2000-07-08 23:22:56 UTC 
FYI, Bill
Comment 4 Preston Brown 2000-07-10 15:01:10 UTC 
fixed in rawhide now.
Comment 5 Chris Evans 2000-07-17 23:18:34 UTC 
About to include safety patch...
Comment 6 Chris Evans 2000-07-17 23:20:46 UTC 
Created attachment 1247 [details]
Fixes traceroute to drop privs even sooner
Comment 7 Chris Evans 2000-07-17 23:24:20 UTC 
Oooh... this attachment thing is cool ;-)
Patch tested to extend of compile and brief play. I'm not the world's most
demanding traceroute user, though.
I consider the patch well worth applying. The original "-g" flaw segfaults
_before_ root privs were dropped - very dangerous! This patch makes privs get
dropped immediately after obtaining the raw sockets at the top of main().
Any problems with the patch - let me know and they'll get fixed. Reopening the
bug just to be a pain!
Comment 8 Pekka Savola 2000-07-18 21:37:59 UTC 
[ mainly to Chris ]

By the way, a RH62 report #9541 has a link to similar, but perhaps a little more
primitive privilege-dropping patch.  If you haven't checked it out yet, you
might want to take a look at that.
Comment 9 Chris Evans 2000-07-18 22:23:09 UTC 
Thanks, and well spotted. The patch is very similar. Either patch would be a
useful addition to Rawhide ;-)
Comment 10 Jeff Johnson 2000-07-19 03:42:39 UTC 
*** Bug 9541 has been marked as a duplicate of this bug. ***
Comment 11 Jeff Johnson 2000-07-19 03:46:13 UTC 
Fixed (by applying patch) in tarceroute-1.4a5-23. Thanks for the patch.,
comments, and pointers.
Comment 12 Jeff Johnson 2000-10-08 08:59:59 UTC 
Fixed for Red Hat 6.x and 5.x as well.
Comment 13 Jeff Johnson 2000-10-08 09:00:35 UTC 
*** Bug 18466 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.