15917 – Maksimum packetlength checked badly (Local DoS)

Bug 15917 - Maksimum packetlength checked badly (Local DoS)

Summary: Maksimum packetlength checked badly (Local DoS)

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	traceroute
Sub Component:
Version:	6.2
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Crutcher Dunnavant
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2000-08-10 12:40 UTC by Need Real Name
Modified:	2008-05-01 15:37 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2000-08-14 07:46:37 UTC
Embargoed:

Attachments	(Terms of Use)

Description Need Real Name 2000-08-10 12:40:29 UTC

If you give packet length with (second) command line parameter, the
traceroute checks the maximum size of packet before assigning the given
value to variable. So you can get traceroute to allocate huge block of
memory, and becouse traceroute is suid program ulimits of users don't
affect. => Normal user can use all of the memory and makes the machine
swapping.

Patchfile and fixed source- and binary-rpm-file is available at
http://vernon.teraflops.com/rpm/

Ari Saastamoinen

Comment 1 Pekka Savola 2000-08-14 07:46:35 UTC

This happens in RHL 7.0 beta too.  It drops the privileges earlier though.

Comment 2 Jeff Johnson 2000-10-04 19:22:22 UTC

Fixed (by adding patch) in traceroute-1.4a5-24. Thanks for the patch.

Note You need to log in before you can comment on or make changes to this bug.