Bug 2819 - autoroute patch introduces new bug
autoroute patch introduces new bug
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: traceroute (Show other bugs)
6.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jay Turner
:
: 3295 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 1999-05-14 10:16 EDT by roganov
Modified: 2015-01-07 18:37 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 1999-05-14 11:11:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description roganov 1999-05-14 10:16:13 EDT
Dear Friends !

We found a bug in a traceroute package, linked with a last
patch --
so called autoroute addition.

This bug involves 'Segmentation fault' when traceroute is
invoked
at computer having few network interfaces in a following
manner:

	traceroute host_not_in_eth2_inet -i eth2


The reason of this bug is a different representation of
original
code and new autoroute addition: new code assumes that 'al'
variable always contains a list of all interfaces, obtained
via call:
    (see file traceroute.c after all patch being applied)

	ifaddrlist(&al, errbuf);

But really original code changes 'al' pointer below, looking
for pointed device:

	/* Look for a specific device */
	if (device != NULL) {
		for (i = n; i > 0; --i, ++al)
			if (strcmp(device, al->device) == 0)
				break;
		if (i <= 0) {
			Fprintf(stderr, "%s: Can't find interface %s\n",
			    prog, device);
			exit(1);
		}
	}

As a result routine 'search_routing_table' is called of
inproper data
what leads to program crash.


We are currently using following changes for code:

<<<<<<<<<<<<<<<<
--- traceroute.c.old    Fri May 14 14:13:02 1999
+++ traceroute.c        Fri May 14 14:21:41 1999
@@ -348,7 +348,7 @@
        int tos = 0, settos = 0;
        register int lsrr = 0;
        register u_short off = 0;
-       struct ifaddrlist *al;
+       struct ifaddrlist *al, *al_orig;
        char errbuf[132];

        if ((cp = strrchr(argv[0], '/')) != NULL)
@@ -670,6 +670,7 @@

        /* Get the interface address list */
        n = ifaddrlist(&al, errbuf);
+       al_orig = al;
        if (n < 0) {
                Fprintf(stderr, "%s: ifaddrlist: %s\n",
prog, errbuf);
                exit(1);
@@ -700,7 +701,7 @@
                 * there is no match, default to using the
first
                 * interface found.
                 */
-               al = search_routing_table(to, al, n);
+               al = search_routing_table(to, al_orig, n);
                setsin(from, al->addr);
 #else
                /*
>>>>>>>>>>>>>

what is currently used in our
'traceroute-1.4a5-autoroute-bugfix.patch',
added to traceroute.spec file.
Comment 1 Jeff Johnson 1999-05-14 11:11:59 EDT
Fixed in traceroute-1.4a5-15. Thanks for the analysis and patch!
Comment 2 Jeff Johnson 1999-06-07 06:27:59 EDT
*** Bug 3295 has been marked as a duplicate of this bug. ***

The USE_KERNEL_ROUTING_TABLE patch to traceroute causes it
to segfault with used with -i. This is because the
ifaddrlist is searched for the interface you specify, but
then the search_routing_table() call continues the search at
the position in the list found by the previous search.
Consequently, the second search eventually runs right past
the end of the array in a vain attempt to find a unique
interface. This unintialized memory (zeroed in my case)
causes a segfault when a field of the run away pointer is
passed to a strcmp.

Because all this red tape sickens me, and because I have
better things to do than to wait around for a BUG ID to
submit a one line patch, I'm going to describe the fix here.
Right around line 703 you add:
if(device == NULL && n > 1)
 right before the call to search_routing_table()

Note You need to log in before you can comment on or make changes to this bug.