Bug 532346 - Missing check of the first ttl value
Summary: Missing check of the first ttl value
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: traceroute
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Dmitry Butskoy
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-11-01 19:36 UTC by vladz
Modified: 2009-11-03 18:41 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-11-03 18:41:27 UTC
Type: ---
Embargoed:



Description vladz 2009-11-01 19:36:15 UTC
Description of problem:
   A check is missing in the traceroute.c source file.

Version-Release number of selected component (if applicable):
   Bug is in package traceroute-2.0.12-3.fc12 but also in previous versions.

How reproducible:
   By setting min ttl value to 0.
   $ traceroute -f 0 <hostname or ip>

Actual results: 
   $ traceroute  -f 0 -q 3 www.devzero.fr
   traceroute to www.google.com (209.85.229.106), 30 hops max, 60 byte packets
   (209.85.229.106) <libc.so.6>  -0.000 ms <...non-writable string...>
                     ^^^                     ^^^

Expected results:
   Setting a min ttl (-f) of 0 must be forbidden, so program should exit with message "first hop out of range". 

Additional info:

In traceroute.c, "first_hop" attribute, which is the first ttl value of
the first packets sent by traceroute, is unsigned and equal to 1.

  79 static unsigned int first_hop = 1;

This default value can be overwritten by using the "-f" flag as argument:

 429         { "f", "first", "first_ttl", "Start from the %s hop (instead from 1)",
 430                         CLIF_set_uint, &first_hop, 0, 0 },

But the check that is made below on this value is not enough:

 559         if (first_hop > max_hops)
 560                 ex_error ("first hop out of range");

If "first_hop" is equal to 0, this check won't exit traceroute and later in
the "do_it" function, a signed integer ("start" attribute) will get a
negative value, which is not supposed to happen.

 902         int start = (first_hop - 1) * probes_per_hop;
 [...]
 915             for (n = start; n < end; n++) {
 916                 probe *pb = &probes[n];
 [...]
 930                         print_probe (pb);

On line 902, the default value for "probes_per_hop" is 3, so "start" will be
equal to -3. Then on line 916, "pb" will point to "probes[-3]", which is
outside of the real probes table structure. Later (line 930), the pointed
value is printed.

As the segment of printed memory (&probes[0] - (sizeof(*probes) * 3)) can be
controlled by using a different value of "probes_per_hop" (-q option), this
could maybe become a memory disclosure vulnerability when traceroute is installed
setuid-root, which is not the default.

This patch could fix this small bug:

--- traceroute-2.0.12.org/traceroute/traceroute.c       2008-09-17 15:30:22.000000000 +0200
+++ traceroute-2.0.12.new/traceroute/traceroute.c       2009-11-01 18:34:13.000000000 +0100
@@ -556,7 +556,7 @@
                        "is allowed for superuser only");


-       if (first_hop > max_hops)
+       if (!first_hop || first_hop > max_hops)
                ex_error ("first hop out of range");
        if (max_hops > MAX_HOPS)
                ex_error ("max hops cannot be more than " _TEXT(MAX_HOPS));
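Review bot: the new condition `!first_hop || first_hop > max_hops` closes the zero case, and because first_hop is unsigned there is no negative case left to cover, so `start = (first_hop - 1) * probes_per_hop` at line 902 can no longer wrap below 0; the one thing still missing is user-facing documentation of the accepted range, so consider updating the -f help text "Start from the %s hop (instead from 1)" to state that the value must lie between 1 and max_hops, matching the "first hop out of range" message.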


-vladz.
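The check before and after the patch, next to the index arithmetic from line 902, as an added stand-alone example (not code from the report or from traceroute itself). It assumes a 32-bit unsigned int and the usual two's-complement conversion to int, which is how -f 0 turns into a start index of -3.

```c
#include <stdio.h>

/* Pre-fix check, as quoted from line 559: only the upper bound is tested,
 * so first_hop == 0 slips through. */
int first_hop_ok_before(unsigned int first_hop, unsigned int max_hops)
{
    return !(first_hop > max_hops);
}

/* Check from the proposed patch: zero is rejected as well. Since first_hop
 * is unsigned, this covers the whole valid range 1..max_hops. */
int first_hop_ok_after(unsigned int first_hop, unsigned int max_hops)
{
    return !(!first_hop || first_hop > max_hops);
}

/* Mirrors line 902: (first_hop - 1) is computed in unsigned arithmetic.
 * With first_hop == 0 it wraps to UINT_MAX; multiplied by probes_per_hop (3)
 * and converted to int it becomes -3 (implementation-defined conversion,
 * modulo 2^32 on gcc/clang). */
int probe_start_index(unsigned int first_hop, unsigned int probes_per_hop)
{
    return (int) ((first_hop - 1) * probes_per_hop);
}

/* 1 if the index range the do_it loop walks stays inside probes[0..nprobes-1]. */
int range_in_bounds(int start, int end, int nprobes)
{
    return start >= 0 && end <= nprobes && start <= end;
}

int main(void)
{
    unsigned int max_hops = 30, probes_per_hop = 3;
    for (unsigned int f = 0; f <= 2; f++) {
        int start = probe_start_index(f, probes_per_hop);
        printf("-f %u: old check %s, new check %s, start index %d, in bounds %d\n",
               f,
               first_hop_ok_before(f, max_hops) ? "accepts" : "rejects",
               first_hop_ok_after(f, max_hops) ? "accepts" : "rejects",
               start,
               range_in_bounds(start, start + (int) probes_per_hop,
                               (int) (max_hops * probes_per_hop)));
    }
    return 0;
}
```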

Comment 1 Dmitry Butskoy 2009-11-02 10:30:59 UTC
Thanks a lot!

Comment 2 Dmitry Butskoy 2009-11-03 18:41:27 UTC
Fixed upstream.

Updated to 2.0.13

See http://kojipkgs.fedoraproject.org/packages/traceroute/2.0.13/1.fc13/

