Subject: bin/7700: Host/Network byte order problem in traceroute for PMTU discovery
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jarle@runit.sintef.no>
List: netbsd-bugs
Date: 06/04/1999 09:05:57
>Number:         7700
>Category:       bin
>Synopsis:       Host/Network byte order problem in traceroute for PMTU discovery
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jun  4 09:05:00 1999
>Last-Modified:
>Originator:     Jarle Greipsland
>Organization:
	
>Release:        NetBSD-1.4
>Environment:
	
System: NetBSD natteravn.runit.sintef.no 1.4 NetBSD 1.4 (NATTERAVN) #0: Thu May 6 19:05:04 MEST 1999 root@natteravn.runit.sintef.no:/usr/src/sys/arch/i386/compile/NATTERAVN i386


>Description:
traceroute on an i386 (and I suspect any little endian system) may
experience a segmentation fault when receiving ICMP fragmentation needed
packets.  This is due to a missing ntohs().  Diff below.

The enclosed diff only fixes the immediate problem.  More serious is the
fact that the program unconditionally trusts the data it received from the
network.  Someone may want to look into this in more depth (traceroute is
after all setuid root).
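The following is an added illustration of the two points in this report, written for this page and not taken from NetBSD's traceroute. It parses a constructed ICMP "destination unreachable / fragmentation needed" message (RFC 1191 layout: the Next-Hop MTU sits in bytes 6-7 of the ICMP header, followed by the quoted inner IP header) and contrasts the raw, unconverted read with an ntohs() read, then adds the bounds checks a setuid program should apply before acting on a router-supplied MTU or on the quoted header's ip_hl. The packet bytes, the 68-byte minimum and the function names are all assumptions of this example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_UNREACH          3
#define ICMP_UNREACH_NEEDFRAG 4
#define IPV4_MIN_MTU          68   /* smallest MTU an IPv4 link must carry (RFC 791) */

/* Constructed sample: type 3, code 4, zero checksum, Next-Hop MTU 1480 (0x05C8)
 * in network byte order, then a minimal quoted inner IPv4 header (ip_v=4, ip_hl=5). */
static const uint8_t sample_needfrag[] = {
    0x03, 0x04, 0x00, 0x00,          /* type, code, checksum (not verified here) */
    0x00, 0x00, 0x05, 0xC8,          /* unused, Next-Hop MTU = 1480 */
    0x45, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00, 0x00,   /* inner IP header, 20 bytes */
    0x40, 0x11, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x01,
    0x0A, 0x00, 0x00, 0x02
};

/* 1 on little-endian hosts (i386), 0 on big-endian. */
int host_is_little_endian(void)
{
    uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* The unpatched behaviour: copy the two wire bytes straight into a host
 * integer with no byte-order conversion. On i386 1480 becomes 0xC805 = 51205. */
uint16_t raw_nextmtu(const uint8_t *pkt, size_t len)
{
    uint16_t v = 0;
    if (len >= 8)
        memcpy(&v, pkt + 6, sizeof v);
    return v;
}

/* Hardened read: convert with ntohs() and refuse values the network has no
 * business sending. sent_len is the size of the probe we transmitted.
 * Returns the validated MTU, or 0 when the message must not be trusted. */
unsigned parsed_nextmtu(const uint8_t *pkt, size_t len, size_t sent_len)
{
    uint16_t wire;
    unsigned mtu, ihl;

    if (len < 8 + 20)                                   /* ICMP header + quoted IP header */
        return 0;
    if (pkt[0] != ICMP_UNREACH || pkt[1] != ICMP_UNREACH_NEEDFRAG)
        return 0;

    memcpy(&wire, pkt + 6, sizeof wire);
    mtu = ntohs(wire);                                   /* the fix in the report */

    /* RFC 1191: routers without PMTU support send 0; anything below the IPv4
     * minimum is nonsense, and an MTU >= our probe size would never have
     * produced this error, so treat both as untrustworthy. */
    if (mtu < IPV4_MIN_MTU || mtu >= sent_len)
        return 0;

    /* The quoted header's ip_hl is network data too: check it before anyone
     * uses it (as hlen = hip->ip_hl << 2) to index further into the buffer. */
    ihl = (unsigned)(pkt[8] & 0x0F) << 2;
    if ((pkt[8] >> 4) != 4 || ihl < 20 || 8 + ihl > len)
        return 0;

    return mtu;
}

int main(void)
{
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    printf("raw field      : %u\n", raw_nextmtu(sample_needfrag, sizeof sample_needfrag));
    printf("validated MTU  : %u\n", parsed_nextmtu(sample_needfrag, sizeof sample_needfrag, 1500));
    printf("bogus (>= sent): %u\n", parsed_nextmtu(sample_needfrag, sizeof sample_needfrag, 1000));
    return 0;
}
```

On an i386 host the raw read prints 51205 where the router said 1480; that is the value the unpatched code handed to frag_err(). The validated path returns 1480 for a 1500-byte probe and 0 (reject) when the claimed MTU is not smaller than what was sent or the message is truncated.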
	
>How-To-Repeat:

Use the -P flag with traceroute on a little endian host for a route where
the size of the transmitted packages will exceed the MTU of at least one of
the links.

	
>Fix:
	

*** traceroute.c.orig	Fri Jun  4 17:43:34 1999
--- traceroute.c	Fri Jun  4 17:46:18 1999
***************
*** 1182,1186 ****
  		hlen = hip->ip_hl << 2;
  
! 		nextmtu = icp->icmp_nextmtu;	/* for frag_err() */
  			
  		if (useicmp) {
--- 1182,1186 ----
  		hlen = hip->ip_hl << 2;
  
! 		nextmtu = ntohs(icp->icmp_nextmtu);	/* for frag_err() */
  			
  		if (useicmp) {
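Review bot: the ntohs() on the icmp_nextmtu line is the right fix for the byte-order crash, but nextmtu is still handed to frag_err() exactly as the router sent it, with no range check, which is the "trusts the data it received from the network" concern from the description. Suggest validating it at this point, e.g. treat 0 (RFC 1191 routers without PMTU support) and values below the 68-byte IPv4 minimum as "no usable MTU", and reject a value that is not smaller than the probe just sent, before frag_err() consumes it. The same applies to `hlen = hip->ip_hl << 2;` two lines up: ip_hl comes from the quoted inner header and should be checked against the received length before hlen is used to index further into the buffer.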
>Audit-Trail:
>Unformatted: