Subject: FYI: Buffer overflow in traceroute
To: None <tech-security@NetBSD.ORG>
From: Erik E. Fair <>
List: tech-security
Date: 06/13/1998 17:41:05
>Date:	Sat, 13 Jun 1998 17:28:41 -0700 (PDT)
>From:	Kevin Vajk <>
>Subject: Buffer overflow in traceroute
>MIME-Version: 1.0
>(Yes, I know it drops privileges immediately.  But since it holds a raw
>socket, it's a security liability.  Besides, this is really in some
>ways a remote attack, so it matters even to non-setuid programs.)
>On the newly-formed Linux security audit project I've been participating
>in, Chris Evans pointed out the danger of mistrusting information returned
>from remote nameservers.  In particular, the h_length structure.
>Consider the following two lines from OpenBSD's traceroute.c:
>    memcpy(&gateway[lsrr], hp->h_addr, hp->h_length)
>    memcpy(&to.sin_addr, hp->h_addr, hp->h_length);
>This is like using strncpy(), only the *remote* nameserver is dictating
>how many bytes to copy.  It should be changed to use the sizeof operator,
>instead.  Something like:
>    memcpy(dest, hp-h_addr, sizeof(dest));
>(I recommend grep'ing for h_length on your source tree.  We've been doing
>it for Linux, and it's depressing what's been turning up.)
>Anyhow, thanks for all your work on making OpenBSD so secure.  It's a real
>inspiration.  (And it's finally a proof-of-concept of the common-sense
>idea that proactive security really is the best.)
>- Kevin Vajk
>  <>