Subject: FYI: Buffer overflow in traceroute
To: None <tech-security@NetBSD.ORG>
From: Erik E. Fair <fair@clock.org>
List: tech-security
Date: 06/13/1998 17:41:05
>Date:	Sat, 13 Jun 1998 17:28:41 -0700 (PDT)
>From:	Kevin Vajk <kvajk@ricochet.net>
>To:	bugs@openbsd.org
>Subject: Buffer overflow in traceroute
>MIME-Version: 1.0
>Sender: owner-bugs@openbsd.org
>
>
>(Yes, I know it drops privileges immediately.  But since it holds a raw
>socket, it's a security liability.  Besides, this is really in some
>ways a remote attack, so it matters even to non-setuid programs.)
>
>On the newly-formed Linux security audit project I've been participating
>in, Chris Evans pointed out the danger of mistrusting information returned
>from remote nameservers.  In particular, the h_length structure.
>
>Consider the following two lines from OpenBSD's traceroute.c:
>    memcpy(&gateway[lsrr], hp->h_addr, hp->h_length)
>and
>    memcpy(&to.sin_addr, hp->h_addr, hp->h_length);
>
>This is like using strncpy(), only the *remote* nameserver is dictating
>how many bytes to copy.  It should be changed to use the sizeof operator,
>instead.  Something like:
>    memcpy(dest, hp->h_addr, sizeof(dest));
>
>(I recommend grep'ing for h_length on your source tree.  We've been doing
>it for Linux, and it's depressing what's been turning up.)
>
>Anyhow, thanks for all your work on making OpenBSD so secure.  It's a real
>inspiration.  (And it's finally a proof-of-concept of the common-sense
>idea that proactive security really is the best.)
>
>Thanks!
>
>- Kevin Vajk
>  <kvajk@ricochet.net>
>
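The validating copy the report asks for, written out as an added example in C (not code from the report or from OpenBSD's traceroute.c): the resolver-supplied h_addrtype and h_length are checked against the destination before anything is copied. The function names, and the constructed hostent built in-process instead of a real gethostbyname() answer, are this example's own.

```c
/* Added example: copy a resolver result into a sockaddr_in without
 * trusting the h_length the (remote) nameserver answer produced. */
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Returns 1 and fills 'to' when hp describes exactly one IPv4 address of
 * the expected size; returns 0 and leaves 'to' untouched otherwise. */
int hostent_to_sin(const struct hostent *hp, struct sockaddr_in *to)
{
    if (hp == NULL || hp->h_addr_list == NULL || hp->h_addr_list[0] == NULL)
        return 0;
    /* Family and length come from the answer, so both are checked against
     * what the destination can hold rather than used as the copy length. */
    if (hp->h_addrtype != AF_INET)
        return 0;
    if (hp->h_length != (int)sizeof(to->sin_addr))
        return 0;
    memset(to, 0, sizeof(*to));
    to->sin_family = AF_INET;
    memcpy(&to->sin_addr, hp->h_addr_list[0], sizeof(to->sin_addr));
    return 1;
}

/* Constructed resolver answer (no network lookup): a 4-byte address
 * payload (192.0.2.1, TEST-NET) paired with whatever h_length the caller
 * claims, which is what a hostile or broken server would control. */
int copy_with_claimed_length(int claimed_len, struct sockaddr_in *out)
{
    static unsigned char payload[4] = { 192, 0, 2, 1 };
    static char name[] = "example.invalid";
    char *list[2] = { (char *)payload, NULL };
    struct hostent h;
    memset(&h, 0, sizeof(h));
    h.h_name = name;
    h.h_addrtype = AF_INET;
    h.h_length = claimed_len;
    h.h_addr_list = list;
    return hostent_to_sin(&h, out);
}

int main(void)
{
    struct sockaddr_in to;
    printf("h_length 4:  %s\n", copy_with_claimed_length(4, &to) ? "copied" : "rejected");
    printf("h_length 64: %s\n", copy_with_claimed_length(64, &to) ? "copied" : "rejected");
    return 0;
}
```

The same length check applies to the gateway[] array in the first memcpy the report quotes, with sizeof(gateway[lsrr]) as the bound.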