tech-net: Re: FYI: Buffer overflow in traceroute

Subject: Re: FYI: Buffer overflow in traceroute
To: None <tech-security@NetBSD.ORG, tech-net@NetBSD.ORG>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 06/14/1998 17:37:23
[Note: adding tech-net, since this thread seems to be heading more
thataway, IMO - please check the recipient list if replying.]

> gethostby{name,addr} and getnet* are better places to fix this sort
> of thing.  They shouldn't, imho, return addresses lengths > 4.

I strongly disagree.

> IPng uses a gethostbyname2 for this sort of thing.

I disagree with that choice too.

IMO, gethostbyname should return a list of addresses.  Each address
should be tagged with an AF_ type (yes, this would be an interface
change, but no worse than the one involved when going from h_addr to
h_addr_list).  Code should _always_ check that the address type is not
something unexpected (this is rudimentary defensive programming).

IMO the h_length field is basically useless, even if expanded to a
per-address array a la what I'd like to see done with h_addrtype...at
least unless the networking APIs are *much* expanded, with (at a
minimum) a call to allocate a struct sockaddr variant given the AF_
value for it, a call to copy the address into the correct place in it
based on a run-time-provided AF_ value, and some way of resolving the
issue of finer-grained addressing.  (What do I mean by "finer-grained
addressing"?  In IPv4, UDP and TCP port numbers.  I think IPv6
similarly uses small integers.  I believe DECnet uses (length-limited?)
strings.  I don't recall what CHAOSnet or XNS or ISO/OSI use, if I ever
knew.  *By definition* I can't predict what the next real innovation to
come down the pike will use.  This is the problem: it has to handle
AF-dependent data in an AF-independent way.)

> the gethostbyname man page implies that it only looks up AF_INET
> addresses, which are, by definition, 4 bytes long.

Well...by definition they contain exactly 32 bits of information.
sizeof(struct in_addr) may be as small as 1 (eg, on machines like DSPs
where char, short, int, long, are all 32 bits) or more than 4 (eg, on a
64-bit machine (with 8-bit chars) where the implementor decided to pad
to the word size for ease of implementation).

As for the man page "impl[ying]" that...well, it depends on the manpage
in question.  NetBSD gethostbyname.3 1.11 doesn't just "impl[y]" it; it
outright states it - but does so in language that implies that that
fact should not be depended upon:

.It Fa h_aliases
A NULL-terminated array of alternative names for the host.
.It Fa h_addrtype
The type of address being returned; currently always
.Dv AF_INET .
[...]
.Sh BUGS
[...]
Only the Internet
address format is currently understood.

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B