Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Very interesting traceroute flaw
From: pedward () WEBCOM COM
Date: Fri, 29 Sep 2000 09:51:02 -0700

What is causing the segmentation fault is freeing of unallocated memory, not
the fact that you are calling free in the middle of a chunk of malloced
memory.  This code will produce SIGBUS on solaris and other hardware that
supports a misaligned access exceptions.

I have downloaded the sources and done the work:

The second -g 1 causes a free() on an unallocated pointer.  The problem
is that the second 'savestr' doesn't actually allocate a chunk of memory
for hi->name, so when free is called against the bogus pointer it segfaults
in chunk_free.  The hi->name is actually written to an unallocated, but unused
portion of the heap.

If this is possibly exploitable (rh6.2 rev 18), then I would be REALLY
surprised.  savestr is only used in gethostinfo, totally innocuous.


traceroute -g 1 -g 1       (I think it didn't need a hostname)
Segmentation fault

Looking at the code, there is a file "savestr.c", which contains a
function savestr(). This savestr() function is essentially a
strdup() function, but with the difference that an attempt is made to cut
down on the number of malloc() calls. This is accomplished by malloc()'ing
a large block and handing out pointers _inside_ this block as savestr() is
repeatedly called.

So where does this all go wrong? Unfortunately, the clients of the
savestr() method seemed to treat savestr() like it was strdup() - i.e. all
pointers returned must be free()'d or you have a leak. This is not the
case, so we have the flaw: free() called on a pointer not allocated by

Perry Harrington                 Director of                   zelur xuniL  ()
perry () webcom com             System Architecture               Think Blue.  /\

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]