oss-sec mailing list archives

[SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2


From: MOHAMED AZIZ RAHMOUNI <mohamedaziz.rahmouni () insat ucar tn>
Date: Tue, 28 Apr 2026 23:03:58 +0100

Hello,

I am reporting a security vulnerability I discovered in traceroute 2.1.2
during manual code review and dynamic fuzzing.

Summary:
An out-of-bounds read exists in traceroute/traceroute.c. After recvmsg()
returns, bufp is advanced past the IPv4 header (bufp += hlen) but n is not
decremented accordingly. The subsequent call:

    handle_extensions(pb, bufp + offs, n - offs, step);

passes a len value that is hlen bytes (20 for IPv4, 40 for IPv6) larger
than the actual data available from bufp + offs. This causes the MPLS
extension parser to read past the received packet boundary into
uninitialized stack memory within buf[1280].

The vulnerability is remotely triggerable by any on-path network device
that can send a crafted ICMP Time Exceeded response with MPLS extensions to
a traceroute -e invocation. I have confirmed the issue with a working proof
of concept.

Proposed fix (single line addition after line 1427):

    bufp += hlen;
    n -= hlen;   // add this line
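The length accounting described in the summary and the proposed fix, as an added model (not traceroute's code and not the attached proof of concept): a constructed buffer stands in for buf[1280], only the first n bytes count as received, the rest is filled with a sentinel standing in for stale stack memory, and a hypothetical extension walker counts how many sentinel bytes it reads when handed the unreduced length versus the corrected one.

```c
#include <stddef.h>
#include <string.h>

/* Added model of the receive path in the report, not traceroute's own code.
 * buf[] stands in for buf[1280]: only the first n bytes are "received", the
 * rest holds a sentinel standing in for stale stack memory. */
enum { BUF_SIZE = 1280, SENTINEL = 0xAA };

/* Hypothetical extension walker: consumes objects carrying a 2-byte
 * big-endian length plus 2 bytes of class/type, trusting `len` as the
 * caller's bound. Counts how many sentinel bytes it actually reads. */
static size_t walk_objects(const unsigned char *p, size_t len, size_t *stale)
{
    size_t pos = 0;
    *stale = 0;
    while (pos + 4 <= len) {
        for (size_t i = pos; i < pos + 4; i++)   /* bytes the walker reads */
            if (p[i] == SENTINEL) (*stale)++;
        size_t olen = ((size_t)p[pos] << 8) | p[pos + 1];
        if (olen < 4 || pos + olen > len)
            break;                               /* malformed object: stop */
        pos += olen;
    }
    return pos;
}

/* Constructed extension payload: one 8-byte object, then one 4-byte object. */
static const unsigned char EXT[] = { 0x00, 0x08, 0x01, 0x01, 0xde, 0xad,
                                     0xbe, 0xef, 0x00, 0x04, 0x01, 0x01 };

/* Runs the walker once with the report's accounting (fixed == 0: n is not
 * reduced by hlen) or the corrected accounting (fixed != 0). Returns the
 * sentinel bytes read; *consumed gets the bytes the walker accepted. */
static size_t run_once(int fixed, size_t *consumed)
{
    const size_t hlen = 20, offs = 8;            /* IPv4 header, ICMP head */
    unsigned char buf[BUF_SIZE];
    size_t n = hlen + offs + sizeof EXT, stale;  /* bytes recvmsg() returned */
    memset(buf, SENTINEL, sizeof buf);           /* "uninitialised" stack */
    memset(buf, 0x45, hlen + offs);              /* header bytes, no sentinel */
    memcpy(buf + hlen + offs, EXT, sizeof EXT);  /* only n bytes are received */
    const unsigned char *bufp = buf + hlen;      /* bufp += hlen ... */
    if (fixed)
        n -= hlen;                               /* ... and the missing line */
    *consumed = walk_objects(bufp + offs, n - offs, &stale);
    return stale;
}

size_t stale_bytes_read(int fixed) { size_t c; return run_once(fixed, &c); }
size_t bytes_consumed(int fixed) { size_t c; run_once(fixed, &c); return c; }
```

With the unreduced length the walker reads four bytes past the received data before the malformed-length check stops it; with n reduced by hlen it stops exactly at the packet boundary.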

I have attached a full technical report including root cause analysis,
proof of concept code, memory layout analysis, and impact assessment.

I am following a 90-day responsible disclosure policy. I intend to publish
details publicly on 2026-07-27 unless a patch is available sooner, at which
point I will coordinate the disclosure timeline with you.

Please confirm receipt of this report.

Regards,
Security researcher Zyyz

Mohamed Aziz Rahmouni

Attachment: traceroute_vuln_report.pdf