Re: [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2

[Dmitry Butskoy <buc () buc spb ru>]

Thanks for the report. I'll review it in the next few hours.


MOHAMED AZIZ RAHMOUNI wrote:
> Hello,
>
> I am reporting a security vulnerability I discovered in traceroute 
> 2.1.2 during manual code review and dynamic fuzzing.
>
> Summary:
> An out-of-bounds read exists in traceroute/traceroute.c. After 
> recvmsg() returns, bufp is advanced past the IPv4 header (bufp += 
> hlen) but n is not decremented accordingly. The subsequent call:
>
>     handle_extensions(pb, bufp + offs, n - offs, step);
>
> passes a len value that is hlen bytes (20 for IPv4, 40 for IPv6) 
> larger than the actual data available from bufp + offs. This causes 
> the MPLS extension parser to read past the received packet boundary 
> into uninitialized stack memory within buf[1280].
>
> The vulnerability is remotely triggerable by any on-path network 
> device that can send a crafted ICMP Time Exceeded response with MPLS 
> extensions to a traceroute -e invocation. I have confirmed the issue 
> with a working proof of concept.
>
> Proposed fix (single line addition after line 1427):
>
>     bufp += hlen;
>     n -= hlen;   // add this line
>
> I have attached a full technical report including root cause analysis, 
> proof of concept code, memory layout analysis, and impact assessment.
>
> I am following a 90-day responsible disclosure policy. I intend to 
> publish details publicly on 2026-07-27 unless a patch is available 
> sooner, at which point I will coordinate the disclosure timeline with you.
>
> Please confirm receipt of this report.
>
> Regards,
> Security researcher Zyyz
>
> Mohamed Aziz Rahmouni