Bugtraq mailing list archives
Re: Very interesting traceroute flaw
From: pedward () WEBCOM COM
Date: Fri, 29 Sep 2000 09:51:02 -0700
What is causing the segmentation fault is freeing of unallocated memory, not the fact that you are calling free in the middle of a chunk of malloced memory. This code will produce SIGBUS on Solaris and other hardware that supports misaligned access exceptions.

I have downloaded the sources and done the work: the second -g 1 causes a free() on an unallocated pointer. The problem is that the second 'savestr' doesn't actually allocate a chunk of memory for hi->name, so when free is called against the bogus pointer it segfaults in chunk_free. The hi->name is actually written to an unallocated, but unused, portion of the heap.

If this is possibly exploitable (rh6.2 rev 18), then I would be REALLY surprised. savestr is only used in gethostinfo, totally innocuous.

--Perry
> traceroute -g 1 -g 1 (I think it didn't need a hostname)
> Segmentation fault
>
> Looking at the code, there is a file "savestr.c", which contains a function savestr(). This savestr() function is essentially a strdup() function, but with the difference that an attempt is made to cut down on the number of malloc() calls. This is accomplished by malloc()'ing a large block and handing out pointers _inside_ this block as savestr() is repeatedly called.
>
> So where does this all go wrong? Unfortunately, the clients of the savestr() method seemed to treat savestr() like it was strdup() - i.e. all pointers returned must be free()'d or you have a leak. This is not the case, so we have the flaw: free() called on a pointer not allocated by malloc().
--
Perry Harrington
Director of System Architecture
perry () webcom com
zelur xuniL    Think Blue.    /\
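The savestr() pattern under discussion, as an added illustration written for this archive page (a constructed, simplified allocator in the same style, not traceroute's savestr.c): one large block is malloc()'d and successive strings are carved out of it, so only the first string ever returned from a fresh block is a pointer free() would accept, and the second "-g 1" gets an interior pointer. The helper names savestr_is_block_base() and savestr_release_all() are assumptions introduced here to make the ownership contract checkable.

```c
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Constructed, simplified savestr() in the style of traceroute's savestr.c:
 * strings are copied into one big block rather than one malloc() each.
 * Only strptr_base is a valid argument to free(); every later result is
 * an interior pointer, which is exactly what the -g 1 -g 1 crash freed. */
#define SAVESTR_BLOCK 1024

static char *strptr;        /* next unused byte in the current block */
static char *strptr_base;   /* base of the current block: the only free()-able pointer */
static size_t strsize;      /* bytes still available in the current block */

char *savestr(const char *str)
{
    size_t len = strlen(str) + 1;
    if (len > strsize) {
        /* Start a new block. Strings handed out from an earlier block stay
         * valid but can never be freed individually; the old block is kept. */
        strsize = len > SAVESTR_BLOCK ? len : SAVESTR_BLOCK;
        strptr_base = strptr = malloc(strsize);
        if (strptr == NULL)
            return NULL;
    }
    char *cp = strptr;      /* hand out a pointer inside the block */
    memcpy(cp, str, len);
    strptr += len;
    strsize -= len;
    return cp;
}

/* True only for the base of the current block, i.e. the single savestr()
 * result that free() would accept. Any other result is interior, and
 * passing it to free() corrupts the allocator (chunk_free in glibc). */
bool savestr_is_block_base(const char *p)
{
    return p != NULL && p == strptr_base;
}

/* The correct way to give arena memory back: release the whole block,
 * never the individual strings. Callers must treat earlier results as
 * invalid afterwards. */
void savestr_release_all(void)
{
    free(strptr_base);
    strptr_base = strptr = NULL;
    strsize = 0;
}
```

A caller that wants per-string free() semantics must use strdup() (or copy the savestr() result) instead of freeing what savestr() hands out.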