Bugtraq mailing list archives

Re: Very interesting traceroute flaw


From: pedward () WEBCOM COM
Date: Fri, 29 Sep 2000 09:51:02 -0700

What is causing the segmentation fault is freeing of unallocated memory, not
the fact that you are calling free in the middle of a chunk of malloced
memory.  This code will produce SIGBUS on Solaris and other hardware that
supports misaligned access exceptions.

I have downloaded the sources and done the work:

The second -g 1 causes a free() on an unallocated pointer.  The problem
is that the second 'savestr' doesn't actually allocate a chunk of memory
for hi->name, so when free is called against the bogus pointer it segfaults
in chunk_free.  The hi->name is actually written to an unallocated, but unused
portion of the heap.

If this is possibly exploitable (rh6.2 rev 18), then I would be REALLY
surprised.  savestr is only used in gethostinfo, totally innocuous.

--Perry

traceroute -g 1 -g 1       (I think it didn't need a hostname)
Segmentation fault

Looking at the code, there is a file "savestr.c", which contains a
function savestr(). This savestr() function is essentially a
strdup() function, but with the difference that an attempt is made to cut
down on the number of malloc() calls. This is accomplished by malloc()'ing
a large block and handing out pointers _inside_ this block as savestr() is
repeatedly called.

So where does this all go wrong? Unfortunately, the clients of the
savestr() method seemed to treat savestr() like it was strdup() - i.e. all
pointers returned must be free()'d or you have a leak. This is not the
case, so we have the flaw: free() called on a pointer not allocated by
malloc().

--
Perry Harrington                 Director of                   zelur xuniL  ()
perry () webcom com             System Architecture               Think Blue.  /\
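As an added illustration (not traceroute's savestr.c, and not the thread's own code): a savestr()-style pool allocator that hands out pointers inside one malloc()'d block, together with an ownership check so that callers release strings through a routine that never passes a pool-internal pointer to free(). The function names, the pool size and the fallback to strdup() are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define POOL_SIZE 4096          /* constructed size; not traceroute's value */
static char *pool_base = NULL;  /* the single block obtained from malloc() */
static size_t pool_used = 0;

/* savestr()-style copy: hands out a pointer inside the shared block.
 * The returned pointer must never be passed to free() directly. */
char *savestr(const char *s)
{
    size_t n = strlen(s) + 1;
    if (pool_base == NULL)
        pool_base = malloc(POOL_SIZE);
    if (pool_base != NULL && pool_used + n <= POOL_SIZE) {
        char *p = pool_base + pool_used;
        memcpy(p, s, n);
        pool_used += n;
        return p;
    }
    return strdup(s);  /* too big for the pool: a genuine malloc() allocation */
}

/* True if p lies inside the pool block, i.e. was never returned by malloc(). */
int savestr_owns(const char *p)
{
    uintptr_t a = (uintptr_t)p, b = (uintptr_t)pool_base;
    return pool_base != NULL && a >= b && a < b + POOL_SIZE;
}

/* What clients should call instead of free(): only pointers that really came
 * from malloc()/strdup() are released. Returns 1 if free() was called. */
int release_savestr(char *p)
{
    if (p == NULL || savestr_owns(p))
        return 0;      /* pool memory: free() here would corrupt the heap */
    free(p);
    return 1;
}

/* Mirrors the "-g 1 -g 1" sequence: two copies of the same gateway name.
 * Returns 1 when both live in the pool and neither reaches free(). */
int demo_two_gateways(void)
{
    char *first = savestr("1"), *second = savestr("1");
    return first != second && savestr_owns(first) && savestr_owns(second)
        && release_savestr(first) == 0 && release_savestr(second) == 0;
}
```

The point for a reviewer is that the allocator and the release routine must agree on ownership; a caller that assumes strdup() semantics and calls free() on the second copy is exactly the invalid free described above.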

