Vulnerability Development mailing list archives

Re: traceroute-4.4BSD (slack) heap overflow


From: Heinrich Langos <heinrich () WH9 TU-DRESDEN DE>
Date: Fri, 5 Jan 2001 19:24:45 +0100

On Thu, Jan 04, 2001 at 06:08:03PM -0800, Cristi Dumitrescu wrote:
Hi,

A while ago I was studying the source code for this traceroute... I found
this in the inetname function:

...
        static char line[50];
...
        if (cp)
                (void) strcpy(line, cp);
        else {
...

The cp variable holds at that point the hostname for the current host it's
tracing.

Is that the hostname given on the command line or the hostname as it is
resolved along the way?

If it is the second, you could *maybe* exploit it if you are the
administrator of a DNS server, making all those suckers pay for
resolving your IP address :-)

No, seriously. I'm not sure if the length is not limited by the average
libresolv or by the DNS protocol. But not checking the length is a big
"NO NO" ... considering that traceroute runs SUID root!

I'll download the sources of my traceroute and check if it also has
this line of code.

-heinrich
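
Added example (not code from the thread or from traceroute itself) showing the two points raised above: the DNS limits do not save a 50-byte buffer, and what a bounded copy in place of strcpy(line, cp) looks like. It assumes the name reaches inetname() exactly as a resolver returned it; the hostnames, LINE_SZ, and the helper names are constructed for illustration. RFC 1035 caps a label at 63 octets and a name at 255 octets on the wire (253 characters in text form), so the 191-character sample is a perfectly valid name a PTR record can carry.

```c
#include <stdio.h>
#include <string.h>

/* The buffer from traceroute's inetname(): static char line[50]; */
#define LINE_SZ 50

/* Would strcpy(line, cp) write past a LINE_SZ-byte buffer?
   strcpy copies strlen(cp) bytes plus the terminating NUL. */
int would_overflow(const char *cp)
{
    return strlen(cp) + 1 > LINE_SZ;
}

/* Hardened replacement for strcpy(line, cp): copies at most line_sz - 1
   characters, always NUL-terminates, and never writes outside line[].
   Returns the number of characters that had to be dropped (0 if cp fit). */
size_t copy_hostname(char *line, size_t line_sz, const char *cp)
{
    size_t len = strlen(cp);
    size_t n = len < line_sz - 1 ? len : line_sz - 1;

    memcpy(line, cp, n);
    line[n] = '\0';
    return len - n;
}

/* Constructed sample input (hypothetical, not a real host): three labels of
   63 'a' characters joined by dots, 191 characters in total.  Each label is
   within the 63-octet DNS label limit and the whole name is under the 253
   character textual limit, so a resolver would hand it back unchanged; it is
   still almost four times larger than line[50].
   Returns the length written, or 0 if buf is too small. */
size_t build_long_name(char *buf, size_t bufsz)
{
    const size_t labels = 3, label_len = 63;
    size_t need = labels * label_len + (labels - 1) + 1;
    size_t pos = 0;

    if (bufsz < need)
        return 0;
    for (size_t l = 0; l < labels; l++) {
        if (l > 0)
            buf[pos++] = '.';
        memset(buf + pos, 'a', label_len);
        pos += label_len;
    }
    buf[pos] = '\0';
    return pos;
}

int main(void)
{
    char name[256];
    char line[LINE_SZ];
    const char *hosts[2];

    hosts[0] = "router.example.net";    /* fits in line[50] */
    build_long_name(name, sizeof name); /* does not */
    hosts[1] = name;

    for (int i = 0; i < 2; i++) {
        size_t dropped = copy_hostname(line, sizeof line, hosts[i]);
        printf("%3zu chars: strcpy would %s, bounded copy dropped %zu -> \"%s\"\n",
               strlen(hosts[i]),
               would_overflow(hosts[i]) ? "OVERFLOW" : "fit",
               dropped, line);
    }
    return 0;
}
```

The bounded copy only stops the memory write; a truncated name is still printed, which is the right trade-off for a SUID program whose job is display. Run it and the second line reports that strcpy would overflow while the bounded copy drops 142 characters and keeps line[] intact.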

