Vulnerability Development mailing list archives

Re: traceroute-4.4BSD (slack) heap overflow


From: Olaf Kirch <okir () CALDERA DE>
Date: Mon, 8 Jan 2001 11:54:41 +0100

On Thu, Jan 04, 2001 at 06:08:03PM -0800, Cristi Dumitrescu wrote:
> A while ago I was studying the source code for this traceroute... I found
> this in the inetname function:

This is old old old old old. We patched this hole something like
two or three years ago, and I'd be very surprised if this was
still in recent traceroute code on Slackware.

Addressing some of the FUD that has been posted in response to this
query:

 a.     DNS queries are not limited to UDP datagrams. A malicious
        DNS server can force a client to fall back to DNS over TCP

 b.     The _protocol_ limits DNS host names to 255 characters, but
        resolver implementations may or may not enforce that limit.
        Older Linux libc5 didn't (it would grok up to 1300-odd bytes
        in PTR records), recent glibc does but may blow up the name to
        up to 1020 bytes by printing non-ASCII characters as \xxx.

 c.     The RESOLV_HOST_CONF variable is *not* used to specify
        a replacement for /etc/hosts, but for /etc/host.conf, which
        configures the resolver. Apart from that, it's been quite a
        while since the resolver library honored this variable in
        setuid programs.

Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.
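Point (b) above is the part of this thread worth seeing in code: a PTR answer the protocol caps at 255 octets can come back from the resolver as up to 1020 bytes once non-ASCII octets are printed as backslash escapes, which is why a fixed buffer sized for "a host name" can still be overrun. The following C is an added example, not code from Olaf's post or from the traceroute source. It assumes a resolver that escapes every non-printable octet as a four-character `\DDD` sequence (the 4x factor behind the 1020 figure), a hypothetical 64-byte destination buffer standing in for the one inetname() wrote into, and hypothetical function names of my own; it shows the worst-case expansion and the length check that turns an overflow into a refused copy.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Protocol limit on a DNS name (RFC 1035). */
#define MAX_DNS_NAME 255

/* Hypothetical stand-in for the fixed-size buffer inetname() filled. */
#define HOSTBUF_SIZE 64

/* Worst case: every octet escaped as backslash + three digits. For 255
 * octets that is 1020 bytes, the number quoted in the post. */
size_t escaped_max_len(size_t raw_len) {
    return raw_len * 4;
}

/* Escape a raw name the way an assumed resolver would: printable ASCII
 * passes through, anything else becomes \DDD. Returns the length the
 * escaped form needs; writes at most out_size-1 bytes plus a NUL, so the
 * output is truncated rather than overrun when it does not fit. */
size_t escape_name(const unsigned char *raw, size_t raw_len,
                   char *out, size_t out_size) {
    size_t need = 0, pos = 0;
    for (size_t i = 0; i < raw_len; i++) {
        char tmp[5];
        int n;
        unsigned char c = raw[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            tmp[0] = (char)c;
            n = 1;
        } else {
            n = snprintf(tmp, sizeof tmp, "\\%03u", (unsigned)c); /* n == 4 */
        }
        need += (size_t)n;
        if (out_size > 0 && pos + (size_t)n < out_size) {
            memcpy(out + pos, tmp, (size_t)n);
            pos += (size_t)n;
        }
    }
    if (out_size > 0) out[pos] = '\0';
    return need;
}

/* The check the vulnerable copy lacked: refuse (return -1) instead of
 * copying a name that does not fit the caller's buffer. */
int copy_hostname_checked(const char *name, char *buf, size_t buf_size) {
    size_t len = strlen(name);
    if (len >= buf_size) return -1;
    memcpy(buf, name, len + 1);
    return 0;
}

/* Constructed worst case: a 255-octet name made entirely of 0xff bytes.
 * Returns the escaped length (1020) so a caller can compare it with the
 * protocol limit. */
size_t worst_case_escaped_len(void) {
    unsigned char raw[MAX_DNS_NAME];
    char out[MAX_DNS_NAME * 4 + 1];
    memset(raw, 0xff, sizeof raw);
    return escape_name(raw, sizeof raw, out, sizeof out);
}

/* Same name pushed through the checked copy into the small buffer:
 * returns -1 (refused) rather than writing past HOSTBUF_SIZE. */
int worst_case_copy_result(void) {
    unsigned char raw[MAX_DNS_NAME];
    char escaped[MAX_DNS_NAME * 4 + 1];
    char hostbuf[HOSTBUF_SIZE];
    memset(raw, 0xff, sizeof raw);
    escape_name(raw, sizeof raw, escaped, sizeof escaped);
    return copy_hostname_checked(escaped, hostbuf, sizeof hostbuf);
}

int main(void) {
    printf("protocol limit %d octets, escaped worst case %zu bytes\n",
           MAX_DNS_NAME, worst_case_escaped_len());
    printf("checked copy into %d-byte buffer: %d\n",
           HOSTBUF_SIZE, worst_case_copy_result());
    return 0;
}
```

The point of keeping `escape_name` separate from `copy_hostname_checked` is that the length a program must guard against is the length after the resolver's presentation escaping, not the 255-octet wire limit; sizing a buffer from the protocol number alone is exactly the gap between points (b) and the original bug.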
