From pb@fasterix.frmug.org  Mon Jul 16 10:33:12 2001
Return-Path: <pb@fasterix.frmug.org>
Received: from fasterix.frmug.org (d211.dhcp212-198-74.noos.fr [212.198.74.211])
	by hub.freebsd.org (Postfix) with ESMTP id 6B77E37B407
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 16 Jul 2001 10:33:05 -0700 (PDT)
	(envelope-from pb@fasterix.frmug.org)
Received: (from pb@localhost)
	by fasterix.frmug.org (8.11.3/8.9.3/pb-19990315) id f6GHX1Z17088;
	Mon, 16 Jul 2001 19:33:01 +0200 (CEST)
Message-Id: <200107161733.f6GHX1Z17088@fasterix.frmug.org>
Date: Mon, 16 Jul 2001 19:33:01 +0200 (CEST)
From: Pierre Beyssac <pb@fasterix.freenix.org>
Reply-To: pb@fasterix.freenix.org
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: traceroute -s option allows IP spoofing for non-root
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         29026
>Category:       bin
>Synopsis:       traceroute -s option allows any IP address
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 16 10:40:00 PDT 2001
>Closed-Date:    Sat Apr 17 11:46:42 PDT 2004
>Last-Modified:  Sat Apr 17 11:46:42 PDT 2004
>Originator:     Pierre Beyssac
>Release:        FreeBSD 2, 3, 4, 5
>Organization:
individual
>Environment:

traceroute -s option doesn't check that the provided source address
exists on the host, even when not running as root.

I believe this used to be checked by the bind() call below, but
this code is not activated anymore and has not been for a long
time, and even reactivating it doesn't seem to fix the problem.

This has been broken since FreeBSD 2.2.6 at least (oldest release
I have access to).

I'll be working on a fix unless someone beats me to it.

#ifndef IP_HDRINCL
                if (bind(sndsock, (struct sockaddr *)&from, sizeof(from)) < 0) {
                        Fprintf(stderr, "%s: bind: %s\n",
                            prog, strerror(errno));
                        exit (1);
                }
#endif

Pierre
>Description:
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:

From: Pierre Beyssac <pb@fasterix.freenix.org>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Cc:  
Subject: bin/29026: fix for traceroute
Date: Mon, 13 Aug 2001 21:45:26 +0200

 ----- Forwarded message from Pierre Beyssac <pb@fasterix.freenix.org> -----
 
 Date: Mon, 16 Jul 2001 21:06:37 +0200
 From: Pierre Beyssac <pb@fasterix.freenix.org>
 To: freebsd-net@FreeBSD.ORG
 Cc: traceroute@ee.lbl.gov
 Subject: fix for traceroute (bin/29026)
 
 Could anyone check this fix for PR bin/29026 (traceroute -s option)?
 
 It just reenables the bind(2) call checking for the source address
 correctness, and moves the IP_HDRINCL after that (once IP_HDRINCL
 is enabled on the socket, bind doesn't check this anymore).
 
 It seems to work on my (very outdated) current as well as -stable,
 but I'm not able to check it on a recent -current, and although I
 have tested it with and without -s I may have missed some side
 effects with weird options combinations.
 
 If someone can confirm that this works, I can commit it.
 
 Index: traceroute.c
 ===================================================================
 RCS file: /home/ncvs/src/contrib/traceroute/traceroute.c,v
 retrieving revision 1.18
 diff -u -r1.18 traceroute.c
 --- traceroute.c	2001/06/06 16:12:59	1.18
 +++ traceroute.c	2001/07/16 18:53:44
 @@ -727,13 +727,6 @@
  		exit(1);
  	}
  #endif
 -#ifdef IP_HDRINCL
 -	if (setsockopt(sndsock, IPPROTO_IP, IP_HDRINCL, (char *)&on,
 -	    sizeof(on)) < 0) {
 -		Fprintf(stderr, "%s: IP_HDRINCL: %s\n", prog, strerror(errno));
 -		exit(1);
 -	}
 -#endif
  	if (options & SO_DEBUG)
  		(void)setsockopt(sndsock, SOL_SOCKET, SO_DEBUG, (char *)&on,
  		    sizeof(on));
 @@ -744,14 +737,19 @@
  	if (source != NULL) {
  		source = savestr(getsin(&from, source));
  		outip->ip_src = from.sin_addr;
 -#ifndef IP_HDRINCL
  		if (bind(sndsock, (struct sockaddr *)&from, sizeof(from)) < 0) {
  			Fprintf(stderr, "%s: bind: %s\n",
  			    prog, strerror(errno));
  			exit (1);
  		}
 -#endif
  	}
 +#ifdef IP_HDRINCL
 +	if (setsockopt(sndsock, IPPROTO_IP, IP_HDRINCL, (char *)&on,
 +	    sizeof(on)) < 0) {
 +		Fprintf(stderr, "%s: IP_HDRINCL: %s\n", prog, strerror(errno));
 +		exit(1);
 +	}
 +#endif
  
  #if	defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
  	if (setpolicy(sndsock, "in bypass") < 0)
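Review bot: making the bind() unconditional is the fix, but its effectiveness rests on two orderings visible in this hunk that nothing in the code enforces: `outip->ip_src = from.sin_addr;` copies the same address that bind() validates, and the `#ifdef IP_HDRINCL` setsockopt now runs only after bind() has succeeded. Add a comment on the relocated `#ifdef IP_HDRINCL` block stating that it must stay after the bind, since once the option is on the kernel takes ip_src from the caller-supplied header and bind() no longer guards it; a later reorder would silently reintroduce the spoofing hole the PR reports. The error path is fine as is: a non-local -s address fails bind() with EADDRNOTAVAIL and the existing "bind:" message reports it.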
 
 -- 
 Pierre Beyssac	      pb@fasterix.frmug.org pb@fasterix.freenix.org
        Why write portable code when you can write Linux code?
     Free domains: http://www.eu.org/ or mail dns-manager@EU.org
 
 ----- End forwarded message -----
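The check the patch relies on, as an added example rather than code from traceroute or from the PR: bind(2) rejects a source address that is not configured on the host with EADDRNOTAVAIL, and on the raw sender that bind must happen before IP_HDRINCL is enabled. `source_is_local` (an unprivileged UDP-socket variant of the check, so it runs without root) and `open_raw_sender` are hypothetical names introduced here; 192.0.2.1 is a constructed non-local address from the TEST-NET range.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 if `ip` is configured on a local interface, 0 if the kernel rejects
 * it with EADDRNOTAVAIL, -1 on a malformed address or other error. */
int source_is_local(const char *ip)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));           /* sin_port 0: only the address matters */
    sin.sin_family = AF_INET;
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
        return -1;
    int s = socket(AF_INET, SOCK_DGRAM, 0); /* unprivileged socket is enough for the check */
    if (s < 0)
        return -1;
    int rc = bind(s, (struct sockaddr *)&sin, sizeof(sin));
    int err = errno;
    close(s);
    return rc == 0 ? 1 : (err == EADDRNOTAVAIL ? 0 : -1);
}

/* Open the raw sender in the order the patch establishes: bind() first, so the
 * kernel validates the source address, IP_HDRINCL second. Once IP_HDRINCL is on,
 * ip_src comes from the caller-built header and bind() no longer guards it.
 * Raw sockets need root; returns the fd, or -1 with errno set. */
int open_raw_sender(const char *source, struct in_addr *src_out)
{
    struct sockaddr_in from;
    int on = 1, s, e;
    memset(&from, 0, sizeof(from));
    from.sin_family = AF_INET;
    if (inet_pton(AF_INET, source, &from.sin_addr) != 1) { errno = EINVAL; return -1; }
    if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
        return -1;
    if (bind(s, (struct sockaddr *)&from, sizeof(from)) < 0 ||
        setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
        e = errno;
        close(s);
        errno = e;
        return -1;
    }
    *src_out = from.sin_addr;               /* validated address for ip_src */
    return s;
}
```

With the old ordering (IP_HDRINCL set first) the bind() check was skipped on the IP_HDRINCL build, which is exactly the hole the PR reports.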
Responsible-Changed-From-To: freebsd-bugs->pb 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sat Jul 12 22:23:56 PDT 2003 
Responsible-Changed-Why:  
Assign this PR to pb to determine whether it is still valid 

http://www.freebsd.org/cgi/query-pr.cgi?pr=29026 
State-Changed-From-To: open->closed 
State-Changed-By: pb 
State-Changed-When: Sat Apr 17 11:45:25 PDT 2004 
State-Changed-Why:  
Fix committed (in a simpler/shorter version). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=29026 
>Unformatted:
