An out-of-bounds read exists in traceroute/traceroute.c. After recvmsg() returns, `bufp` is advanced past the IPv4 header (`bufp += hlen`) but `n` is not decremented accordingly. The subsequent call `handle_extensions(pb, bufp + offs, n - offs, step);` therefore passes a `len` value that is `hlen` bytes (20 for IPv4, 40 for IPv6) larger than the data actually available from `bufp + offs`. This causes the MPLS extension parser to read past the received packet boundary into uninitialized stack memory within `buf[1280]`. The vulnerability is remotely triggerable by any on-path network device that can send a crafted ICMP Time Exceeded response with MPLS extensions to a `traceroute -e` invocation.
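As an added illustration (constructed for this entry, not traceroute's own code), the C snippet below contrasts the buggy length accounting with the corrected one and shows how an inflated `len` lets a truncated extension object pass a parser's bounds check. The RFC 4884 object layout, the offsets used, and the simplifying rule that a zero object length ends the walk are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the bug: 4-byte RFC 4884 extension header, then
   objects carrying a 2-byte length, a class-num and a c-type. */
enum { BUF_SIZE = 1280, EXT_HDR = 4, OBJ_HDR = 4 };

/* Bytes available to the extension parser. n is what recvmsg() returned,
   hlen the IP header that bufp was advanced past, offs the ICMP offset. */
long ext_avail(size_t n, size_t hlen, size_t offs, int buggy) {
    if (n < hlen + offs) return -1;
    if (!buggy) n -= hlen;    /* the fix: shrink n together with bufp += hlen */
    return (long)(n - offs);  /* buggy: result is hlen bytes too large */
}

/* Walks objects trusting len as the bound. Returns the number of objects
   accepted, or -1 when an object length exceeds len (truncated input). */
int walk_objects(const uint8_t *p, size_t len) {
    int count = 0;
    if (len < EXT_HDR) return -1;
    p += EXT_HDR; len -= EXT_HDR;
    while (len >= OBJ_HDR) {
        size_t olen = ((size_t)p[0] << 8) | p[1];
        if (olen == 0) break;                        /* simplification: end */
        if (olen < OBJ_HDR || olen > len) return -1; /* the bounds check */
        p += olen; len -= olen; count++;
    }
    return count;
}

/* Builds a constructed reply: hlen bytes of IP header, offs bytes of ICMP
   header plus quoted datagram, then one MPLS object whose declared length
   runs `extra` bytes past the end of what actually arrived. */
int demo(size_t hlen, size_t offs, size_t extra, int buggy) {
    uint8_t buf[BUF_SIZE];
    memset(buf, 0, sizeof buf);   /* stand-in for stale stack contents */
    size_t ext = hlen + offs;     /* == bufp + offs in the original code */
    size_t obj_len = OBJ_HDR + 8; /* header plus two 4-byte label entries */
    size_t n = ext + EXT_HDR + obj_len - extra;      /* bytes received */
    buf[ext] = 0x20;                                 /* extension version 2 */
    buf[ext + EXT_HDR]     = (uint8_t)(obj_len >> 8);
    buf[ext + EXT_HDR + 1] = (uint8_t)(obj_len & 0xFF);
    buf[ext + EXT_HDR + 2] = 1;                      /* class-num: MPLS */
    buf[ext + EXT_HDR + 3] = 1;                      /* c-type */
    long avail = ext_avail(n, hlen, offs, buggy);
    if (avail < 0) return -1;
    return walk_objects(buf + ext, (size_t)avail);
}
```

With the buggy accounting the 4-byte-short object is accepted and its tail is read from bytes that were never received; with the corrected accounting the same packet is rejected as truncated.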
| Vendor | Product | Versions |
|---|---|---|
| the traceroute project | traceroute | 2.1.2, 2.1.6, 2.1.1 |
Added affected version 2.1.1 based on the new article.
Updated description with detailed technical information and marked the vulnerability as actively exploited.
Initial creation