FreeBSD Bugzilla – Attachment 206713 Details for
Bug 239975
ping(8) crashes with SIGSEGV - Out-of-Bounds Read of size 2 (global-buffer-overflow)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
proposed patch
file_239975.txt (text/plain), 1.75 KB, created by
Neeraj
on 2019-08-19 21:50:28 UTC
(
hide
)
Description:
proposed patch
Filename:
MIME Type:
Creator:
Neeraj
Created:
2019-08-19 21:50:28 UTC
Size:
1.75 KB
patch
obsolete
>Index: sbin/ping/ping.c >=================================================================== >--- sbin/ping/ping.c (revision 351232) >+++ sbin/ping/ping.c (working copy) >@@ -1048,13 +1048,13 @@ > cc = ICMP_MINLEN + phdr_len + datalen; > > /* compute ICMP checksum here */ >- icp->icmp_cksum = in_cksum((u_char *)icp, cc); >+ icp->icmp_cksum = in_cksum((u_char *)icp, sizeof(struct ip), IP_MAXPACKET, cc); > > if (options & F_HDRINCL) { > cc += sizeof(struct ip); > ip = (struct ip *)outpackhdr; > ip->ip_len = htons(cc); >- ip->ip_sum = in_cksum(outpackhdr, cc); >+ ip->ip_sum = in_cksum(outpackhdr, sizeof(struct ip), IP_MAXPACKET, cc); > packet = outpackhdr; > } > i = send(ssend, (char *)packet, cc, 0); >Index: sbin/ping/utils.c >=================================================================== >--- sbin/ping/utils.c (revision 351232) >+++ sbin/ping/utils.c (working copy) >@@ -55,7 +55,7 @@ > * Checksum routine for Internet Protocol family headers (C Version) > */ > u_short >-in_cksum(u_char *addr, int len) >+in_cksum(u_char *addr, size_t ipstructsize, int ip_maxpacket, int len) > { > int nleft, sum; > u_char *w; >@@ -74,7 +74,7 @@ > * sequential 16 bit words to it, and at the end, fold back all the > * carry bits from the top 16 bits into the lower 16 bits. > */ >- while (nleft > 1) { >+ while ((nleft > 1) && (w < &addr[ip_maxpacket - ipstructsize - sizeof(u_short)])) { > u_short data; > > memcpy(&data, w, sizeof(data)); >Index: sbin/ping/utils.h >=================================================================== >--- sbin/ping/utils.h (revision 351232) >+++ sbin/ping/utils.h (working copy) >@@ -33,6 +33,6 @@ > > #include <sys/types.h> > >-u_short in_cksum(u_char *, int); >+u_short in_cksum(u_char *, size_t, int, int); > > #endif
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=206713">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 239975
:
206713
|
211225
|
216784