FreeBSD Bugzilla – Attachment 216784 Details for
Bug 239975
ping(8) crashes with SIGSEGV - Out-of-Bounds Read of size 2 (global-buffer-overflow)
[patch] latest modified patch as per the latest code revision 363556 due to some variables modified
ping.diff (text/plain), 2.01 KB, created by Neeraj on 2020-07-26 17:40:52 UTC
>Index: sbin/ping/ping.c >=================================================================== >--- sbin/ping/ping.c (revision 363566) >+++ sbin/ping/ping.c (working copy) >@@ -1066,7 +1066,7 @@ > cc = ICMP_MINLEN + phdr_len + datalen; > > /* compute ICMP checksum here */ >- icp.icmp_cksum = in_cksum(outpack, cc); >+ icp.icmp_cksum = in_cksum(outpack, sizeof(struct icmp), IP_MAXPACKET, cc); > /* Update icmp_cksum in the raw packet data buffer. */ > memcpy(outpack + offsetof(struct icmp, icmp_cksum), &icp.icmp_cksum, > sizeof(icp.icmp_cksum)); >@@ -1079,7 +1079,7 @@ > /* Update ip_len in the raw packet data buffer. */ > memcpy(outpackhdr + offsetof(struct ip, ip_len), &ip.ip_len, > sizeof(ip.ip_len)); >- ip.ip_sum = in_cksum(outpackhdr, cc); >+ ip.ip_sum = in_cksum(outpackhdr, sizeof(struct ip), IP_MAXPACKET, cc); > /* Update ip_sum in the raw packet data buffer. */ > memcpy(outpackhdr + offsetof(struct ip, ip_sum), &ip.ip_sum, > sizeof(ip.ip_sum)); >Index: sbin/ping/utils.c >=================================================================== >--- sbin/ping/utils.c (revision 363566) >+++ sbin/ping/utils.c (working copy) >@@ -55,7 +55,7 @@ > * Checksum routine for Internet Protocol family headers (C Version) > */ > u_short >-in_cksum(u_char *addr, int len) >+in_cksum(u_char *addr, size_t struct_size, int ip_maxpacket, int len) > { > int nleft, sum; > u_char *w; >@@ -74,7 +74,7 @@ > * sequential 16 bit words to it, and at the end, fold back all the > * carry bits from the top 16 bits into the lower 16 bits. > */ >- while (nleft > 1) { >+ while ((nleft > 1) && (w < &addr[ip_maxpacket - struct_size - sizeof(u_short)])) { > u_short data; > > memcpy(&data, w, sizeof(data)); >Index: sbin/ping/utils.h >=================================================================== >--- sbin/ping/utils.h (revision 363566) >+++ sbin/ping/utils.h (working copy) 
>@@ -33,6 +33,6 @@ > > #include <sys/types.h> > >-u_short in_cksum(u_char *, int); >+u_short in_cksum(u_char *, size_t, int, int); > > #endif
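Review bot: At the `in_cksum(outpack, sizeof(struct icmp), IP_MAXPACKET, cc)` call in the sbin/ping/ping.c hunk at @@ -1066, `cc` is computed as `ICMP_MINLEN + phdr_len + datalen` and handed to the checksum routine without being checked against the size of `outpack`, so the fix relies entirely on the callee clamping its reads. Nothing in the hunk shows that `IP_MAXPACKET - sizeof(struct icmp)` is the number of bytes actually available at `outpack`. A check of `cc` against the buffer size at this call site, or a comment stating why that expression is the right limit, would make the bound verifiable.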
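Review bot: The new signature `in_cksum(u_char *addr, size_t struct_size, int ip_maxpacket, int len)` in the sbin/ping/utils.c hunk at @@ -55 adds two parameters without updating the comment above the function, and neither parameter directly expresses what the routine needs to know, which is how many bytes are readable at `addr`. A single `size_t` buffer-size parameter, documented in the header comment, would let the routine bound its reads without depending on header struct sizes or on `IP_MAXPACKET`.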
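Review bot: In the sbin/ping/utils.c hunk at @@ -74, the added loop condition ends the summation silently once `w` reaches the bound, so when `len` exceeds the limit the function returns a checksum that does not cover all `len` bytes and the caller has no way to detect it. The expression `ip_maxpacket - struct_size - sizeof(u_short)` also mixes an `int` with `size_t` operands, so it is evaluated as unsigned and wraps to a very large index if `struct_size + sizeof(u_short)` ever exceeds `ip_maxpacket`. Consider validating `len` once before the loop against the real buffer size and treating a violation as an error, rather than clamping on every iteration.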
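Review bot: The prototype `u_short in_cksum(u_char *, size_t, int, int);` in the sbin/ping/utils.h hunk leaves its parameters unnamed, and the two trailing `int` arguments (maximum packet size and length) can be swapped at a call site without any compiler diagnostic. Naming the parameters in the header, as the definition in utils.c does, would make the expected argument order visible to callers.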