Bug 239977

Summary: Integer Overflow: ping(8) option "-G" and "-g", bypass the invalid sweepmax and sweepmin packet size check
Product: Base System Reporter: Neeraj <neerajpal09>
Component: binAssignee: Mark Johnston <markj>
Status: Closed FIXED    
Severity: Affects Some People CC: markj, neerajpal09, secteam
Priority: --- Keywords: easy, needs-qa, security
Version: CURRENTFlags: koobs: mfc-stable12?
koobs: mfc-stable11?
Hardware: Any   
OS: Any   
Attachments:
Description Flags
proposed patch none

Description Neeraj 2019-08-19 23:06:24 UTC
Integer Overflow is observed in ping(8) command line option "-G" and option "-g".

* sbin/ping/ping.c:350 (-G) and sbin/ping/ping.c:364 (-g)

** "sweepmax = ltmp;" & "sweepmin = ltmp;" <= storing long value to int variable

providing option "-G" with value 4294967297 and "-g" with 4294967292, will bypass the check at sbin/ping/ping.c:339 and at sbin/ping/ping.c:354 and will try to send packet with illegal range like (-4 ... 1) data bytes

[Steps to reproduce]

* root@freebsd:/usr/src/sbin/ping # ping -G 5 -g -1 localhost 
ping: invalid packet size: `-1'

* root@freebsd:/usr/src/sbin/ping # ping -G 4294967297 -g 4294967292 localhost
PING localhost (127.0.0.1): (-4 ... 1) data bytes
8 bytes from 127.0.0.1: icmp_seq=4 ttl=64
9 bytes from 127.0.0.1: icmp_seq=5 ttl=64

--- localhost ping statistics ---
6 packets transmitted, 2 packets received, 66.7% packet loss

[Impact]
Bypass the check for invalid packet size and will try to send packet with illegal sweepmax and sweepmin size properties.

Note: root privilege is required.
Comment 1 Neeraj 2019-08-19 23:07:23 UTC
Created attachment 206715 [details]
proposed patch
Comment 2 Mark Johnston freebsd_committer freebsd_triage 2020-07-11 17:13:26 UTC
https://reviews.freebsd.org/D25622
Comment 3 commit-hook freebsd_committer freebsd_triage 2020-11-24 17:13:19 UTC
A commit references this bug:

Author: markj
Date: Tue Nov 24 17:12:40 UTC 2020
New revision: 367988
URL: https://svnweb.freebsd.org/changeset/base/367988

Log:
  ping(8): Improve parameter validation

  - Use strtonum(3) to simplify bounds checking of numeric parameters.
  - Fix bounds checking when filling out packet data in "sweep" mode.

  PR:		239974, 239977, 239978
  Reported by:	Neeraj <neerajpal09@gmail.com>
  MFC after:	1 week
  Differential Revision:	https://reviews.freebsd.org/D25622

Changes:
  head/sbin/ping/ping.c
Comment 4 commit-hook freebsd_committer freebsd_triage 2020-12-01 15:09:07 UTC
A commit references this bug:

Author: markj
Date: Tue Dec  1 15:09:03 UTC 2020
New revision: 368231
URL: https://svnweb.freebsd.org/changeset/base/368231

Log:
  MFC r367988:
  ping(8): Improve parameter validation

  PR:	239974, 239977, 239978

Changes:
_U  stable/12/
  stable/12/sbin/ping/ping.c