188351 – [patch] ping6(8): fix crash on boundary value operation

Bug 188351 - [patch] ping6(8): fix crash on boundary value operation

Summary: [patch] ping6(8): fix crash on boundary value operation

Status:	Open

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	bin (show other bugs)
Version:	Unspecified
Hardware:	Any Any

Importance:	Normal Affects Only Me
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:	patch

Depends on:
Blocks:

Reported:	2014-04-07 15:40 UTC by Balaaji SP
Modified:	2022-10-17 12:40 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Balaaji SP 2014-04-07 15:40:00 UTC

Ping6 application crashes when executed with maximum packet data size option.
Maximum allowed data bytes length should be 130768 and not 131024. EXTRA bytes is not accounted
while calculating packet length.

This happens because memory gets over-written by 256 bytes beyond the outpack buffer in to memory arena.

Fix: 

Account EXTRA bytes in packet length.

freebsd/sbin/ping6/ping6.c	

- #define MAXDATALEN      MAXPACKETLEN - IP6LEN - ICMP6ECHOLEN
+#define MAXDATALEN	MAXPACKETLEN - IP6LEN - ICMP6ECHOLEN - EXTRA
How-To-Repeat: Execute Ping6 with -s option with a value of 131024. Verify if the application has crashed.

Comment 1 Eitan Adler freebsd_committer

2017-12-31 07:59:18 UTC

For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped

Comment 2 Graham Perrin freebsd_committer

2022-10-17 12:40:51 UTC

Keyword: 

    patch
or  patch-ready

– in lieu of summary line prefix: 

    [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk). 

Keyword descriptions and search interface: 

    <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>