Bug 239976 - Integer Overflow: ping(8) option "-s", bypass the invalid packet size check
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Mark Johnston
URL:
Keywords: easy, needs-qa
Depends on:
Blocks:
 
Reported: 2019-08-19 22:59 UTC by Neeraj
Modified: 2020-07-26 18:05 UTC

See Also:
markj: mfc-stable12+


Attachments
proposed patch (476 bytes, patch)
2019-08-19 23:00 UTC, Neeraj

Description Neeraj 2019-08-19 22:59:01 UTC
Integer Overflow is observed in ping(8) command line option "-s".

* sbin/ping/ping.c:485

** "datalen = ltmp;" <= storing long value to int value

Providing "-s" with value 4294967295 will bypass the check at sbin/ping/ping.c:475 and will try to send a packet with size -1.

[Steps to reproduce]
* root@freebsd:/usr/src/sbin/ping # ping -c 2 -s -1 localhost
ping: invalid packet size: `-1'

* root@freebsd:/usr/src/sbin/ping # ping -c 2 -s 4294967295 localhost
PING localhost (127.0.0.1): -1 data bytes

--- localhost ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

[Impact]
Bypasses the check for invalid packet size and will try to send a packet with illegal size properties.

Note: root privilege is required.
Comment 1 Neeraj 2019-08-19 23:00:08 UTC
Created attachment 206714
proposed patch
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-07-11 17:10:42 UTC
A commit references this bug:

Author: markj
Date: Sat Jul 11 17:10:16 UTC 2020
New revision: 363102
URL: https://svnweb.freebsd.org/changeset/base/363102

Log:
  ping(8): Check for integer truncation when handling the value for -s.

  PR:		239976
  Submitted by:	Neeraj <neerajpal09@gmail.com>
  MFC after:	1 week
  Event:		July 2020 Bugathon

Changes:
  head/sbin/ping/ping.c
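Added example, not the FreeBSD ping.c source and not the attached patch: a minimal C sketch of the truncation described in this report next to a range check of the kind the commit log names. The function names are hypothetical, and `long long`/`strtoll` stand in for the `long` value so the narrowing shows on any platform.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical pre-fix pattern: the wide value is only checked for sign,
 * then stored in an int. Returns 0 if accepted, -1 if rejected. */
static int parse_size_unchecked(const char *arg, int *datalen)
{
    char *ep;
    long long ltmp = strtoll(arg, &ep, 0);

    if (*ep != '\0' || ep == arg || ltmp < 0)
        return -1;
    *datalen = (int)ltmp;  /* narrowing: 4294967295 wraps to -1 on gcc/clang */
    return 0;
}

/* Hardened form: reject parse overflow and anything outside [0, INT_MAX]
 * before the value is narrowed. */
static int parse_size_checked(const char *arg, int *datalen)
{
    char *ep;
    long long ltmp;

    errno = 0;
    ltmp = strtoll(arg, &ep, 0);
    if (*ep != '\0' || ep == arg || errno == ERANGE)
        return -1;
    if (ltmp < 0 || ltmp > INT_MAX)
        return -1;
    *datalen = (int)ltmp;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the two values from the report plus boundaries. */
    const char *in[] = { "-1", "56", "4294967295", "2147483647", "2147483648" };

    for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++) {
        int a = 0, b = 0;
        int ra = parse_size_unchecked(in[i], &a);
        int rb = parse_size_checked(in[i], &b);
        printf("%-12s unchecked: %s (%d)  checked: %s (%d)\n", in[i],
            ra ? "reject" : "accept", a, rb ? "reject" : "accept", b);
    }
    return 0;
}
```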
Comment 3 commit-hook freebsd_committer freebsd_triage 2020-07-20 13:38:18 UTC
A commit references this bug:

Author: markj
Date: Mon Jul 20 13:37:15 UTC 2020
New revision: 363365
URL: https://svnweb.freebsd.org/changeset/base/363365

Log:
  MFC r363102:
  ping(8): Check for integer truncation when handling the value for -s.

  PR:	239976

Changes:
_U  stable/12/
  stable/12/sbin/ping/ping.c
Comment 4 Mark Johnston freebsd_committer freebsd_triage 2020-07-20 13:39:30 UTC
Thanks for the report and patch.
Comment 5 Neeraj 2020-07-26 18:05:47 UTC
(In reply to Mark Johnston from comment #4)

Thank you for the review and commit.