Integer Overflow is observed in ping(8) command line option "-s".

* sbin/ping/ping.c:485
** "datalen = ltmp;" <= storing long value to int value

Providing "-s" with value 4294967295 will bypass the check at sbin/ping/ping.c:475 and will try to send packet with size -1.

[Steps to reproduce]

* root@freebsd:/usr/src/sbin/ping # ping -c 2 -s -1 localhost
ping: invalid packet size: `-1'

* root@freebsd:/usr/src/sbin/ping # ping -c 2 -s 4294967295 localhost
PING localhost (127.0.0.1): -1 data bytes

--- localhost ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

[Impact]

Bypass the check for invalid packet size and will try to send packet with illegal size properties.

Note: root privilege is required.
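The truncation described in the report above, shown next to a range-checked form, as an added example (not code from ping.c or from the attached patch). The function names are hypothetical, `strtoll`/`long long` stand in for the wide type so the behaviour does not depend on the width of `long`, and the narrowing conversion is assumed to wrap as it does with gcc and clang.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the reported pattern: the wide value is only
 * checked for "< 0", then stored into an int. */
static int parse_size_unchecked(const char *arg, int *datalen)
{
    char *ep;
    long long tmp = strtoll(arg, &ep, 0);

    if (*ep != '\0' || ep == arg || tmp < 0)
        return -1;              /* rejected: "invalid packet size" */
    *datalen = (int)tmp;        /* narrowing store; wraps on gcc/clang */
    return 0;
}

/* Hardened form: reject anything that does not fit in the destination
 * type before the narrowing store happens. */
static int parse_size_checked(const char *arg, int *datalen)
{
    char *ep;
    long long tmp;

    errno = 0;
    tmp = strtoll(arg, &ep, 0);
    if (*ep != '\0' || ep == arg || errno == ERANGE ||
        tmp < 0 || tmp > INT_MAX)
        return -1;
    *datalen = (int)tmp;        /* safe: 0 <= tmp <= INT_MAX */
    return 0;
}

int main(void)
{
    /* Constructed inputs: the two values from the report plus edge cases. */
    const char *samples[] = { "56", "-1", "4294967295", "2147483648", "4294967352" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int a = 0, b = 0;
        int ra = parse_size_unchecked(samples[i], &a);
        int rb = parse_size_checked(samples[i], &b);
        printf("%-11s unchecked: %s (%d)  checked: %s\n", samples[i],
            ra ? "reject" : "accept", a, rb ? "reject" : "accept");
    }
    return 0;
}
```

The last sample shows why a sign check after the store is not enough: 4294967352 truncates to 56, a value that looks valid but is not what the caller passed.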
Created attachment 206714
proposed patch
A commit references this bug:

Author: markj
Date: Sat Jul 11 17:10:16 UTC 2020
New revision: 363102
URL: https://svnweb.freebsd.org/changeset/base/363102

Log:
  ping(8): Check for integer truncation when handling the value for -s.

  PR: 239976
  Submitted by: Neeraj <neerajpal09@gmail.com>
  MFC after: 1 week
  Event: July 2020 Bugathon

Changes:
  head/sbin/ping/ping.c
A commit references this bug:

Author: markj
Date: Mon Jul 20 13:37:15 UTC 2020
New revision: 363365
URL: https://svnweb.freebsd.org/changeset/base/363365

Log:
  MFC r363102:

  ping(8): Check for integer truncation when handling the value for -s.

  PR: 239976

Changes:
_U  stable/12/
  stable/12/sbin/ping/ping.c
Thanks for the report and patch.
(In reply to Mark Johnston from comment #4) Thank you for the review and commit.