Integer Overflow is observed in ping(8) command line option "-G" and option "-g". * sbin/ping/ping.c:350 (-G) and sbin/ping/ping.c:364 (-g) ** "sweepmax = ltmp;" & "sweepmin = ltmp;" <= storing long value to int variable providing option "-G" with value 4294967297 and "-g" with 4294967292, will bypass the check at sbin/ping/ping.c:339 and at sbin/ping/ping.c:354 and will try to send packet with illegal range like (-4 ... 1) data bytes [Steps to reproduce] * root@freebsd:/usr/src/sbin/ping # ping -G 5 -g -1 localhost ping: invalid packet size: `-1' * root@freebsd:/usr/src/sbin/ping # ping -G 4294967297 -g 4294967292 localhost PING localhost (127.0.0.1): (-4 ... 1) data bytes 8 bytes from 127.0.0.1: icmp_seq=4 ttl=64 9 bytes from 127.0.0.1: icmp_seq=5 ttl=64 --- localhost ping statistics --- 6 packets transmitted, 2 packets received, 66.7% packet loss [Impact] Bypass the check for invalid packet size and will try to send packet with illegal sweepmax and sweepmin size properties. Note: root privilege is required.
Created attachment 206715 [details] proposed patch
https://reviews.freebsd.org/D25622
A commit references this bug: Author: markj Date: Tue Nov 24 17:12:40 UTC 2020 New revision: 367988 URL: https://svnweb.freebsd.org/changeset/base/367988 Log: ping(8): Improve parameter validation - Use strtonum(3) to simplify bounds checking of numeric parameters. - Fix bounds checking when filling out packet data in "sweep" mode. PR: 239974, 239977, 239978 Reported by: Neeraj <neerajpal09@gmail.com> MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D25622 Changes: head/sbin/ping/ping.c
A commit references this bug: Author: markj Date: Tue Dec 1 15:09:03 UTC 2020 New revision: 368231 URL: https://svnweb.freebsd.org/changeset/base/368231 Log: MFC r367988: ping(8): Improve parameter validation PR: 239974, 239977, 239978 Changes: _U stable/12/ stable/12/sbin/ping/ping.c