Bug 239978 - Integer Overflow: ping(8) option "-h", bypass the invalid sweepincr packet size check
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Mark Johnston
Keywords: easy, needs-qa, security
Reported: 2019-08-19 23:09 UTC by Neeraj
Modified: 2020-12-01 15:10 UTC

See Also:
koobs: mfc-stable12?
koobs: mfc-stable11?


Attachments
proposed patch (517 bytes, patch)
2019-08-19 23:10 UTC, Neeraj

Description Neeraj 2019-08-19 23:09:25 UTC
An integer overflow is observed in the ping(8) command-line option "-h".

* sbin/ping/ping.c:378

** "sweepincr = ltmp;" <= storing long value to int variable

Providing "-h" with the value 4294967295 will bypass the check at sbin/ping/ping.c:368, and ping will try to send a packet with a sweepincr value of -1.

[Steps to reproduce]
* root@freebsd:/usr/src # ping -G 1 -h -1 localhost 
ping: invalid increment size: `-1'

* root@freebsd:/usr/src # ping -G 1 -h 4294967292 localhost
PING localhost (127.0.0.1): (0 ... 1) data bytes
8 bytes from 127.0.0.1: icmp_seq=0 ttl=64
ping: sendto: Invalid argument
ping: sendto: Invalid argument
ping: sendto: Invalid argument
ping: sendto: Invalid argument
^C
--- localhost ping statistics ---
7 packets transmitted, 1 packets received, 85.7% packet loss

[Impact]
Bypasses the check for an invalid increment size, and ping will try to send a packet with illegal increment size properties.

Note: root privilege is required.
Comment 1 Neeraj 2019-08-19 23:10:24 UTC
Created attachment 206716
proposed patch
Comment 2 Mark Johnston freebsd_committer 2020-07-11 17:13:31 UTC
https://reviews.freebsd.org/D25622
Comment 3 commit-hook freebsd_committer 2020-11-24 17:13:20 UTC
A commit references this bug:

Author: markj
Date: Tue Nov 24 17:12:41 UTC 2020
New revision: 367988
URL: https://svnweb.freebsd.org/changeset/base/367988

Log:
  ping(8): Improve parameter validation

  - Use strtonum(3) to simplify bounds checking of numeric parameters.
  - Fix bounds checking when filling out packet data in "sweep" mode.

  PR:		239974, 239977, 239978
  Reported by:	Neeraj <neerajpal09@gmail.com>
  MFC after:	1 week
  Differential Revision:	https://reviews.freebsd.org/D25622

Changes:
  head/sbin/ping/ping.c
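
The narrowing problem from the description, next to the kind of bounds-checked parsing the commit log refers to, as an added example that is neither the FreeBSD source nor the committed patch. It uses strtoll with explicit range checks as a portable stand-in for strtonum(3); the function names and the MAX_INCR bound are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical upper bound for the increment; not taken from ping.c. */
#define MAX_INCR 65507

/*
 * Pattern from the report: validate the wide value, then narrow it to int
 * (long long stands in for long so this holds where long is 32 bits).
 * Returns 0 if the argument is accepted, -1 if it is rejected.
 */
static int
parse_incr_unchecked(const char *arg, int *incr)
{
	char *ep;
	long long tmp = strtoll(arg, &ep, 10);

	if (*ep != '\0' || ep == arg || tmp < 1)
		return (-1);
	*incr = (int)tmp;	/* 4294967295 narrows to -1 on common ABIs */
	return (0);
}

/* Hardened: enforce [1, MAX_INCR] before narrowing, as strtonum(3) would. */
static int
parse_incr_checked(const char *arg, int *incr)
{
	char *ep;
	long long tmp;

	errno = 0;
	tmp = strtoll(arg, &ep, 10);
	if (errno != 0 || *ep != '\0' || ep == arg || tmp < 1 || tmp > MAX_INCR)
		return (-1);
	*incr = (int)tmp;
	return (0);
}

int
main(void)
{
	const char *s[] = { "-1", "8", "4294967292", "4294967295" }; /* constructed */
	for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++) {
		int a = 0, b = 0;
		int ra = parse_incr_unchecked(s[i], &a), rb = parse_incr_checked(s[i], &b);
		printf("%-10s unchecked=%d (value %d) checked=%d (value %d)\n", s[i], ra, a, rb, b);
	}
	return (0);
}
```

The unchecked parser rejects "-1" but accepts the large positive inputs, which then land in the int as negative values; the checked parser rejects all three.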
Comment 4 commit-hook freebsd_committer 2020-12-01 15:09:08 UTC
A commit references this bug:

Author: markj
Date: Tue Dec  1 15:09:03 UTC 2020
New revision: 368231
URL: https://svnweb.freebsd.org/changeset/base/368231

Log:
  MFC r367988:
  ping(8): Improve parameter validation

  PR:	239974, 239977, 239978

Changes:
_U  stable/12/
  stable/12/sbin/ping/ping.c