Date: Mon, 19 Aug 2019 22:59:01 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 239976] Integer Overflow: ping(8) option "-s", bypass the invalid packet size check Message-ID: <bug-239976-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D239976 Bug ID: 239976 Summary: Integer Overflow: ping(8) option "-s", bypass the invalid packet size check Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: bin Assignee: bugs@FreeBSD.org Reporter: neerajpal09@gmail.com Integer Overflow is observed in ping(8) command line option "-s". * sbin/ping/ping.c:485 ** "datalen =3D ltmp;" <=3D storing long value to int value providing "-s" with value 4294967295 will bypass the check at sbin/ping/ping.c:475 and will try to send packet with size -1. [Steps to reproduce] * root@freebsd:/usr/src/sbin/ping # ping -c 2 -s -1 localhost ping: invalid packet size: `-1' * root@freebsd:/usr/src/sbin/ping # ping -c 2 -s 4294967295 localhost PING localhost (127.0.0.1): -1 data bytes --- localhost ping statistics --- 2 packets transmitted, 0 packets received, 100.0% packet loss [Impact] Bypass the check for invalid packet size and will try to send packet with illegal size properties. Note: root privilege is required. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-239976-227>