Date: Mon, 19 Aug 2019 23:06:24 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 239977] Integer Overflow: ping(8) option "-G" and "-g", bypass the invalid sweepmax and sweepmin packet size check Message-ID: <bug-239977-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239977 Bug ID: 239977 Summary: Integer Overflow: ping(8) option "-G" and "-g", bypass the invalid sweepmax and sweepmin packet size check Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: bin Assignee: bugs@FreeBSD.org Reporter: neerajpal09@gmail.com Integer Overflow is observed in ping(8) command line option "-G" and option "-g". * sbin/ping/ping.c:350 (-G) and sbin/ping/ping.c:364 (-g) ** "sweepmax = ltmp;" & "sweepmin = ltmp;" <= storing long value to int variable providing option "-G" with value 4294967297 and "-g" with 4294967292, will bypass the check at sbin/ping/ping.c:339 and at sbin/ping/ping.c:354 and will try to send packet with illegal range like (-4 ... 1) data bytes [Steps to reproduce] * root@freebsd:/usr/src/sbin/ping # ping -G 5 -g -1 localhost ping: invalid packet size: `-1' * root@freebsd:/usr/src/sbin/ping # ping -G 4294967297 -g 4294967292 localhost PING localhost (127.0.0.1): (-4 ... 1) data bytes 8 bytes from 127.0.0.1: icmp_seq=4 ttl=64 9 bytes from 127.0.0.1: icmp_seq=5 ttl=64 --- localhost ping statistics --- 6 packets transmitted, 2 packets received, 66.7% packet loss [Impact] Bypass the check for invalid packet size and will try to send packet with illegal sweepmax and sweepmin size properties. Note: root privilege is required. -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-239977-227>