Date: Mon, 19 Aug 2019 23:09:25 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 239978] Integer Overflow: ping(8) option "-h", bypass the invalid sweepincr packet size check Message-ID: <bug-239978-227@https.bugs.freebsd.org/bugzilla/>
index | next in thread | raw e-mail
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239978 Bug ID: 239978 Summary: Integer Overflow: ping(8) option "-h", bypass the invalid sweepincr packet size check Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: bin Assignee: bugs@FreeBSD.org Reporter: neerajpal09@gmail.com Integer Overflow is observed in ping(8) command line option "-h". * sbin/ping/ping.c:378 ** "sweepincr = ltmp;" <= storing long value to int variable providing "-h" with value 4294967295 will bypass the check at sbin/ping/ping.c:368 and will try to send packet with sweepincr value -1. [Steps to reproduce] * root@freebsd:/usr/src # ping -G 1 -h -1 localhost ping: invalid increment size: `-1' * root@freebsd:/usr/src # ping -G 1 -h 4294967292 localhost PING localhost (127.0.0.1): (0 ... 1) data bytes 8 bytes from 127.0.0.1: icmp_seq=0 ttl=64 ping: sendto: Invalid argument ping: sendto: Invalid argument ping: sendto: Invalid argument ping: sendto: Invalid argument ^C --- localhost ping statistics --- 7 packets transmitted, 1 packets received, 85.7% packet loss [Impact] Bypass the check for invalid increment size and will try to send packet with illegal increment size properties. Note: root privilege is required. -- You are receiving this mail because: You are the assignee for the bug.help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-239978-227>