Date: Mon, 03 Feb 2020 21:13:40 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 239975] ping(8) crashes with SIGSEGV - Out-of-Bounds Read of size 2 (global-buffer-overflow) Message-ID: <bug-239975-227-SSy2FilF8o@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-239975-227@https.bugs.freebsd.org/bugzilla/> References: <bug-239975-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D239975 --- Comment #4 from Colin Zee <ckyzee@freebsdfoundation.org> --- Comment on attachment 211225 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D211225 Additional patch
>diff --git a/sbin/ping/tests/in_cksum_test.c b/sbin/ping/tests/in_cksum_te= st.c
>index fc266545b43..d172a4cabc1 100644
>--- a/sbin/ping/tests/in_cksum_test.c
>+++ b/sbin/ping/tests/in_cksum_test.c
>@@ -1,146 +1,149 @@
> /*-
> * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
> *
> * Copyright (C) 2019 Jan Sucan <jansucan@FreeBSD.org>
> * All rights reserved.
> *
> * Redistribution and use in source and binary forms, with or without
> * modification, are permitted provided that the following conditions
> * are met:
> * 1. Redistributions of source code must retain the above copyright
> * notice, this list of conditions and the following disclaimer.
> * 2. Redistributions in binary form must reproduce the above copyright
> * notice, this list of conditions and the following disclaimer in the
> * documentation and/or other materials provided with the distribution.
> *
> * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
> * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PUR= POSE
> * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
> * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUEN= TIAL
> * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
> * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
> * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ST= RICT
> * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY = WAY
> * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> * SUCH DAMAGE.
> */
>=20
> #include <sys/cdefs.h>
> __FBSDID("$FreeBSD$");
>=20
> #include <sys/param.h>
>=20
> #include <atf-c.h>
>=20
>+#include <sys/socket.h>
>+#include "../../../include/protocols/routed.h"
>
> #include "../utils.h"
>=20
> /*
> * Test cases.
> */
>=20
> ATF_TC_WITHOUT_HEAD(aligned_even_length_big_endian);
> ATF_TC_BODY(aligned_even_length_big_endian, tc)
> {
> u_char data[] __aligned(sizeof(u_short)) =3D
> {0x12, 0x34, 0x56, 0x78};
> u_short sum;
>=20
>- sum =3D in_cksum(data, nitems(data));
>+ sum =3D in_cksum(data, sizeof(struct rip), MAXPACKETSIZE, nitems(data));
> ATF_REQUIRE(sum =3D=3D 0x5397);
> }
>=20
> ATF_TC_WITHOUT_HEAD(aligned_odd_length_big_endian);
> ATF_TC_BODY(aligned_odd_length_big_endian, tc)
> {
> u_char data[] __aligned(sizeof(u_short)) =3D
> {0x12, 0x34, 0x56, 0x78, 0x9a};
> u_short sum;
>=20
>- sum =3D in_cksum(data, nitems(data));
>+ sum =3D in_cksum(data, sizeof(struct rip), MAXPACKETSIZE, nitems(data));
> ATF_REQUIRE(sum =3D=3D 0x52fd);
> }
>=20
> ATF_TC_WITHOUT_HEAD(aligned_even_length_little_endian);
> ATF_TC_BODY(aligned_even_length_little_endian, tc)
> {
> u_char data[] __aligned(sizeof(u_short)) =3D
> {0x34, 0x12, 0x78, 0x56};
> u_short sum;
>=20
>- sum =3D in_cksum(data, nitems(data));
>+ sum =3D in_cksum(data, sizeof(struct rip), MAXPACKETSIZE, nitems(data));
> ATF_REQUIRE_MSG(sum =3D=3D 0x9753, "%d", sum);
> }
>=20
> ATF_TC_WITHOUT_HEAD(aligned_odd_length_little_endian);
> ATF_TC_BODY(aligned_odd_length_little_endian, tc)
> {
> u_char data[] __aligned(sizeof(u_short)) =3D
> {0x34, 0x12, 0x78, 0x56, 0x00, 0x9a};
> u_short sum;
>=20
>- sum =3D in_cksum(data, nitems(data));
>+ sum =3D in_cksum(data, sizeof(struct rip), MAXPACKETSIZE, nitems(data));
> ATF_REQUIRE(sum =3D=3D 0xfd52);
> }
>=20
> ATF_TC_WITHOUT_HEAD(unaligned_even_length_big_endian);
> ATF_TC_BODY(unaligned_even_length_big_endian, tc)
> {
> u_char data[] __aligned(sizeof(u_short)) =3D
> {0x00, 0x12, 0x34, 0x56, 0x78};
> u_short sum;
>=20
>- sum =3D in_cksum(data + 1, nitems(data) - 1);
>+ sum =3D in_cksum(data + 1, sizeof(struct rip), MAXPACKETSIZE, nitems(dat= a) - 1);
> ATF_REQUIRE(sum =3D=3D 0x5397);
> }
>=20
> ATF_TC_WITHOUT_HEAD(unaligned_odd_length_big_endian);
> ATF_TC_BODY(unaligned_odd_length_big_endian, tc)
> {
> u_char data[] __aligned(sizeof(u_short)) =3D
> {0x00, 0x12, 0x34, 0x56, 0x78, 0x9a};
> u_short sum;
>=20
>- sum =3D in_cksum(data + 1, nitems(data) - 1);
>+ sum =3D in_cksum(data + 1, sizeof(struct rip), MAXPACKETSIZE, nitems(dat= a) - 1);
> ATF_REQUIRE(sum =3D=3D 0x52fd);
> }
>=20
> ATF_TC_WITHOUT_HEAD(unaligned_even_length_little_endian);
> ATF_TC_BODY(unaligned_even_length_little_endian, tc)
> {
> u_char data[] __aligned(sizeof(u_short)) =3D
> {0x00, 0x34, 0x12, 0x78, 0x56};
> u_short sum;
>=20
>- sum =3D in_cksum(data + 1, nitems(data) - 1);
>+ sum =3D in_cksum(data + 1, sizeof(struct rip), MAXPACKETSIZE, nitems(dat= a) - 1);
> ATF_REQUIRE_MSG(sum =3D=3D 0x9753, "%d", sum);
> }
>=20
> ATF_TC_WITHOUT_HEAD(unaligned_odd_length_little_endian);
> ATF_TC_BODY(unaligned_odd_length_little_endian, tc)
> {
> u_char data[] __aligned(sizeof(u_short)) =3D
> {0x00, 0x34, 0x12, 0x78, 0x56, 0x00, 0x9a};
> u_short sum;
>=20
>- sum =3D in_cksum(data + 1, nitems(data) - 1);
>+ sum =3D in_cksum(data + 1, sizeof(struct rip), MAXPACKETSIZE, nitems(dat= a) - 1);
> ATF_REQUIRE(sum =3D=3D 0xfd52);
> }
>=20
> /*
> * Main.
> */
>=20
> ATF_TP_ADD_TCS(tp)
> {
> ATF_TP_ADD_TC(tp, aligned_even_length_big_endian);
> ATF_TP_ADD_TC(tp, aligned_odd_length_big_endian);
> ATF_TP_ADD_TC(tp, aligned_even_length_little_endian);
> ATF_TP_ADD_TC(tp, aligned_odd_length_little_endian);
> ATF_TP_ADD_TC(tp, unaligned_even_length_big_endian);
> ATF_TP_ADD_TC(tp, unaligned_odd_length_big_endian);
> ATF_TP_ADD_TC(tp, unaligned_even_length_little_endian);
> ATF_TP_ADD_TC(tp, unaligned_odd_length_little_endian);
>=20
> return (atf_no_error());
> }
--=20 You are receiving this mail because: You are the assignee for the bug.=
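Review bot: The two arguments added to every `in_cksum()` call in this hunk, `sizeof(struct rip)` and `MAXPACKETSIZE`, come from the RIP header `protocols/routed.h` and bear no relation to the 4- to 7-byte `data` arrays the tests checksum. The new `in_cksum()` prototype is not part of this patch, so the argument roles are inferred, but if they are meant to bound the read reported in bug 239975, each case should derive them from its own buffer (for example `sizeof(data)`, or `sizeof(data) - 1` in the `data + 1` cases) so an over-read fails the test instead of staying inside an oversized limit. None of the eight cases passes a length larger than its buffer, so the out-of-bounds condition itself remains untested; a case that does so and asserts the rejected result would cover the fix. The relative include `"../../../include/protocols/routed.h"` would also be better written as `<protocols/routed.h>`, or dropped once the RIP constants are no longer used.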