Date: Tue, 8 May 2001 03:24:33 -0700 From: Kris Kennaway <kris@obsecurity.org> To: audit@FreeBSD.org Subject: ping security fixes Message-ID: <20010508032432.A91836@xor.obsecurity.org>
next in thread | raw e-mail | index | archive | help
--mYCpIKhGyMATD0i+
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
This patch is taken from OpenBSD. I don't know if the IP option stuff
is exploitable in theory -- we merged some option-parsing fixes a few
years ago, but missed the rest which were committed to OpenBSD a few
weeks later. The other buffer sizing issue doesn't seem to be
exploitable on FreeBSD for two reasons:
a) The receive buffer size is artificially limited to 48K
b) The send buffer size is not resized from the default value, and
ping limits the length of ICMP_ECHOREPLY packets it reads to 112 bytes
longer than the packet it sent out (I don't know if this is a bug or
not).
OpenBSD had removed both of these limitations which allowed them to
overflow that buffer by 68 bytes or so; even then I couldn't get it to
do anything nasty because of where the buffer sits in memory. Anyway.
Kris
Index: ping.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/sbin/ping/ping.c,v
retrieving revision 1.55
diff -u -r1.55 ping.c
--- ping.c 2001/03/09 13:20:23 1.55
+++ ping.c 2001/05/08 10:18:22
@@ -102,7 +102,7 @@
/* runs out of buffer space */
#define MAXIPLEN 60
#define MAXICMPLEN 76
-#define MAXPACKET (65536 - 60 - 8)/* max packet size */
+#define MAXPAYLOAD (IP_MAXPACKET - MAXIPLEN - 8) /* max ICMP payload size =
*/
#define MAXWAIT 10 /* max seconds to wait for response */
#define MAXALARM (60 * 60) /* max seconds for alarm timeout */
#define NROUTES 9 /* number of record route slots */
@@ -148,7 +148,7 @@
struct sockaddr whereto; /* who to ping */
int datalen =3D DEFDATALEN;
int s; /* socket file descriptor */
-u_char outpack[MAXPACKET];
+u_char outpack[IP_MAXPACKET]; /* Max packet size =3D 65535 */
char BSPACE =3D '\b'; /* characters written for flood */
char DOT =3D '.';
char *hostname;
@@ -341,7 +341,7 @@
err(EX_NOPERM, "-s flag");
}
ultmp =3D strtoul(optarg, &ep, 0);
- if (ultmp > MAXPACKET)
+ if (ultmp > MAXPAYLOAD)
errx(EX_USAGE, "packet size too large: %lu",
ultmp);
if (*ep || ep =3D=3D optarg || !ultmp)
@@ -785,7 +785,7 @@
register struct icmp *icp;
register u_long l;
register int i, j;
- register u_char *cp,*dp;
+ register u_char *cp, *dp;
static int old_rrlen;
static char old_rr[MAX_IPOPTLEN];
struct ip *ip;
@@ -926,7 +926,8 @@
hlen -=3D 2;
j =3D *++cp;
++cp;
- if (j > IPOPT_MINOFF)
+ i =3D 0;
+ if (j > IPOPT_MINOFF) {
for (;;) {
l =3D *++cp;
l =3D (l<<8) + *++cp;
@@ -939,11 +940,18 @@
ina.s_addr =3D ntohl(l);
printf("\t%s", pr_addr(ina));
}
- hlen -=3D 4;
- j -=3D 4;
- if (j <=3D IPOPT_MINOFF)
- break;
- (void)putchar('\n');
+ hlen -=3D 4;
+ j -=3D 4;
+ i +=3D 4;
+ if (j <=3D IPOPT_MINOFF)
+ break;
+ if (i >=3D MAX_IPOPTLEN) {
+ (void)printf("\t(truncated route)");
+ break;
+ }
+ (void)putchar('\n');
+ }
+ =09
}
break;
case IPOPT_RR:
@@ -1002,6 +1010,8 @@
break;
default:
(void)printf("\nunknown option %x", *cp);
+ hlen =3D hlen + cp[1] - 1;
+ cp =3D cp + cp[1] - 1;
break;
}
if (!(options & F_FLOOD)) {
@@ -1402,7 +1412,7 @@
=20
if (ii > 0)
for (kk =3D 0;
- kk <=3D MAXPACKET - (8 + PHDR_LEN + ii);
+ kk <=3D MAXPAYLOAD - (8 + PHDR_LEN + ii);
kk +=3D ii)
for (jj =3D 0; jj < ii; ++jj)
bp[jj + kk] =3D pat[jj];
--mYCpIKhGyMATD0i+
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (FreeBSD)
Comment: For info see http://www.gnupg.org
iD8DBQE698lfWry0BWjoQKURAkc0AJ99zBCatUjGzBdTdrpvG3uuEfYuIgCgquRP
GntaGMNMgXYgF19c1PX/v1g=
=jH05
-----END PGP SIGNATURE-----
--mYCpIKhGyMATD0i+--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010508032432.A91836>