Date: Fri, 24 Feb 2023 14:59:29 GMT
Message-Id: <202302241459.31OExTc7077467@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Cy Schubert
Subject: git: 70960bb86a3b - main - ping: Fix unsigned integer underflow resulting in a ping -R segfault
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 70960bb86a3ba5b6f5c4652e613e6313a7ed1ac1

The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=70960bb86a3ba5b6f5c4652e613e6313a7ed1ac1

commit 70960bb86a3ba5b6f5c4652e613e6313a7ed1ac1
Author:     Cy Schubert
AuthorDate: 2023-02-23 05:43:17 +0000
Commit:     Cy Schubert
CommitDate: 2023-02-24 14:50:53 +0000

    ping: Fix unsigned integer underflow resulting in a ping -R segfault

    ping -R (F_RROUTE) will loop at ping.c:1381 until it segfaults or the
    unsigned int hlen happens to be less than the size of an IP header:

    slippy$ ping -R 192.168.0.101
    PING 192.168.0.101 (192.168.0.101): 56 data bytes
    64 bytes from 192.168.0.101: icmp_seq=0 ttl=63 time=1.081 ms
    RR:     192.168.0.1
            192.168.0.101
            192.168.0.101
            10.1.1.254
            10.1.1.91
    unknown option bb
    unknown option 32
    unknown option 6
    ...
    unknown option 96
    unknown option 2d
    Segmentation fault

    The reason for this is that while looping through loose source routing
    (LSRR) and strict source routing (SSRR), hlen will become smaller than
    the IP header. It may even become negative. This should terminate the
    loop. However, when hlen is unsigned, an integer underflow occurs
    becoming a large number causing the loop to continue virtually forever
    until hlen is either by chance smaller than the length of an IP header
    or it segfaults.
Reviewed by: asomers Fixes: 46d7b45a267b MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D38744 --- sbin/ping/ping.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c index 6956b9a68ad2..2fc876e50776 100644 --- a/sbin/ping/ping.c +++ b/sbin/ping/ping.c @@ -1150,7 +1150,7 @@ pr_pack(char *buf, ssize_t cc, struct sockaddr_in *from, struct timespec *tv) ssize_t icmp_data_raw_len; double triptime; int dupflag, i, j, recv_len; - uint8_t hlen; + int8_t hlen; uint16_t seq; static int old_rrlen; static char old_rr[MAX_IPOPTLEN]; @@ -1171,7 +1171,7 @@ pr_pack(char *buf, ssize_t cc, struct sockaddr_in *from, struct timespec *tv) hlen = (l & 0x0f) << 2; /* Reject IP packets with a short header */ - if (hlen < sizeof(struct ip)) { + if (hlen < (int8_t) sizeof(struct ip)) { if (options & F_VERBOSE) warn("IHL too short (%d bytes) from %s", hlen, inet_ntoa(from->sin_addr));
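Review bot: In the first hunk (`- uint8_t hlen;` / `+ int8_t hlen;`), switching to int8_t stops the wrap the commit message describes, but hlen stays a narrow type that itself wraps at 127. The neighbouring counters declared on the line above (`int dupflag, i, j, recv_len;`) are plain int; declaring hlen as `int` too would match them and remove the need for the `(int8_t)` cast added in the second hunk. If int8_t is kept on purpose, a one-line comment recording that hlen is at most 60 (a four-bit IHL shifted left by two, as `hlen = (l & 0x0f) << 2;` shows) would document why the narrow signed type cannot overflow here.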
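Review bot: In the second hunk, `(int8_t) sizeof(struct ip)` narrows a size_t to a signed byte only to avoid a signed/unsigned comparison warning; `(int)sizeof(struct ip)` is the conventional spelling and is correct for any hlen value. More importantly, this check runs immediately after hlen is computed from the IHL, so it is not where the underflow occurs; the loop at ping.c:1381 whose termination now depends on hlen going negative is outside the diff context. A short comment at that loop (or a sentence in the commit message naming its condition) would let a reader verify from the patch alone why changing the declaration is sufficient.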
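To make the integer-type point in the commit message concrete, here is an added, self-contained C model of the option walk, written for this page and not taken from ping.c or the FreeBSD project. It tracks the remaining header length either as uint8_t (the declaration the patch removes) or int8_t (the one it adds) and runs both over a constructed packet. The walker, the IPOPT_* constants, the RR accounting and the sample bytes are all assumptions of the example: they mimic the pattern the commit message describes, not the exact source.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model, not ping.c itself: a cut-down version of the IP option
 * walk done after the IHL check.  'hlen' counts header bytes still unprocessed
 * and the walk is meant to stop once it is down to the bare 20-byte header.
 * Only EOL, NOP and RR are modelled; the RR accounting subtracts the 2-byte
 * prefix and then 4 bytes per recorded address, trusting the pointer field.
 */
#define IP_HDR_MIN    20        /* stands in for sizeof(struct ip) */
#define IPOPT_EOL     0
#define IPOPT_NOP     1
#define IPOPT_RR      7
#define IPOPT_MINOFF  4         /* offset of the first address slot in an RR option */
#define INADDR_LEN    4
#define STEP_LIMIT    4096      /* hard cap so the unsigned variant cannot spin */

struct walk_result {
    int steps;       /* loop iterations performed */
    int final_hlen;  /* hlen when the walk ended, as the chosen type stored it */
    int overran;     /* 1 if the walk ran off the end of the buffer */
};

/* Emulates assigning an int result back to hlen's declared type: uint8_t wraps
 * modulo 256 (defined by C); int8_t wraps two's-complement on every mainstream
 * compiler (strictly implementation-defined). */
static int store(int value, int is_signed)
{
    return is_signed ? (int)(int8_t)value : (int)(uint8_t)value;
}

/* Walk the options of the IPv4 header at the start of buf[0..buflen). */
static struct walk_result walk_options(const uint8_t *buf, size_t buflen, int is_signed)
{
    struct walk_result r = {0, 0, 0};
    int hlen = store((buf[0] & 0x0f) << 2, is_signed);  /* IHL in bytes, at most 60 */
    size_t cp = IP_HDR_MIN;

    /* Reject IP packets with a short header (the check the patch also touches). */
    if (hlen < IP_HDR_MIN) {
        r.final_hlen = hlen;
        return r;
    }
    /* The decrement in the update clause is where a uint8_t hlen of 0 becomes 255. */
    for (; hlen > IP_HDR_MIN; hlen = store(hlen - 1, is_signed), ++cp) {
        if (++r.steps > STEP_LIMIT || cp >= buflen) {
            r.overran = 1;   /* the real code would already be reading past its buffer */
            break;
        }
        switch (buf[cp]) {
        case IPOPT_EOL:
            hlen = 0;        /* end of options: intended to end the walk */
            break;
        case IPOPT_NOP:
            break;
        case IPOPT_RR: {
            int addrs;
            if (cp + 2 >= buflen) {
                r.overran = 1;
                goto done;
            }
            addrs = (buf[cp + 2] - IPOPT_MINOFF) / INADDR_LEN;  /* pointer -> recorded count */
            hlen = store(hlen - 2, is_signed);
            cp += 2;
            while (addrs-- > 0) {
                hlen = store(hlen - INADDR_LEN, is_signed);
                cp += INADDR_LEN;
            }
            break;
        }
        default:
            break;           /* the original prints "unknown option %x" here */
        }
    }
done:
    r.final_hlen = hlen;
    return r;
}

/* Constructed 68-byte buffer: a 60-byte IPv4 header (IHL 15) carrying a 39-byte
 * RR option with five recorded addresses (pointer 24) and zero padding, then 8
 * made-up bytes standing in for an ICMP echo reply.  Addresses are from the
 * 192.0.2.0/24 documentation range. */
static const uint8_t sample_packet[68] = {
    [0]  = 0x4f,                    /* version 4, IHL 15 */
    [20] = IPOPT_RR, 39, 24,
    [23] = 192, 0, 2, 1,
    [27] = 192, 0, 2, 2,
    [31] = 192, 0, 2, 3,
    [35] = 192, 0, 2, 4,
    [39] = 192, 0, 2, 5,
    [60] = 0x00, 0x00, 0xab, 0xcd, 0x12, 0x34, 0x00, 0x01,
};

int main(void)
{
    struct walk_result u = walk_options(sample_packet, sizeof sample_packet, 0);
    struct walk_result s = walk_options(sample_packet, sizeof sample_packet, 1);
    printf("uint8_t hlen: steps=%d final_hlen=%d overran=%d\n", u.steps, u.final_hlen, u.overran);
    printf("int8_t  hlen: steps=%d final_hlen=%d overran=%d\n", s.steps, s.final_hlen, s.overran);
    return 0;
}
```

With int8_t the walk ends after two iterations with hlen at -1: the loop condition fails as soon as the counter drops below the header size. With uint8_t the same input leaves hlen at 255 after the first zero byte, so the walker marches through the padding and into the payload until the safety cap or the buffer end stops it; in the real program that is the "unknown option" stream and the crash. A signed counter makes the loop terminate, but the stronger fix in any parser of this shape is to check each option's declared length against the bytes actually remaining before subtracting it.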