Date: Sun, 26 Jul 2020 17:25:32 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 239975] ping(8) crashes with SIGSEGV - Out-of-Bounds Read of size 2 (global-buffer-overflow)
Message-ID: <bug-239975-227-awunaq1J1B@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-239975-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-239975-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239975 --- Comment #7 from Neeraj <neerajpal09@gmail.com> --- I have seen that the ping code is modified as compare to the last time when the issue was reported so attaching the modified patch as per the code revision 363556 Index: sbin/ping/ping.c =================================================================== --- sbin/ping/ping.c (revision 363566) +++ sbin/ping/ping.c (working copy) @@ -1066,7 +1066,7 @@ cc = ICMP_MINLEN + phdr_len + datalen; /* compute ICMP checksum here */ - icp.icmp_cksum = in_cksum(outpack, cc); + icp.icmp_cksum = in_cksum(outpack, sizeof(struct icmp), IP_MAXPACKET, cc); /* Update icmp_cksum in the raw packet data buffer. */ memcpy(outpack + offsetof(struct icmp, icmp_cksum), &icp.icmp_cksum, sizeof(icp.icmp_cksum)); @@ -1079,7 +1079,7 @@ /* Update ip_len in the raw packet data buffer. */ memcpy(outpackhdr + offsetof(struct ip, ip_len), &ip.ip_len, sizeof(ip.ip_len)); - ip.ip_sum = in_cksum(outpackhdr, cc); + ip.ip_sum = in_cksum(outpackhdr, sizeof(struct ip), IP_MAXPACKET, cc); /* Update ip_sum in the raw packet data buffer. */ memcpy(outpackhdr + offsetof(struct ip, ip_sum), &ip.ip_sum, sizeof(ip.ip_sum)); Index: sbin/ping/utils.c =================================================================== --- sbin/ping/utils.c (revision 363566) +++ sbin/ping/utils.c (working copy) @@ -55,7 +55,7 @@ * Checksum routine for Internet Protocol family headers (C Version) */ u_short -in_cksum(u_char *addr, int len) +in_cksum(u_char *addr, size_t struct_size, int ip_maxpacket, int len) { int nleft, sum; u_char *w; 
@@ -74,7 +74,7 @@ * sequential 16 bit words to it, and at the end, fold back all the * carry bits from the top 16 bits into the lower 16 bits. */ - while (nleft > 1) { + while ((nleft > 1) && (w < &addr[ip_maxpacket - struct_size - sizeof(u_short)])) { u_short data; memcpy(&data, w, sizeof(data)); Index: sbin/ping/utils.h =================================================================== --- sbin/ping/utils.h (revision 363566) +++ sbin/ping/utils.h (working copy) @@ -33,6 +33,6 @@ #include <sys/types.h> -u_short in_cksum(u_char *, int); +u_short in_cksum(u_char *, size_t, int, int); #endif -- You are receiving this mail because: You are the assignee for the bug.help
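Review bot: in the first sbin/ping/ping.c hunk (@@ -1066), cc is computed as ICMP_MINLEN + phdr_len + datalen and passed straight to in_cksum() without being compared to the space available behind outpack, so the over-long length is still produced here and is only masked inside the checksum loop. I would validate cc (or datalen, at the point where it is set) against the buffer size before this call and exit with an error, leaving in_cksum() as a plain sum over len bytes.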
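Review bot: in the second sbin/ping/ping.c hunk (@@ -1079), the ip_sum call passes the same IP_MAXPACKET limit as the earlier call on outpack, with only the struct size differing. If outpack and outpackhdr point into one buffer at different offsets, the bound in_cksum() derives from these arguments cannot be right for both pointers. Pass the number of bytes that actually remain after the pointer being summed, computed from the end of the buffer, instead of a constant plus a header size.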
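Review bot: the new in_cksum() signature in sbin/ping/utils.c (@@ -55) takes struct_size and ip_maxpacket only so the loop can subtract one from the other; a single size_t parameter giving the capacity of addr would be simpler and harder to misuse. As written, ip_maxpacket is an int and struct_size a size_t, so the subtraction in the loop is carried out unsigned and wraps if the sizes passed ever exceed the limit. The comment above the function ("Checksum routine for Internet Protocol family headers") should also document the added parameters.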
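Review bot: the condition added to the while loop in sbin/ping/utils.c (@@ -74) stops the summation once w reaches the limit, but nleft is still greater than 1 at that point and nothing reports it, so the caller receives a checksum over fewer bytes than len with no indication that it is wrong. Check len against the buffer capacity once on entry and fail there, rather than testing w on every iteration. The limit &addr[ip_maxpacket - struct_size - sizeof(u_short)] also assumes that addr has ip_maxpacket bytes behind it, which the function has no way to confirm.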
