Date:      Sun, 26 Jul 2020 17:25:32 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 239975] ping(8) crashes with SIGSEGV - Out-of-Bounds Read of size 2 (global-buffer-overflow)
Message-ID:  <bug-239975-227-awunaq1J1B@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-239975-227@https.bugs.freebsd.org/bugzilla/>
References:  <bug-239975-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239975

--- Comment #7 from Neeraj <neerajpal09@gmail.com> ---
I see that the ping code has been modified compared to the last time the
issue was reported, so I am attaching the modified patch as per the code
revision 363556

Index: sbin/ping/ping.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- sbin/ping/ping.c    (revision 363566)
+++ sbin/ping/ping.c    (working copy)
@@ -1066,7 +1066,7 @@
        cc =3D ICMP_MINLEN + phdr_len + datalen;

        /* compute ICMP checksum here */
-       icp.icmp_cksum =3D in_cksum(outpack, cc);
+       icp.icmp_cksum =3D in_cksum(outpack, sizeof(struct icmp), IP_MAXPAC=
KET,
cc);
        /* Update icmp_cksum in the raw packet data buffer. */
        memcpy(outpack + offsetof(struct icmp, icmp_cksum), &icp.icmp_cksum,
            sizeof(icp.icmp_cksum));
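Review bot: `cc` is still built from `datalen` at the top of this hunk and is never compared with the space behind `outpack`, so the over-long length behind the reported out-of-bounds read is only clamped later inside `in_cksum()` instead of being refused here. The extra arguments `sizeof(struct icmp), IP_MAXPACKET` describe the buffer only indirectly, and the second call in the next hunk passes `sizeof(struct ip)` for `outpackhdr`; the declarations of both buffers are outside these hunks, so whether either pair matches the bytes actually available cannot be confirmed from the patch. I would validate the length once where it is computed, for example `if (cc > maxpayload) errx(EX_USAGE, "packet size too large");` with `maxpayload` (a placeholder name) derived from the real buffer size, so that the checksum and any later use of `cc` see a length that fits. The enclosing function starts and ends outside the hunk.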
@@ -1079,7 +1079,7 @@
                /* Update ip_len in the raw packet data buffer. */
                memcpy(outpackhdr + offsetof(struct ip, ip_len), &ip.ip_len,
                    sizeof(ip.ip_len));
-               ip.ip_sum =3D in_cksum(outpackhdr, cc);
+               ip.ip_sum =3D in_cksum(outpackhdr, sizeof(struct ip),
IP_MAXPACKET, cc);
                /* Update ip_sum in the raw packet data buffer. */
                memcpy(outpackhdr + offsetof(struct ip, ip_sum), &ip.ip_sum,
                    sizeof(ip.ip_sum));
Index: sbin/ping/utils.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- sbin/ping/utils.c   (revision 363566)
+++ sbin/ping/utils.c   (working copy)
@@ -55,7 +55,7 @@
  *     Checksum routine for Internet Protocol family headers (C Version)
  */
 u_short
-in_cksum(u_char *addr, int len)
+in_cksum(u_char *addr, size_t struct_size, int ip_maxpacket,  int len)
 {
        int nleft, sum;
        u_char *w;
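Review bot: The new parameters `struct_size` and `ip_maxpacket` are not described in the header comment above the function, and their names tie a generic checksum routine to one caller's constants. The limit is also split across an `int` and a `size_t`, which the loop condition in the next hunk then has to combine. A single `size_t buflen` parameter, documented as `/* buflen: bytes readable at addr; len must not exceed it */`, would state the contract directly. The function body continues outside the hunk.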
@@ -74,7 +74,7 @@
         * sequential 16 bit words to it, and at the end, fold back all the
         * carry bits from the top 16 bits into the lower 16 bits.
         */
-       while (nleft > 1)  {
+       while ((nleft > 1) && (w < &addr[ip_maxpacket - struct_size -
sizeof(u_short)])) {
                u_short data;

                memcpy(&data, w, sizeof(data));
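Review bot: When the added bound `w < &addr[ip_maxpacket - struct_size - sizeof(u_short)]` is what ends the loop, the function goes on to return a checksum over only part of the requested `len` bytes, and the caller gets no signal that the length was too large. The index expression mixes `int` and `size_t`, so it is evaluated unsigned and would wrap to a very large value if `struct_size + sizeof(u_short)` ever exceeded `ip_maxpacket`, which would make the check ineffective; the values passed in ping.c do not hit this, but nothing in the function enforces it. Computing the limit once before the loop from a validated buffer size, and treating a `len` beyond it as a caller error rather than truncating, would make the behaviour explicit. The rest of the loop body and the code that follows it are outside the hunk.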
Index: sbin/ping/utils.h
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- sbin/ping/utils.h   (revision 363566)
+++ sbin/ping/utils.h   (working copy)
@@ -33,6 +33,6 @@

 #include <sys/types.h>

-u_short in_cksum(u_char *, int);
+u_short in_cksum(u_char *, size_t, int, int);

 #endif

--=20
You are receiving this mail because:
You are the assignee for the bug.=


