From owner-freebsd-bugs@FreeBSD.ORG Sun Apr 13 11:30:12 2003
Delivered-To: freebsd-bugs@hub.freebsd.org
Resent-Date: Sun, 13 Apr 2003 11:30:10 -0700 (PDT)
Resent-Message-Id: <200304131830.h3DIUABN074632@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Message-Id: <200304131820.h3DIKdhv039109@lab.databus.com>
Date: Sun, 13 Apr 2003 14:20:39 -0400 (EDT)
From: User &
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/50909: ping checks too much data in return packet
X-Send-Pr-Version: 3.113
List-Id: Bug reports

>Number: 50909
>Category: bin
>Synopsis: ping checks too much data in return packet
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Apr 13 11:30:10 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Barney Wolff
>Release: FreeBSD 5.0-CURRENT i386
>Organization: Databus Inc.
>Environment:
System: FreeBSD lab.databus.com 5.0-CURRENT FreeBSD 5.0-CURRENT #1: Fri Apr 11 18:00:56 EDT 2003 toor@lab.databus.com:/usr/obj/usr/src/sys/LAB i386
>Description:
ping checks the data in the returned packet, expecting it to be equal to the data in the packet sent. But it starts the check too early, checking the timestamp. If the returned packet comes back after the next packet has already been sent (i.e., in the default case, after 1 sec) the check will fail. ping should check only the constant data, which starts after the timestamp.

I'd also point out that the cc != 0 check is bad style, if probably not dangerous in this case. cc > 0 protects against off-by-one errors. cc-- is also bad style.
>How-To-Repeat:
ping anywhere with rtt over 1 sec.
>Fix:
Index: ping.c
===================================================================
RCS file: /home/ncvs/src/sbin/ping/ping.c,v
retrieving revision 1.95
diff -u -r1.95 ping.c
--- ping.c 7 Apr 2003 12:05:50 -0000 1.95
+++ ping.c 13 Apr 2003 18:07:02 -0000
@@ -1012,8 +1012,14 @@ cp = (u_char*)&icp->icmp_data[phdr_len]; dp = &outpack[MINICMPLEN + phdr_len]; cc -= ICMP_MINLEN + phdr_len; - for (i = phdr_len; i < datalen && cc != 0; - ++i, ++cp, ++dp, cc--) { + i = phdr_len; + if (timing) { /* don't check variable timestamp */ + cp += TIMEVAL_LEN; + dp += TIMEVAL_LEN; + cc -= TIMEVAL_LEN; + i += TIMEVAL_LEN; + } + for ( ; i < datalen && cc > 0; ++i, ++cp, ++dp, --cc) { if (*cp != *dp) { (void)printf("\nwrong data byte #%d should be 0x%x but was 0x%x", i, *dp, *cp); >Release-Note: >Audit-Trail: >Unformatted:
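Review bot: the `cc -= TIMEVAL_LEN` inside the new `if (timing)` block runs without first checking that the reply carried at least TIMEVAL_LEN bytes of data, so a truncated reply leaves `cc` negative. With the loop bound changed to `cc > 0` that is harmless (nothing is compared), but only if `cc` is a signed type; if it were unsigned the subtraction would wrap and `cc > 0` would let the loop walk past the reply buffer, so please confirm the declaration and consider an explicit `if (cc < TIMEVAL_LEN)` bail-out that reports a short reply instead of silently passing it. The `cc != 0` to `cc > 0` change and the unconditional subtraction therefore have to land together, as they do in this hunk.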
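As an added illustration of the race the PR describes (this is not code from ping.c or from the submitter): a stand-alone C model of the reply-compare loop, with constructed timestamps and pattern bytes, run both as the old loop starts it (at phdr_len, inside the timeval) and as the patch starts it (after the timeval). outpack, phdr_len and TIMEVAL_LEN are borrowed from ping.c; build_payload, check_reply and late_reply_mismatch are the example's own names.

```c
/* Stand-alone model of ping's reply-data check (added example, not ping.c). */
#include <string.h>
#include <sys/time.h>

#define TIMEVAL_LEN ((int)sizeof(struct timeval))
#define DATALEN 56          /* ping's default payload size */
#define PHDR_LEN 0          /* no extra header in this model */

/* Lay out a payload the way ping does: timestamp first, then a fixed
 * byte pattern that is identical for every probe. */
static void build_payload(unsigned char *buf, struct timeval sent)
{
    memcpy(buf + PHDR_LEN, &sent, sizeof sent);
    for (int i = PHDR_LEN + TIMEVAL_LEN; i < DATALEN; i++)
        buf[i] = (unsigned char)i;
}

/* Compare a reply's data against the most recently sent packet.
 * skip_timestamp == 0: start at phdr_len, as the pre-patch loop did.
 * skip_timestamp == 1: skip the timeval first, as the patched loop does.
 * cc is the number of data bytes present in the reply; the bound cc > 0
 * means a reply shorter than TIMEVAL_LEN compares nothing (cc goes negative).
 * Returns the index of the first mismatching byte, or -1 if none. */
static int check_reply(const unsigned char *reply, int cc,
                       const unsigned char *outpack, int skip_timestamp)
{
    const unsigned char *cp = reply + PHDR_LEN;
    const unsigned char *dp = outpack + PHDR_LEN;
    int i = PHDR_LEN;
    if (skip_timestamp) {
        cp += TIMEVAL_LEN; dp += TIMEVAL_LEN;
        cc -= TIMEVAL_LEN; i += TIMEVAL_LEN;
    }
    for (; i < DATALEN && cc > 0; ++i, ++cp, ++dp, --cc)
        if (*cp != *dp)
            return i;
    return -1;
}

/* The PR's scenario: probe 1 goes out at t0, probe 2 at t1 one second
 * later, and probe 1's reply is examined only after probe 2 overwrote
 * outpack. cc is the reply length handed to the check (constructed). */
static int late_reply_mismatch(int skip_timestamp, int cc)
{
    unsigned char outpack[DATALEN], reply[DATALEN];
    struct timeval t0 = { 1000, 0 }, t1 = { 1001, 0 };  /* constructed */
    build_payload(outpack, t0);
    memcpy(reply, outpack, DATALEN);   /* the echo of probe 1 */
    build_payload(outpack, t1);        /* probe 2 replaces probe 1 */
    return check_reply(reply, cc, outpack, skip_timestamp);
}
```

With the old start point the first differing byte lies inside the timeval, so a late reply is reported as corrupt; skipping the timeval compares only the constant pattern and the same reply passes.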