From nobody Mon Feb 27 18:27:07 2023
Date: Mon, 27 Feb 2023 18:27:07 GMT
Message-Id: <202302271827.31RIR7hX050624@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Cy Schubert
Subject: git: 4cafd65c8f1d - stable/12 - ping: Fix unsigned integer underflow resulting in a ping -R segfault
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: 4cafd65c8f1d3adfa6ff80db3ef9f58c75d7d14c

The branch stable/12 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=4cafd65c8f1d3adfa6ff80db3ef9f58c75d7d14c

commit 4cafd65c8f1d3adfa6ff80db3ef9f58c75d7d14c
Author:     Cy Schubert
AuthorDate: 2023-02-23 05:43:17 +0000
Commit:     Cy Schubert
CommitDate: 2023-02-27 04:32:59 +0000

    ping: Fix unsigned integer underflow resulting in a ping -R segfault

    ping -R (F_RROUTE) will loop at ping.c:1381 until it segfaults or the
    unsigned int hlen happens to be less than the size of an IP header:

    slippy$ ping -R 192.168.0.101
    PING 192.168.0.101 (192.168.0.101): 56 data bytes
    64 bytes from 192.168.0.101: icmp_seq=0 ttl=63 time=1.081 ms
    RR: 192.168.0.1
    	192.168.0.101
    	192.168.0.101
    	10.1.1.254
    	10.1.1.91
    unknown option bb
    unknown option 32
    unknown option 6
    ...
    unknown option 96
    unknown option 2d
    Segmentation fault

    The reason for this is while looping through loose source routing (LSRR)
    and strict source routing (SSRR), hlen will become smaller than the IP
    header. It may even become negative. This should terminate the loop.
    However, when hlen is unsigned, an integer underflow occurs becoming a
    large number causing the loop to continue virtually forever until hlen
    is either by chance smaller than the length of an IP header or it
    segfaults.
    Reviewed by:	asomers
    Fixes:		46d7b45a267b
    Differential Revision:	https://reviews.freebsd.org/D38744

    (cherry picked from commit 70960bb86a3ba5b6f5c4652e613e6313a7ed1ac1)
---
 sbin/ping/ping.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c index eda8bfbd35ea..a0eb570e6f0c 100644 --- a/sbin/ping/ping.c +++ b/sbin/ping/ping.c @@ -1134,7 +1134,7 @@ pr_pack(char *buf, ssize_t cc, struct sockaddr_in *from, struct timespec *tv) ssize_t icmp_data_raw_len; double triptime; int dupflag, i, j, recv_len; - uint8_t hlen; + int8_t hlen; uint16_t seq; static int old_rrlen; static char old_rr[MAX_IPOPTLEN]; @@ -1155,7 +1155,7 @@ pr_pack(char *buf, ssize_t cc, struct sockaddr_in *from, struct timespec *tv) hlen = (l & 0x0f) << 2; /* Reject IP packets with a short header */ - if (hlen < sizeof(struct ip)) { + if (hlen < (int8_t) sizeof(struct ip)) { if (options & F_VERBOSE) warn("IHL too short (%d bytes) from %s", hlen, inet_ntoa(from->sin_addr));
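Review bot: in the first hunk (`- uint8_t hlen;` / `+ int8_t hlen;`) the replacement is still an 8-bit narrow type, which is what forces the `(int8_t)` cast on `sizeof(struct ip)` in the second hunk. hlen is at most (0x0f << 2) = 60, so int8_t does hold it, but declaring it as `int hlen;` next to the existing `int dupflag, i, j, recv_len;` fixes the underflow equally well without a narrow type, and the later `warn("IHL too short (%d bytes) from %s", hlen, ...)` already passes it as an int.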
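Review bot: the cast in `+ if (hlen < (int8_t) sizeof(struct ip)) {` is load-bearing rather than cosmetic: without it the int8_t hlen is promoted to int and then converted to size_t by the usual arithmetic conversions, so a negative hlen turns into a huge unsigned value and the short-header check silently passes, which is the same class of bug this commit fixes. Add a one-line comment above the check stating that the comparison must stay signed, so the cast survives a later cleanup.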
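As an added illustration, not code from ping.c or from this commit: a C model of the option walk in pr_pack() that runs a constructed RR-carrying header through both a narrow unsigned hlen and a signed one. The loop structure (a decrement per iteration, route options skipping their recorded addresses, IPOPT_EOL zeroing hlen), the name walk_ip_options and the sample header are assumptions of this example; with uint8_t the decrement after the first zero slot wraps hlen to 255 and the walk runs off the end of the header, while a signed hlen stops there.

```c
#include <stddef.h>
#include <stdint.h>

#define IP_HDR_LEN   20   /* sizeof(struct ip) */
#define IPOPT_EOL     0
#define IPOPT_NOP     1
#define IPOPT_MINOFF  4   /* route-option pointer value before any address is recorded */

/* Model of the option walk in ping's pr_pack() (structure assumed, not copied from
 * ping.c): hlen starts at IHL*4, the loop runs while hlen > sizeof(struct ip) and
 * decrements hlen once per iteration, route options also skip their recorded
 * addresses, and IPOPT_EOL zeroes hlen before that decrement. narrow_unsigned != 0
 * stores hlen through uint8_t after every update, as in the pre-fix declaration.
 * Returns the number of options seen, or -1 once the walk leaves the header. */
int walk_ip_options(const uint8_t *pkt, size_t pktlen, int narrow_unsigned)
{
    if (pktlen < IP_HDR_LEN) return -1;
    int hlen = (pkt[0] & 0x0f) << 2;                 /* IHL counts 32-bit words */
    if (hlen < IP_HDR_LEN || (size_t)hlen > pktlen) return -1;
    const uint8_t *cp = pkt + IP_HDR_LEN, *end = pkt + hlen;
    int nopts = 0, i;
    for (; hlen > IP_HDR_LEN; ++cp) {
        if (cp >= end) return -1;                    /* ping has no such guard; it reads on */
        switch (*cp) {
        case IPOPT_EOL:
            hlen = 0;                                /* "done", but the decrement below still runs */
            break;
        case IPOPT_NOP:
            nopts++;
            break;
        default:                                     /* RR/LSRR/SSRR: cp[1] = length, cp[2] = pointer */
            if (cp + 2 >= end) return -1;
            i = (cp[2] > cp[1] ? cp[1] : cp[2]) - IPOPT_MINOFF;  /* recorded address bytes */
            if (i < 0 || cp + 2 + i >= end) return -1;
            hlen -= 2 + i; cp += 2 + i; nopts++;
            break;
        }
        hlen--;
        if (narrow_unsigned)
            hlen = (uint8_t)hlen;                    /* uint8_t hlen: 0 - 1 wraps to 255 */
    }
    return nopts;
}

/* Constructed 60-byte IPv4 header: IHL=15 and a 39-byte RR option whose pointer (24)
 * says five addresses were recorded; the unused slots and the pad byte stay 0 (EOL). */
static const uint8_t sample_hdr[60] = {
    0x4f, 0, 0, 0x7c, 0, 0, 0, 0, 63, 1, 0, 0, 192, 168, 0, 1, 192, 168, 0, 101,
    0x07, 39, 24, 192,168,0,1, 192,168,0,101, 192,168,0,101, 10,1,1,254, 10,1,1,91,
};
```

The -1 return marks the point where ping, lacking the bounds guard, would instead keep printing "unknown option" lines from whatever memory follows the packet.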