To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mariusz Zaborski
Subject: git: e15be258bbf2 - main - ping6: fix outpack overflow in pattern fill loop
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: oshogbo
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: e15be258bbf2978dfc62b5483d86c76884eb8576
Date: Tue, 16 Jun 2026 17:07:03 +0000
Message-Id: <6a3182b7.1aa13.55d2ccdb@gitrepo.freebsd.org>

The branch main has been updated by oshogbo:

URL: https://cgit.FreeBSD.org/src/commit/?id=e15be258bbf2978dfc62b5483d86c76884eb8576

commit e15be258bbf2978dfc62b5483d86c76884eb8576
Author:     Mariusz Zaborski
AuthorDate: 2026-06-16 17:02:02 +0000
Commit:     Mariusz Zaborski
CommitDate: 2026-06-16 17:02:02 +0000

    ping6: fix outpack overflow in pattern fill loop

    The fill loop was bounded by packlen, which is sized for the receive
    buffer (datalen + IP6LEN + ICMP6ECHOLEN + EXTRA), not for outpack.
    With large datalen the loop wrote past outpack[MAXPACKETLEN].
    Bound it to the actual data area in outpack instead.

    Reported by:    Oculytic
    Reviewed by:    des, markj
    Differential Revision:  https://reviews.freebsd.org/D57441
---
 sbin/ping/ping6.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/sbin/ping/ping6.c b/sbin/ping/ping6.c index b00b00ac8ce1..48f376ac6e5c 100644 --- a/sbin/ping/ping6.c +++ b/sbin/ping/ping6.c 
@@ -238,7 +238,7 @@ static struct iovec smsgiov; static char *scmsg = 0; static cap_channel_t *capdns_setup(void); -static void fill(char *, char *); +static void fill(char *, size_t, char *); static int get_hoplim(struct msghdr *); static int get_pathmtu(struct msghdr *); static struct in6_pktinfo *get_rcvpktinfo(struct msghdr *); @@ -273,7 +273,8 @@ ping6(int argc, char *argv[]) struct sockaddr_in6 from, *sin6; struct addrinfo hints, *res; struct sigaction si_sa; - int cc, i; + int cc; + size_t i; int almost_done, ch, hold, packlen, preload, optval, error; int nig_oldmcprefix = -1; u_char *datap; @@ -483,7 +484,8 @@ ping6(int argc, char *argv[]) break; case 'p': /* fill buffer with user pattern */ options |= F_PINGFILLED; - fill((char *)datap, optarg); + fill((char *)datap, + sizeof(outpack) - (datap - outpack), optarg); break; case 'q': options |= F_QUIET; @@ -762,7 +764,7 @@ ping6(int argc, char *argv[]) if (!(packet = (u_char *)malloc((u_int)packlen))) err(1, "Unable to allocate packet"); if (!(options & F_PINGFILLED)) - for (i = ICMP6ECHOLEN; i < packlen; ++i) + for (i = (size_t)(datap - outpack); i < sizeof(outpack); ++i) *datap++ = i; ident = getpid() & 0xFFFF; @@ -2631,7 +2633,7 @@ pr_retip(struct ip6_hdr *ip6, u_char *end) } static void -fill(char *bp, char *patp) +fill(char *bp, size_t bplen, char *patp) { int ii, jj, kk; int pat[16]; @@ -2646,13 +2648,11 @@ fill(char *bp, char *patp) &pat[7], &pat[8], &pat[9], &pat[10], &pat[11], &pat[12], &pat[13], &pat[14], &pat[15]); -/* xxx */ - if (ii > 0) - for (kk = 0; - (size_t)kk <= MAXDATALEN - 8 + sizeof(struct tv32) + ii; - kk += ii) + if (ii > 0) { + for (kk = 0; (size_t)kk + ii <= bplen; kk += ii) for (jj = 0; jj < ii; ++jj) bp[jj + kk] = pat[jj]; + } if (!(options & F_QUIET)) { (void)printf("PATTERN: 0x"); for (jj = 0; jj < ii; ++jj)
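
Review bot: In the hunk at -273 (declarations in ping6()), `i` becomes `size_t` for the whole function, not only for the fill loop at -762. Any other use of `i` in ping6() that compares it with a signed value or counts down to a negative value now behaves as unsigned, and those uses are not shown in this diff. Please confirm they were checked, or introduce a separate `size_t` variable for the fill loop and leave `int i` as it was.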
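
Review bot: In the `case 'p'` hunk at -483, the length argument `sizeof(outpack) - (datap - outpack)` subtracts a signed pointer difference from a `size_t`, so it is only correct while `datap` points inside `outpack`. If that ever stopped being true the result would wrap to a very large value and fill() would be unbounded again. The default fill loop at -762 repeats the same remaining-space computation in a different form. Computing it once (a helper or a single variable), with a check that `datap` lies within `outpack`, would keep the two call sites in step.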
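
Review bot: In the default fill loop at -762, `i` now serves as both the bound and the byte value stored by `*datap++ = i`, and its start moved from `ICMP6ECHOLEN` to `(size_t)(datap - outpack)`. Unless `datap` is exactly `outpack + ICMP6ECHOLEN` at this point, the default payload bytes change value, which the commit message does not mention. If the on-wire pattern should stay as before, keep a separate value counter starting at `ICMP6ECHOLEN` and use the offset only for the bound. The store also narrows `size_t` to `u_char` implicitly; an explicit `(u_char)i` cast would make the truncation deliberate.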
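
Review bot: In the fill() body hunk at -2646, the new condition `(size_t)kk + ii <= bplen` writes only whole repetitions of the pattern, so the last `bplen % ii` bytes of the area are never filled and keep whatever they held before. If a packet's data can extend into that tail, the end of the payload will not carry the user's pattern. A single loop over `bplen` with `bp[kk] = pat[kk % ii]` would fill the area completely and stay in bounds. `kk` and `jj` are still `int` while the bound is `size_t`; declaring them `size_t` would remove the cast and the mixed-sign arithmetic.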