[Bug 239976] Integer Overflow: ping(8) option "-s", bypass the invalid packet size check
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Mon Aug 19 22:59:01 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239976
Bug ID: 239976
Summary: Integer Overflow: ping(8) option "-s", bypass the
invalid packet size check
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: bin
Assignee: bugs at FreeBSD.org
Reporter: neerajpal09 at gmail.com
Integer Overflow is observed in ping(8) command line option "-s".
* sbin/ping/ping.c:485
** "datalen = ltmp;" <= storing long value to int value
providing "-s" with value 4294967295 will bypass the check at
sbin/ping/ping.c:475 and will try to send packet with size -1.
[Steps to reproduce]
* root at freebsd:/usr/src/sbin/ping # ping -c 2 -s -1 localhost
ping: invalid packet size: `-1'
* root at freebsd:/usr/src/sbin/ping # ping -c 2 -s 4294967295 localhost
PING localhost (127.0.0.1): -1 data bytes
--- localhost ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
[Impact]
Bypass the check for invalid packet size and will try to send packet with
illegal size properties.
Note: root privilege is required.
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list