[Bug 239976] Integer Overflow: ping(8) option "-s", bypass the invalid packet size check

Mon Aug 19 22:59:01 UTC 2019

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239976

            Bug ID: 239976
           Summary: Integer Overflow: ping(8) option "-s", bypass the
                    invalid packet size check
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: bugs at FreeBSD.org
          Reporter: neerajpal09 at gmail.com

Integer Overflow is observed in ping(8) command line option "-s".

* sbin/ping/ping.c:485

** "datalen = ltmp;" <= storing long value to int value

providing "-s" with value 4294967295 will bypass the check at
sbin/ping/ping.c:475 and will try to send packet with size -1.

[Steps to reproduce]
* root at freebsd:/usr/src/sbin/ping # ping -c 2 -s -1 localhost
ping: invalid packet size: `-1'

* root at freebsd:/usr/src/sbin/ping # ping -c 2 -s 4294967295 localhost
PING localhost (127.0.0.1): -1 data bytes

--- localhost ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

[Impact]
Bypass the check for invalid packet size and will try to send packet with
illegal size properties.

Note: root privilege is required.

-- 
You are receiving this mail because:
You are the assignee for the bug.