[Bug 239978] Integer Overflow: ping(8) option "-h", bypass the invalid sweepincr packet size check

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239978

            Bug ID: 239978
           Summary: Integer Overflow: ping(8) option "-h", bypass the
                    invalid sweepincr packet size check
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: bugs at FreeBSD.org
          Reporter: neerajpal09 at gmail.com

Integer Overflow is observed in ping(8) command line option "-h".

* sbin/ping/ping.c:378

** "sweepincr = ltmp;" <= storing long value to int variable

providing "-h" with value 4294967295 will bypass the check at
sbin/ping/ping.c:368 and will try to send packet with sweepincr value -1.

[Steps to reproduce]
* root at freebsd:/usr/src # ping -G 1 -h -1 localhost 
ping: invalid increment size: `-1'

* root at freebsd:/usr/src # ping -G 1 -h 4294967292 localhost
PING localhost (127.0.0.1): (0 ... 1) data bytes
8 bytes from 127.0.0.1: icmp_seq=0 ttl=64
ping: sendto: Invalid argument
ping: sendto: Invalid argument
ping: sendto: Invalid argument
ping: sendto: Invalid argument
^C
--- localhost ping statistics ---
7 packets transmitted, 1 packets received, 85.7% packet loss

[Impact]
Bypass the check for invalid increment size and will try to send packet with
illegal increment size properties.

Note: root privilege is required.

-- 
You are receiving this mail because:
You are the assignee for the bug.