[Bug 239978] Integer Overflow: ping(8) option "-h", bypass the invalid sweepincr packet size check
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Mon Aug 19 23:09:26 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239978
Bug ID: 239978
Summary: Integer Overflow: ping(8) option "-h", bypass the
invalid sweepincr packet size check
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: bin
Assignee: bugs at FreeBSD.org
Reporter: neerajpal09 at gmail.com
Integer Overflow is observed in ping(8) command line option "-h".
* sbin/ping/ping.c:378
** "sweepincr = ltmp;" <= storing long value to int variable
providing "-h" with value 4294967295 will bypass the check at
sbin/ping/ping.c:368 and will try to send packet with sweepincr value -1.
[Steps to reproduce]
* root at freebsd:/usr/src # ping -G 1 -h -1 localhost
ping: invalid increment size: `-1'
* root at freebsd:/usr/src # ping -G 1 -h 4294967292 localhost
PING localhost (127.0.0.1): (0 ... 1) data bytes
8 bytes from 127.0.0.1: icmp_seq=0 ttl=64
ping: sendto: Invalid argument
ping: sendto: Invalid argument
ping: sendto: Invalid argument
ping: sendto: Invalid argument
^C
--- localhost ping statistics ---
7 packets transmitted, 1 packets received, 85.7% packet loss
[Impact]
Bypass the check for invalid increment size and will try to send packet with
illegal increment size properties.
Note: root privilege is required.
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list