[Bug 239975] ping(8) crashes with SIGSEGV - Out-of-Bounds Read of size 2 (global-buffer-overflow)
bugzilla-noreply at freebsd.org
Sun Jul 26 17:25:33 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239975
--- Comment #7 from Neeraj <neerajpal09 at gmail.com> ---
I have seen that the ping code has been modified as compared to the last time the
issue was reported, so I am attaching the modified patch as per the code revision
363556.
Index: sbin/ping/ping.c
===================================================================
--- sbin/ping/ping.c (revision 363566)
+++ sbin/ping/ping.c (working copy)
@@ -1066,7 +1066,7 @@
cc = ICMP_MINLEN + phdr_len + datalen;
/* compute ICMP checksum here */
- icp.icmp_cksum = in_cksum(outpack, cc);
+ icp.icmp_cksum = in_cksum(outpack, sizeof(struct icmp), IP_MAXPACKET,
cc);
/* Update icmp_cksum in the raw packet data buffer. */
memcpy(outpack + offsetof(struct icmp, icmp_cksum), &icp.icmp_cksum,
sizeof(icp.icmp_cksum));
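Review bot: the bound passed on the `+` line (`sizeof(struct icmp)` and `IP_MAXPACKET`) is derived from constants rather than from the real size of `outpack`, and the `cc` computed two lines above (`cc = ICMP_MINLEN + phdr_len + datalen;`) is still handed to `in_cksum` unchanged; the hunk does not show the declaration of `outpack`, so whether `sizeof(struct icmp)` is actually its offset inside an `IP_MAXPACKET`-byte buffer cannot be checked from the diff. Validating `cc` against the real buffer length at this call site (and failing with a clear error when `datalen` is too large) keeps the checksum consistent with the bytes that are later sent, whereas truncating inside `in_cksum` returns a checksum over fewer bytes than the packet the code goes on to build.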
@@ -1079,7 +1079,7 @@
/* Update ip_len in the raw packet data buffer. */
memcpy(outpackhdr + offsetof(struct ip, ip_len), &ip.ip_len,
sizeof(ip.ip_len));
- ip.ip_sum = in_cksum(outpackhdr, cc);
+ ip.ip_sum = in_cksum(outpackhdr, sizeof(struct ip),
IP_MAXPACKET, cc);
/* Update ip_sum in the raw packet data buffer. */
memcpy(outpackhdr + offsetof(struct ip, ip_sum), &ip.ip_sum,
sizeof(ip.ip_sum));
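Review bot: the same `cc` is passed here with `sizeof(struct ip)` as the second argument, while the ICMP call in the previous hunk passes `sizeof(struct icmp)`, so the two checksums of one packet are clamped at different bounds although they are computed over the same length; if the second parameter is meant to be the offset of `addr` within the packet buffer, a comment at the call saying so (and confirming that `outpackhdr` sits `sizeof(struct ip)` bytes into that buffer, which the hunk does not show) would make the intent reviewable. A simpler alternative is to bound `cc` once, before both calls, and leave `in_cksum` with its original two-argument contract.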
Index: sbin/ping/utils.c
===================================================================
--- sbin/ping/utils.c (revision 363566)
+++ sbin/ping/utils.c (working copy)
@@ -55,7 +55,7 @@
* Checksum routine for Internet Protocol family headers (C Version)
*/
u_short
-in_cksum(u_char *addr, int len)
+in_cksum(u_char *addr, size_t struct_size, int ip_maxpacket, int len)
{
int nleft, sum;
u_char *w;
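Review bot: the new signature mixes `size_t struct_size` with `int ip_maxpacket` and `int len`; in the expression `ip_maxpacket - struct_size` the `int` is converted to `size_t`, so a negative or too-small `ip_maxpacket` silently wraps to a huge bound instead of failing. Use one unsigned type (`size_t`) for all three lengths, and because the function now encodes a ping-specific buffer layout, a clearer contract would be `in_cksum(const u_char *addr, size_t buflen, size_t len)` that rejects `len > buflen`; the comment block above the definition still describes the two-argument version and should document what `struct_size` and `ip_maxpacket` mean.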
@@ -74,7 +74,7 @@
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
- while (nleft > 1) {
+ while ((nleft > 1) && (w < &addr[ip_maxpacket - struct_size -
sizeof(u_short)])) {
u_short data;
memcpy(&data, w, sizeof(data));
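Review bot: the new loop condition on the `+` line stops one word early: the last full 16-bit word that can be read starts at `&addr[ip_maxpacket - struct_size - sizeof(u_short)]`, but `w <` excludes that address, so a region of exactly `ip_maxpacket - struct_size` bytes has its final word skipped even when `len` is in range; `w + sizeof(u_short) <= &addr[ip_maxpacket - struct_size]` is the correct test. More importantly, leaving the loop while `nleft > 1` just drops the remaining bytes and returns a checksum that does not match the data, with no error reported to the caller; checking `len` against the available size before the loop (and returning an error or aborting) turns the out-of-bounds read into a reported failure rather than a silently wrong checksum.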
Index: sbin/ping/utils.h
===================================================================
--- sbin/ping/utils.h (revision 363566)
+++ sbin/ping/utils.h (working copy)
@@ -33,6 +33,6 @@
#include <sys/types.h>
-u_short in_cksum(u_char *, int);
+u_short in_cksum(u_char *, size_t, int, int);
#endif
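Review bot: the new prototype `u_short in_cksum(u_char *, size_t, int, int);` has two adjacent unnamed `int` parameters, so nothing at the declaration site tells a caller which is the maximum packet size and which is the length, and swapping them compiles silently; name the parameters in the prototype (`size_t struct_size, int ip_maxpacket, int len`, or the unsigned variants if the definition is changed) and add a one-line comment describing the bound the function enforces, kept in step with utils.c.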