oss-sec mailing list archives
iputils ping6 -s buffer overflow
From: Solar Designer <solar () openwall com>
Date: Wed, 27 Jul 2011 03:47:27 +0400
Hi,

FWIW, I looked into this issue yesterday:

http://www.halfdog.net/Security/2011/Ping6BufferOverflow/

It turns out it's already been patched upstream sometime in 2010, so the fix is included in iputils s20101006, and according to the RELNOTES file s20100418 already had the fix as well:

[s20100418]
...
ping6: do not allow too large packet size by -s option.

ping_common.c:

		case 's':		/* size of packet to send */
			datalen = atoi(optarg);
			if (datalen < 0) {
				fprintf(stderr, "ping: illegal negative packet size %d.\n", datalen);
				exit(2);
			}
			if (datalen > maxpacket - 8) {
				fprintf(stderr, "ping: packet size too large: %d\n", datalen);
				exit(2);
			}
			break;

I am unhappy that there's no (redundant) bounds checking near the actual array writes, though:

	if (!(options & F_PINGFILLED)) {
		int i;
		u_char *p = outpack+8;

		/* Do not forget about case of small datalen,
		 * fill timestamp area too!
		 */
		for (i = 0; i < datalen; ++i)
			*p++ = i;
	}

When the bounds check is far from the actual write, the problem is too easy to inadvertently reintroduce in a revision of the code.

...and I do find it somewhat ridiculous that an issue like this was still found in a ping program in 2010.

Well, at least both ping and ping6 are smart enough to drop root (if run SUID root and invoked by non-root) right after acquiring the raw socket, before parsing the command-line. So even if the issue were exploitable and ping6 were installed SUID root, the impact would be limited.

Alexander
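The point about keeping a redundant bounds check next to the write, illustrated as an added example (this is not iputils code and not part of the mail above). It reproduces the two places the message quotes: the -s option check at parse time and the pattern fill that writes outpack+8 onward. The buffer size MAXPACKET, the 8-byte header constant, the use of strtol with a full-string check instead of atoi, and the function names are assumptions made for the demo; the fill routine re-derives its own limit from the buffer it writes into, so the parser can be changed or bypassed without the write becoming an overflow.

```c
/* Added example, not iputils code. Shows the upstream-style check at
 * option parsing plus the redundant check at the write site that the
 * mail asks for. MAXPACKET is a small assumed buffer size for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define MAXPACKET    128   /* assumed outpack size for the demo */
#define ICMP_HDR_LEN 8     /* header bytes that precede the pattern fill */

static unsigned char outpack[MAXPACKET];

/* Mirrors the upstream fix: validate the -s argument at parse time.
 * strtol with a full-string check is an assumption here (iputils uses
 * atoi). Returns 0 and sets *datalen_out on success, -1 if rejected. */
int parse_size_option(const char *arg, int *datalen_out)
{
    char *end;
    long v;

    if (arg == NULL || *arg == '\0')
        return -1;
    v = strtol(arg, &end, 10);
    if (*end != '\0')                     /* trailing junk, e.g. "56x" */
        return -1;
    if (v < 0)                            /* "illegal negative packet size" */
        return -1;
    if (v > MAXPACKET - ICMP_HDR_LEN)     /* "packet size too large" */
        return -1;
    *datalen_out = (int)v;
    return 0;
}

/* The pattern fill with the redundant bound the message wants: the limit is
 * computed from the destination buffer right where the writes happen, so a
 * later edit to the option parser cannot silently reintroduce the overflow.
 * Returns the number of payload bytes written, or -1 if datalen does not fit. */
int fill_payload(unsigned char *buf, size_t bufsize, int datalen)
{
    unsigned char *p = buf + ICMP_HDR_LEN;
    int i;

    if (bufsize < ICMP_HDR_LEN)
        return -1;
    if (datalen < 0 || (size_t)datalen > bufsize - ICMP_HDR_LEN)
        return -1;
    for (i = 0; i < datalen; ++i)
        *p++ = (unsigned char)i;          /* same 0,1,2,... pattern as ping */
    return datalen;
}

/* Hypothetical driver tying the two together in the order ping does it:
 * parse -s, then fill. Returns bytes written, or -1 if either check fails. */
int build_packet(const char *size_arg)
{
    int datalen;

    if (parse_size_option(size_arg, &datalen) != 0)
        return -1;
    return fill_payload(outpack, sizeof outpack, datalen);
}

int main(void)
{
    const char *args[] = { "56", "120", "121", "-1", "56x" };
    size_t n;

    for (n = 0; n < sizeof args / sizeof args[0]; ++n)
        printf("-s %-4s -> %d\n", args[n], build_packet(args[n]));

    /* Simulate a parser regression: a value that skipped parse-time checks
     * is still caught at the write site. */
    printf("direct fill of 65536 -> %d\n",
           fill_payload(outpack, sizeof outpack, 65536));
    return 0;
}
```

The second check costs one comparison per packet build and is the one that matters if someone later refactors option parsing; the parse-time check mainly exists to give the user a meaningful error message.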
Current thread:
- iputils ping6 -s buffer overflow Solar Designer (Jul 26)