oss-sec mailing list archives

iputils ping6 -s buffer overflow


From: Solar Designer <solar () openwall com>
Date: Wed, 27 Jul 2011 03:47:27 +0400

Hi,

FWIW, I looked into this issue yesterday:

http://www.halfdog.net/Security/2011/Ping6BufferOverflow/

It turns out it's already been patched upstream sometime in 2010, so the
fix is included in iputils s20101006, and according to the RELNOTES file
s20100418 already had the fix as well:

[s20100418]
...
      ping6: do not allow too large packet size by -s option.

ping_common.c:

        case 's':               /* size of packet to send */
                datalen = atoi(optarg);
                if (datalen < 0) {
                        fprintf(stderr, "ping: illegal negative packet size %d.\n", datalen);
                        exit(2);
                }
                if (datalen > maxpacket - 8) {
                        fprintf(stderr, "ping: packet size too large: %d\n",
                                datalen);
                        exit(2);
                }
                break;

I am unhappy that there's no (redundant) bounds checking near the actual
array writes, though:

        if (!(options & F_PINGFILLED)) {
                int i;
                u_char *p = outpack+8;

                /* Do not forget about case of small datalen,
                 * fill timestamp area too!
                 */
                for (i = 0; i < datalen; ++i)
                        *p++ = i;
        }

When the bounds check is far from the actual write, the problem is too
easy to inadvertently reintroduce in a revision of the code.

...and I do find it somewhat ridiculous that an issue like this was
still found in a ping program in 2010.  Well, at least both ping and
ping6 are smart enough to drop root (if run SUID root and invoked by
non-root) right after acquiring the raw socket, before parsing the
command-line.  So even if the issue were exploitable and ping6 were
installed SUID root, the impact would be limited.

Alexander

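As an added illustration of the point about redundant checks near the write (example code written for this archive page, not Alexander's code and not iputils' own): a fill routine of the same shape as the loop quoted above, with the bound re-checked against the buffer at the write site so it refuses a datalen that would run past outpack regardless of what the -s option parser checked. MAXPACKET, ICMP_HDR_LEN, fill_data and the buffer size are assumptions for the demo.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed demo buffer, not iputils' own: an 8-byte ICMP header
 * followed by the data area, like ping6's outpack. Size is assumed. */
#define MAXPACKET    128
#define ICMP_HDR_LEN 8

static unsigned char outpack[MAXPACKET];

/* Fill the data area with the 0,1,2,... pattern (what ping does when
 * no -p pattern is given), but re-check the bound against the buffer
 * at the write site instead of trusting the -s option parser alone.
 * Returns the number of bytes written, or -1 when datalen does not fit. */
int fill_data(unsigned char *buf, size_t bufsize, int datalen)
{
    unsigned char *p;
    int i;

    if (bufsize < ICMP_HDR_LEN)
        return -1;                       /* no room even for the header */
    if (datalen < 0 || (size_t)datalen > bufsize - ICMP_HDR_LEN)
        return -1;                       /* refuse rather than overflow */

    p = buf + ICMP_HDR_LEN;
    for (i = 0; i < datalen; ++i)
        *p++ = (unsigned char)i;
    return datalen;
}

int main(void)
{
    /* constructed inputs: a typical size, the largest that fits,
     * one byte too many, the whole buffer, and a negative value */
    int sizes[] = { 56, MAXPACKET - ICMP_HDR_LEN,
                    MAXPACKET - ICMP_HDR_LEN + 1, MAXPACKET, -1 };
    size_t k;

    for (k = 0; k < sizeof sizes / sizeof sizes[0]; ++k)
        printf("datalen %4d: fill returns %d\n", sizes[k],
               fill_data(outpack, sizeof outpack, sizes[k]));
    return 0;
}
```

A datalen of 120 fills the buffer exactly; 121 and above, and any negative value, are rejected at the write site even if an earlier check is removed.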