Message-ID: <20110726234727.GA28271@openwall.com>
Date: Wed, 27 Jul 2011 03:47:27 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: iputils ping6 -s buffer overflow

Hi,

FWIW, I looked into this issue yesterday:

http://www.halfdog.net/Security/2011/Ping6BufferOverflow/

It turns out it's already been patched upstream sometime in 2010, so the
fix is included in iputils s20101006, and according to the RELNOTES file
s20100418 already had the fix as well:

[s20100418]
...
ping6: do not allow too large packet size by -s option.

ping_common.c:

        case 's':               /* size of packet to send */
                datalen = atoi(optarg);
                if (datalen < 0) {
                        fprintf(stderr, "ping: illegal negative packet size %d.\n", datalen);
                        exit(2);
                }
                if (datalen > maxpacket - 8) {
                        fprintf(stderr, "ping: packet size too large: %d\n", datalen);
                        exit(2);
                }
                break;

I am unhappy that there's no (redundant) bounds checking near the actual
array writes, though:

        if (!(options & F_PINGFILLED)) {
                int i;
                u_char *p = outpack+8;

                /* Do not forget about case of small datalen,
                 * fill timestamp area too!
                 */
                for (i = 0; i < datalen; ++i)
                        *p++ = i;
        }

When the bounds check is far from the actual write, the problem is too
easy to inadvertently reintroduce in a revision of the code.

...and I do find it somewhat ridiculous that an issue like this was
still found in a ping program in 2010.

Well, at least both ping and ping6 are smart enough to drop root (if run
SUID root and invoked by non-root) right after acquiring the raw socket,
before parsing the command-line.  So even if the issue were exploitable
and ping6 were installed SUID root, the impact would be limited.

Alexander
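The point the message makes, that a bounds check living only in option parsing is easy to lose in a later revision, is illustrated below with an added C example. This is not iputils code and not part of the original post: it keeps the parse-time check quoted above and adds the write-adjacent check the author asks for, so the fill loop refuses to run when `datalen` does not fit the buffer it is handed. The buffer size `MAXPACKET`, the helper names `parse_packet_size` and `fill_pattern`, and their return conventions are assumptions made for this example; `outpack`, `datalen` and `maxpacket` follow the names in the message.

```c
/* Added example, not iputils code: a bounds check next to the write that
 * depends on it, in addition to the one done while parsing -s.
 * MAXPACKET, parse_packet_size() and fill_pattern() are assumptions for
 * this illustration. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPACKET    128   /* constructed size; the real buffer is larger */
#define ICMP_HDR_LEN 8     /* ICMP header occupies outpack[0..7] */

typedef unsigned char u_char;

static u_char outpack[MAXPACKET];

/* Parse-time check, mirroring the ping_common.c fragment quoted in the
 * message (strtol instead of atoi so junk input is rejected too).
 * Returns the validated payload length, or -1 if the value is rejected. */
int parse_packet_size(const char *optarg, int maxpacket)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(optarg, &end, 10);
    if (errno != 0 || end == optarg || *end != '\0')
        return -1;                          /* not a clean integer */
    if (v < 0)
        return -1;                          /* "illegal negative packet size" */
    if (v > maxpacket - ICMP_HDR_LEN)
        return -1;                          /* "packet size too large" */
    return (int)v;
}

/* Write-adjacent check: the fill loop validates datalen against the
 * buffer it actually writes into, regardless of what option parsing did.
 * Returns the number of payload bytes written, or -1 without touching
 * the buffer. */
int fill_pattern(u_char *buf, size_t buflen, int datalen)
{
    u_char *p;
    int i;

    if (buflen < ICMP_HDR_LEN)
        return -1;                          /* no room even for the header */
    if (datalen < 0 || (size_t)datalen > buflen - ICMP_HDR_LEN)
        return -1;                          /* would overrun buf */

    p = buf + ICMP_HDR_LEN;
    for (i = 0; i < datalen; ++i)
        *p++ = (u_char)i;                   /* same pattern as the iputils loop */
    return datalen;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "56";   /* ping's default payload */
    int datalen = parse_packet_size(arg, MAXPACKET);
    int n;

    if (datalen < 0) {
        fprintf(stderr, "ping: bad packet size '%s'\n", arg);
        return 2;
    }
    n = fill_pattern(outpack, sizeof outpack, datalen);
    if (n < 0) {
        fprintf(stderr, "ping: internal error: %d bytes do not fit\n", datalen);
        return 2;
    }
    printf("filled %d payload bytes after the %d-byte header\n", n, ICMP_HDR_LEN);
    return 0;
}
```

Run it as `./a.out 120` or `./a.out 121` against the constructed 128-byte buffer: the first is accepted, the second is rejected at parse time, and if the parse-time check were ever dropped or loosened, `fill_pattern` would still return -1 instead of writing past `outpack`.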