Bugtraq mailing list archives

Re: [RHSA-2000:087-02] Potential security problems in ping fixed.


From: Tim Robbins <fyre () BOX3N GUMBYNET ORG>
Date: Sat, 21 Oct 2000 11:44:01 +1100

On Sat, 21 Oct 2000, Vanja Hrustic wrote:

*snip*

[root@prod bin]# ping -c 1 -s 65690 localhost
WARNING: packet size 65690 is too large. Maximum is 65507
Segmentation fault (core dumped)
[root@prod bin]#

The code responsible for this, from iputils-current (snapshot):
if (datalen > 0xFFFF - 8 - optlen - 20) {
        if (uid) {
                fprintf(stderr, "Error: packet size %d is too large. Maximum is %d\n",
                        datalen, 0xFFFF-8-20-optlen);
                exit(2);
        }
        fprintf(stderr,
                "WARNING: packet size %d is too large. Maximum is %d\n",
                datalen, 0xFFFF-8-20-optlen);
}

Excuse the bad formatting. I'm not sure why ping allows the superuser to
specify packet sizes larger than allowed by IP; in my opinion this is a
bug. As far as I can tell, a large value for 'datalen' causes outpack[] to
overflow. This is not a security problem, simply a programming error. I
suggest removing the "if (uid)" check and exiting regardless of the uid.

Tim

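As an added illustration (not code from iputils or from anyone in this thread), the functions below contrast the length check described in the post, where only a non-root caller is refused and root is merely warned, with a check that rejects an oversized datalen for every uid and a packet builder that refuses to write past its buffer. The constant OUTPACK_SIZE and all function names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_IP_PACKET 0xFFFF   /* largest IPv4 total length */
#define IP_HDR_LEN    20       /* IPv4 header without options */
#define ICMP_HDR_LEN  8        /* ICMP echo header */
#define OUTPACK_SIZE  65536    /* assumed size of the outgoing packet buffer (constructed) */

static uint8_t outpack[OUTPACK_SIZE];  /* stand-in for ping's outpack[] */

/* Largest ICMP payload that fits once IP header, ICMP header and IP options are counted. */
int max_datalen(int optlen) {
    return MAX_IP_PACKET - IP_HDR_LEN - ICMP_HDR_LEN - optlen;
}

/* Behaviour quoted in the post: non-root (uid != 0) is refused, root is only warned
 * and the oversized length is still accepted. Returns 1 if the length is accepted. */
int accept_datalen_warn_root(int datalen, int optlen, int uid) {
    if (datalen > max_datalen(optlen)) {
        if (uid)
            return 0;
        fprintf(stderr, "WARNING: packet size %d is too large. Maximum is %d\n",
                datalen, max_datalen(optlen));
    }
    return 1;
}

/* The fix the post suggests: reject an out-of-range length regardless of uid.
 * Negative lengths are rejected too, since datalen comes from user input. */
int accept_datalen_strict(int datalen, int optlen) {
    return datalen >= 0 && datalen <= max_datalen(optlen);
}

/* Fill outpack with an echo request of the given payload length.
 * Returns the number of bytes written, or -1 if the packet would not fit. */
int build_packet(int datalen, int optlen) {
    if (!accept_datalen_strict(datalen, optlen))
        return -1;
    /* Defence in depth: the buffer bound is checked independently of the IP limit. */
    if ((size_t)ICMP_HDR_LEN + (size_t)datalen > sizeof outpack)
        return -1;
    memset(outpack, 0, ICMP_HDR_LEN);
    outpack[0] = 8;                                   /* ICMP type 8: echo request */
    memset(outpack + ICMP_HDR_LEN, 0xA5, (size_t)datalen);  /* constructed payload */
    return ICMP_HDR_LEN + datalen;
}
```

With optlen 0 the limit is 65507, the same figure ping prints in the warning quoted above.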