HomeFreeBSD
Diffusion FreeBSD src repository 46d7b45a267b

ping: Fix handling of IP packet sizes
46d7b45a267b
Actions

Description

ping: Fix handling of IP packet sizes

Ping reads raw IP packets to parse ICMP responses. When reading the
IP Header Len (IHL) ping was was taking the value from the provided
packet without any validation. This could lead to remotely triggerable
stack corruption.

Validate the IHL against expected and recieved data sizes when reading
from the received packet and when reading any quoted packets from within
the ICMP response.

Approved by: so
Reviewed by: markj, asomers
Security: FreeBSD-SA-22:15.ping
Security: CVE-2022-23093
Sponsored by: NetApp, Inc.
Sponsored by: Klara, Inc.
X-NetApp-PR: #77
Differential Revision: https://reviews.freebsd.org/D37195

Details

Provenance
thjAuthored on Nov 17 2022, 10:31 AM
gordonCommitted on Nov 29 2022, 10:51 PM
Reviewer
markj
Differential Revision
D37195: Remote stack corruption in ping (Embargoed)
Parents
rGa6d40b0ad2c5: libc: remove unneeded sys/types.h include from several synopses
Branches
Unknown
Tags
Unknown
Reverted By
D38431: ping: Reference implementation

Event Timeline

gordon committed rG46d7b45a267b: ping: Fix handling of IP packet sizes (authored by thj).Nov 29 2022, 10:51 PM
gordon added an edge: D37195: Remote stack corruption in ping (Embargoed).Nov 29 2022, 10:55 PM
gordon mentioned this in rG94395be05c14: ping: Fix handling of IP packet sizes.
gordon mentioned this in rG186f495d4be1: ping: Fix handling of IP packet sizes.
gordon mentioned this in rG66c7b53d9516: ping: Fix handling of IP packet sizes.Nov 29 2022, 11:15 PM
gordon mentioned this in rGe0cb8021a8e0: ping: Fix handling of IP packet sizes.
gordon mentioned this in rG1d66ec7d51e9: ping: Fix handling of IP packet sizes.Nov 29 2022, 11:18 PM
jlduran_gmail.com added a reverting change: D38431: ping: Reference implementation.Feb 7 2023, 11:34 PM
jlduran_gmail.com mentioned this in D38470: ping tests: Add tests for IP header options.Feb 9 2023, 8:46 PM
jlduran_gmail.com mentioned this in D38475: ping: Remove vestigial code.Feb 9 2023, 11:16 PM
jlduran_gmail.com mentioned this in D38528: ping: Test IHL/quoted data/inner packet paths.Feb 12 2023, 3:04 AM
jlduran_gmail.com mentioned this in D38593: ping: Fix an unsigned integer overflow (D38470 alternate take).Feb 14 2023, 6:41 PM
cy mentioned this in D38744: ping: Fix integer underflow resuling in a ping -R segfault.Feb 23 2023, 6:50 AM
cy mentioned this in rG70960bb86a3b: ping: Fix unsigned integer underflow resuling in a ping -R segfault.Feb 24 2023, 2:59 PM
cy mentioned this in rG18936d3526f3: ping: Fix unsigned integer underflow resuling in a ping -R segfault.Feb 27 2023, 6:25 PM
cy mentioned this in rG4cafd65c8f1d: ping: Fix unsigned integer underflow resuling in a ping -R segfault.
cy mentioned this in rGed4f9a251868: ping: Fix unsigned integer underflow resuling in a ping -R segfault.Feb 27 2023, 6:47 PM
markj mentioned this in rG1dc1f6bd3138: ping: Remove pr_retip().Mar 19 2023, 4:34 PM
markj mentioned this in rG20012a3a1a04: ping tests: Test IHL/quoted data/inner packet paths.Oct 11 2023, 6:01 PM
markj mentioned this in rGb9e2bb1d6e41: ping tests: Test IHL/quoted data/inner packet paths.Nov 6 2023, 4:47 PM

Changes (1)

PathSize
sbin/
ping/

rG46d7b45a267b

View Options

sbin/ping/ping.c

Loading...