[17298] in bugtraq


Re: [RHSA-2000:087-02] Potential security problems in ping fixed.

daemon@ATHENA.MIT.EDU (Tim Robbins)
Mon Oct 23 13:41:41 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.21.0010211134400.12344-100000@box3n.gumbynet.org>
Date:         Sat, 21 Oct 2000 11:44:01 +1100
Reply-To: Tim Robbins <fyre@BOX3N.GUMBYNET.ORG>
From: Tim Robbins <fyre@BOX3N.GUMBYNET.ORG>
X-To:         Vanja Hrustic <vanja@RELAYGROUP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10010210003230.2791-100000@emx.siamrelay.com>

On Sat, 21 Oct 2000, Vanja Hrustic wrote:

*snip*

> [root@prod bin]# ping -c 1 -s 65690 localhost
> WARNING: packet size 65690 is too large. Maximum is 65507
> Segmentation fault (core dumped)
> [root@prod bin]#

The code responsible for this, from iputils-current (snapshot):
if (datalen > 0xFFFF - 8 - optlen - 20) {
    if (uid) {
        fprintf(stderr, "Error: packet size %d is too large. Maximum is %d\n",
                datalen, 0xFFFF-8-20-optlen);
        exit(2);
    }
    fprintf(stderr,
            "WARNING: packet size %d is too large. Maximum is %d\n",
            datalen, 0xFFFF-8-20-optlen);
}

Excuse the bad formatting. I'm not sure why ping allows the superuser to
specify packet sizes larger than allowed by IP; in my opinion this is a
bug. As far as I can tell, a large value for `datalen' causes outpack[] to
overflow. This is not a security problem, simply a programming error. I
suggest removing the "if (uid)" check and exiting regardless of the uid.

Tim
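The behaviour discussed in the post, as an added example that is not iputils code and not part of the original message. It reproduces the shape of the quoted check so the root-only bypass is visible, then applies the fix Tim suggests (refuse the size regardless of uid) and additionally bounds the size by the buffer that is actually filled. The header sizes (20-byte IP, 8-byte ICMP) and the 0x10000-byte outpack[] are assumptions for the example; the post does not state the real buffer size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not code from iputils or from the post.
 * Assumptions (not stated in the post): 20-byte IP header, 8-byte ICMP
 * header, and an outpack[] of 0x10000 bytes.
 */
#define IP_HDR_LEN    20
#define ICMP_HDR_LEN   8
#define OUTPACK_SIZE  0x10000

static unsigned char outpack[OUTPACK_SIZE];   /* assumed size, see above */

/* Largest payload that still fits in the 16-bit IP total length field. */
int max_datalen(int optlen)
{
    return 0xFFFF - ICMP_HDR_LEN - IP_HDR_LEN - optlen;
}

/* The check as quoted: non-root is refused, root gets a warning and goes on.
 * Returns 0 if the caller proceeds to build the packet, -1 if it would exit. */
int check_datalen_quoted(int datalen, int optlen, int uid)
{
    if (datalen > max_datalen(optlen)) {
        if (uid)
            return -1;          /* "Error: ... too large", exit(2) */
        /* root: "WARNING: ... too large", but execution continues */
    }
    return 0;
}

/* Hardened check: refuse oversized sizes for every uid, and also refuse
 * anything that would not fit in the buffer about to be written. */
int check_datalen_hardened(int datalen, int optlen, size_t bufsize)
{
    if (datalen < 0)
        return -1;
    if (datalen > max_datalen(optlen))
        return -1;
    if ((size_t)datalen + ICMP_HDR_LEN > bufsize)
        return -1;
    return 0;
}

/* Bytes that a fill of header + datalen would write past the end of a
 * buffer of bufsize bytes; 0 means it fits. */
size_t bytes_past_end(int datalen, size_t bufsize)
{
    size_t need = (size_t)datalen + ICMP_HDR_LEN;
    return need > bufsize ? need - bufsize : 0;
}

/* Build the packet the safe way: pattern-fill only after the hardened check.
 * Returns the number of bytes placed in outpack, or -1 if refused. */
int build_packet(int datalen, int optlen)
{
    if (check_datalen_hardened(datalen, optlen, sizeof outpack) < 0)
        return -1;
    memset(outpack, 0, ICMP_HDR_LEN);                  /* stand-in for the ICMP header */
    memset(outpack + ICMP_HDR_LEN, 0x55, (size_t)datalen);
    return ICMP_HDR_LEN + datalen;
}

int main(int argc, char **argv)
{
    int datalen = argc > 1 ? atoi(argv[1]) : 65690;    /* the size from the report */
    int uid = argc > 2 ? atoi(argv[2]) : 0;            /* 0 = root */

    printf("max payload with no options: %d\n", max_datalen(0));
    printf("quoted check (uid %d): %s\n", uid,
           check_datalen_quoted(datalen, 0, uid) == 0 ? "proceeds" : "exits");
    printf("bytes written past outpack[]: %zu\n",
           bytes_past_end(datalen, sizeof outpack));
    printf("hardened build_packet: %d\n", build_packet(datalen, 0));
    return 0;
}
```

Run with `./a.out 65690 0` to see the quoted check let root proceed with a size that would run past the assumed buffer, and with `./a.out 65690 1000` to see the non-root path refuse it; the hardened path refuses both. The buffer-size bound is an extra beyond what the post proposes, since the IP limit and the buffer limit are independent and the fill must satisfy whichever is smaller.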
