CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	Cy Schubert <cy@FreeBSD.org>
	Thu, 23 Feb 2023 05:43:17 +0000 (21:43 -0800)
committer	Cy Schubert <cy@FreeBSD.org>
	Mon, 27 Feb 2023 18:46:42 +0000 (10:46 -0800)
commit	ed4f9a251868149dd738640568b2fc48338b39e1
tree	37b4966fd0d973031a746f697f65fc70500f90df	tree \| snapshot
parent	08627f81cde12f5deb282993416ec1923da887b3	commit \| diff

ping: Fix unsigned integer underflow resuling in a ping -R segfault

ping -R (F_RROUTE) will loop at ping.c:1381 until it segfaults or
the unsigned int hlen happens to be less than the size of an IP header:

slippy$ ping -R 192.168.0.101
PING 192.168.0.101 (192.168.0.101): 56 data bytes
64 bytes from 192.168.0.101: icmp_seq=0 ttl=63 time=1.081 ms
RR: 192.168.0.1
192.168.0.101
192.168.0.101
10.1.1.254
10.1.1.91
unknown option bb
unknown option 32
unknown option 6
...
unknown option 96
unknown option 2d
Segmentation fault

The reason for this is while looping through loose source routing (LSRR)
and strict source routing (SSRR), hlen will become smaller than the IP
header. It may even become negative. This should terminate the loop.
However, when hlen is unsigned, an integer underflow occurs becoming a
large number causing the loop to continue virtually forever until hlen
is either by chance smaller than the lenghth of an IP header or it
segfaults.

Approved by: re (cperciva)
Reviewed by: asomers
Fixes: 46d7b45a267b
Differential Revision: https://reviews.freebsd.org/D38744

(cherry picked from commit 70960bb86a3ba5b6f5c4652e613e6313a7ed1ac1)
(cherry picked from commit 18936d3526f3090e4164b8155762bf5bd54038a8)