Subject: Re: [RHSA-2000:087-02] Potential security problems in ping fixed.
From: Tim Robbins (fyre BOX3N.GUMBYNET.ORG)
Date: Fri Oct 20 2000 - 19:44:01 CDT
On Sat, 21 Oct 2000, Vanja Hrustic wrote:
*snip*
> [root@prod bin]# ping -c 1 -s 65690 localhost
> WARNING: packet size 65690 is too large. Maximum is 65507
> Segmentation fault (core dumped)
> [root@prod bin]#
The code responsible for this, from iputils-current (snapshot):

    if (datalen > 0xFFFF - 8 - optlen - 20) {
        if (uid) {
            fprintf(stderr, "Error: packet size %d is too large. Maximum is %d\n",
                    datalen, 0xFFFF-8-20-optlen);
            exit(2);
        }
        fprintf(stderr,
                "WARNING: packet size %d is too large. Maximum is %d\n",
                datalen, 0xFFFF-8-20-optlen);
    }

Excuse the bad formatting. I'm not sure why ping allows the superuser to
specify packet sizes larger than allowed by IP; in my opinion this is a
bug. As far as I can tell, a large value for `datalen' causes outpack[] to
overflow. This is not a security problem, simply a programming error. I
suggest removing the "if (uid)" check and exiting regardless of the uid.
Tim
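
Added example, not part of the original message and not iputils code: the size check as quoted above next to the suggested "reject regardless of uid" form, with a helper that shows when header plus payload would run past the send buffer. The function names and the 0x10000 buffer size are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stddef.h>

#define ICMP_HDR_LEN 8        /* ICMP echo header */
#define IP_HDR_LEN   20       /* IPv4 header without options */
#define OUTPACK_SIZE 0x10000  /* assumed size of the send buffer */

/* Largest payload IP can carry for a given IP option length. */
static int max_datalen(int optlen)
{
    return 0xFFFF - ICMP_HDR_LEN - IP_HDR_LEN - optlen;
}

/* Logic as quoted in the post: only non-root callers are stopped.
 * Returns 0 to continue, 2 where the quoted code calls exit(2). */
static int check_as_posted(int datalen, int optlen, int uid)
{
    if (datalen > max_datalen(optlen)) {
        if (uid)
            return 2;
        /* uid 0: warning only, execution continues */
    }
    return 0;
}

/* Suggested change: reject oversized requests regardless of uid.
 * Rejecting negative sizes is an addition made for this example. */
static int check_suggested(int datalen, int optlen)
{
    if (datalen < 0 || datalen > max_datalen(optlen))
        return 2;
    return 0;
}

/* Would header + payload run past the end of the send buffer? */
static int overruns_buffer(int datalen)
{
    return (size_t)ICMP_HDR_LEN + (size_t)datalen > OUTPACK_SIZE;
}

int main(void)
{
    int sizes[] = { 56, 65507, 65690 };  /* 65690 is the size in the quoted report */
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("datalen=%d root_as_posted=%d suggested=%d overrun=%d\n",
               sizes[i], check_as_posted(sizes[i], 0, 0),
               check_suggested(sizes[i], 0), overruns_buffer(sizes[i]));
    return 0;
}
```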