From c03e877a887f9e12779bdb38f48f5e691ba3a85b Mon Sep 17 00:00:00 2001 From: Warner Losh Date: Wed, 1 Apr 1998 00:32:18 +0000 Subject: [PATCH] A fairly rare possible buffer overflow: Theo fixed this and tqbf reported it Obtained from: OpenBSD --- sbin/ping/ping.8 | 5 ++++- sbin/ping/ping.c | 17 +++++++++++++---- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/sbin/ping/ping.8 b/sbin/ping/ping.8 index befbef0b18d5..76bb0908f6aa 100644 --- a/sbin/ping/ping.8 +++ b/sbin/ping/ping.8 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" @(#)ping.8 8.2 (Berkeley) 12/11/93 -.\" $Id: ping.8,v 1.12 1997/07/18 17:52:03 wollman Exp $ +.\" $Id: ping.8,v 1.13 1998/03/19 07:45:57 charnier Exp $ .\" .Dd March 1, 1997 .Dt PING 8 @@ -173,6 +173,9 @@ the .Xr traceroute 8 command is usually better at determining the route packets take to a particular destination. +If more routes come back than should, such as due to an illegal spoofed +packet, ping will print the route list and then truncate it at the correct +spot. Many hosts ignore or discard the .Tn RECORD_ROUTE option. diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c index f98123d92559..c1f558e2aae3 100644 --- a/sbin/ping/ping.c +++ b/sbin/ping/ping.c @@ -45,7 +45,7 @@ static const char copyright[] = static char sccsid[] = "@(#)ping.c 8.1 (Berkeley) 6/5/93"; */ static const char rcsid[] = - "$Id: ping.c,v 1.28 1997/08/11 04:33:07 fenner Exp $"; + "$Id: ping.c,v 1.29 1997/12/24 00:59:02 imp Exp $"; #endif /* not lint */ /* @@ -261,7 +261,6 @@ main(argc, argv) errno = EPERM; err(EX_NOPERM, "-l flag"); } - options |= F_FLOOD; preload = ultmp; break; case 'L': @@ -787,9 +786,14 @@ pr_pack(buf, cc, from) cp += i; break; } - old_rrlen = i; - bcopy((char *)cp, old_rr, i); + if (i < MAXIPOPTLEN) { + old_rrlen = i; + bcopy((char *)cp, old_rr, i); + } else + old_rrlen = 0; + (void)printf("\nRR: "); + j = 0; for (;;) { l = *++cp; l = (l<<8) + *++cp; 
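Review bot: The new guard before `bcopy` in the `@@ -787,9 +786,14 @@` hunk tests `i < MAXIPOPTLEN`, while the truncation check added in the following hunk (`@@ -804,8 +808,13 @@`) tests `j >= MAX_IPOPTLEN`. Neither macro's definition nor the declaration of `old_rr` is visible in this diff, so it cannot be confirmed that both names exist, have the same value, and match the size of the destination buffer. Because the purpose of the check is to keep the copy inside `old_rr`, binding it to the buffer itself avoids that drift, for example `if (i < (int)sizeof(old_rr)) {` (assuming `old_rr` is an array in this file), and the same bound should be used for `j` in the next hunk. A short comment such as `/* RR length comes from the packet; never copy more than old_rr holds */` would record why the else branch resets `old_rrlen` to 0. pr_pack's body starts and ends outside the hunk.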
@@ -804,8 +808,13 @@ pr_pack(buf, cc, from)
 }
 hlen -= 4;
 i -= 4;
+ j += 4;
 if (i <= 0)
 break;
+ if (j >= MAX_IPOPTLEN) {
+ (void) printf("\t(truncated route)");
+ break;
+ }
 (void)putchar('\n');
 }
 break;
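Review bot: When the added `j >= MAX_IPOPTLEN` branch breaks out of the loop, `i` is still positive, so the bytes the option still claims have not been stepped over with `cp` or subtracted from `hlen`. The enclosing option loop is outside the hunk, but if it continues from the current `cp` it would presumably interpret the rest of the oversized route data as further option types. Consider ending option parsing for the packet on this path rather than only leaving the print loop, and document the intent with a comment such as `/* sender claimed more route data than an IP header can carry; stop parsing options */`. The bound is also checked only after an entry has already been read through `*++cp`, so whether those reads stay within the `cc` bytes actually received depends on checks not visible here.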