Bug 16677
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | "ping -c 1 -s 65690 localhost" segfaults | | |
| Product: | [Retired] Red Hat Linux | Reporter: | Daniel Roesen <dr> |
| Component: | iputils | Assignee: | Crutcher Dunnavant <crutcher> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.2 | Keywords: | Security |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2000-10-18 14:44:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Daniel Roesen
2000-08-21 13:54:07 UTC
The code path problem is explicitly on the root execution path:

```c
if (datalen > 0xFFFF - 8 - optlen - 20) {
    if (uid) {
        fprintf(stderr, "Error: packet size %d is too large. Maximum is %d\n",
                datalen, 0xFFFF-8-20-optlen);
        exit(1);
    }
    fprintf(stderr, "WARNING: packet size %d is too large. Maximum is %d\n",
            datalen, 0xFFFF-8-20-optlen);
}
```

Note that if !uid (running as root), we don't exit. Now, the problem is that the outgoing packet buffer is an array on the stack. We overflow this buffer with such a large packet size. This path is not exploitable as you have to be root to experience the bug.

ping from iputils-20001007-1 does not segfault (on alpha at least) with "ping -c 1 -s 65690 localhost".

The bug is filed against i386, not alpha. And was verified by several people, including msw. So why do you mark it "resolved"? Reopening.

It still segfaults on ia32, we need to test this against Alexey's new release.

This is exploitable in some of the web CGI ping applications people run too. See previous discussions on other security lists.

OK, so changing severity/priority to "security"/"high" again.

Fixed in iputils-20001010-1.

Hm, and where can we find that errata update? It's now more than a week since RESOLVED/ERRATA and no errata update announced or on ftp. Reopening until the update hits the street.

Patience, grasshopper :-)

I take this comment as a personal offense. Is that RH's culture in dealing with security problems?
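As an added example (not iputils source and not code from any commenter above), the size decision quoted in the report is reproduced beside a hardened version whose limit is tied to the buffer rather than to the caller's uid; the header sizes come from the numbers in the report, while the `outpack` capacity, the fill pattern and the function names are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Sizes from the numbers in the report: 16-bit IP total length, 20-byte IP
 * header, 8-byte ICMP header. */
#define MAX_IP_PACKET 0xFFFF
#define IP_HDR_LEN    20
#define ICMP_HDR_LEN  8

/* Outgoing packet buffer; its capacity is a constructed assumption, not the
 * real iputils buffer. */
static unsigned char outpack[MAX_IP_PACKET];

/* Largest ICMP payload that fits in one datagram with optlen option bytes. */
int max_datalen(int optlen) {
    return MAX_IP_PACKET - ICMP_HDR_LEN - IP_HDR_LEN - optlen;
}

/* Decision as reported: a non-root caller is refused, root only gets a warning
 * and the oversize length is still used. Returns 1 to proceed, 0 to refuse. */
int vulnerable_accepts(int datalen, int optlen, int uid) {
    if (datalen > max_datalen(optlen)) {
        if (uid) {
            fprintf(stderr, "Error: packet size %d is too large. Maximum is %d\n",
                    datalen, max_datalen(optlen));
            return 0;
        }
        fprintf(stderr, "WARNING: packet size %d is too large. Maximum is %d\n",
                datalen, max_datalen(optlen));
    }
    return 1;
}

/* Hardened decision: the limit is a property of the buffer, so it applies to
 * every caller; negative lengths are refused too. */
int hardened_accepts(int datalen, int optlen) {
    return datalen >= 0 && datalen <= max_datalen(optlen);
}

/* Builds an echo request into outpack under the hardened check, so the write
 * cannot exceed the buffer. Returns bytes written, or -1 if refused. */
int build_packet(int datalen, int optlen) {
    size_t need = (size_t)ICMP_HDR_LEN + (size_t)datalen;
    if (!hardened_accepts(datalen, optlen) || need > sizeof outpack)
        return -1;
    memset(outpack, 0, ICMP_HDR_LEN);
    outpack[0] = 8;                                        /* ICMP echo request */
    memset(outpack + ICMP_HDR_LEN, 0xAB, (size_t)datalen); /* constructed fill */
    return (int)need;
}
```

With `-s 65690` and no IP options, `vulnerable_accepts` still returns 1 for uid 0, which is exactly the root-only path the report describes; `hardened_accepts` refuses it for every caller.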