Possible integer overflow with -s arg · Issue #542 · iputils/iputils · GitHub
Possible integer overflow with -s arg #542
Closed
Description

@mimicria

Hi!
The tainted variable rts.datalen is limited to the value INT_MAX:

rts.datalen = strtol_or_err(optarg, _("invalid argument"), 0, INT_MAX);

The integer value rts.datalen + 28 is passed to malloc without checking its bounds:

rts.outpack = malloc(rts.datalen + 28);

So UBSAN finds an integer overflow in:

hold += ((hold + 511) / 512) * (rts->optlen + 20 + 16 + 64 + 160);

where an addition to rts->datalen also occurs.

../ping/ping.c:994:7: runtime error: signed integer overflow: -2147483641 + -1090518520 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../ping/ping.c:994:7 in

Steps to reproduce:

  1. Build with clang and sanitizers:
     export CC="clang"
     export CFLAGS="-O0 -g -fsanitize=address,undefined"
     export LDFLAGS="-O0 -g -fsanitize=address,undefined"
     ./configure
     make
  2. Configure the sanitizers:
     export UBSAN_OPTIONS="log_path=$PWD/ubsan.log:check_initialization_order=1:halt_on_error=0"
     export ASAN_OPTIONS="log_path=$PWD/asan.log:detect_leaks=1:check_initialization_order=1:verbosity=0:detect_stack_use_after_return=1:halt_on_error=0"
     export LSAN_OPTIONS="log_path=$PWD/lsan.log:halt_on_error=0"
  3. Run ./ping -s 2147483647 192.168.0.1
  4. cat ubsan.log.xxx

The bug was found by the Svace static analyzer.
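As an added illustration of the fix a maintainer would want (example code written for this page, not code from the issue or from iputils), the two size computations quoted above are recomputed with the GCC/Clang checked-arithmetic builtins so that an oversized -s value is rejected before malloc or the socket-buffer setup ever see a wrapped number. The struct, the constant names, the assumption that hold starts from datalen + 8 (consistent with the report's -2147483641, which is what INT_MAX + 8 wraps to in a 32-bit int), and the sample values are all constructed for this example; the only things taken from the page are the +28, the 511/512 rounding and the 20 + 16 + 64 + 160 per-block overhead.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the two fields of ping's run-time state that the issue
 * mentions (constructed for this example; not iputils' own struct). */
struct ping_rts {
    int datalen;   /* payload bytes requested with -s */
    int optlen;    /* IP option bytes; 0 when no options are used */
};

enum {
    OUTPACK_SLACK   = 28,                 /* the +28 in malloc(rts.datalen + 28) */
    ICMP_HDR        = 8,                  /* assumed: hold starts from datalen + 8 */
    PER_BLOCK_FIXED = 20 + 16 + 64 + 160  /* constants from the quoted expression */
};

/* Checked equivalent of  rts.datalen + 28  as a malloc size.
 * Returns 0 instead of a wrapped value when the sum does not fit in int. */
size_t outpack_size(int datalen)
{
    int total;
    if (datalen < 0 || __builtin_add_overflow(datalen, OUTPACK_SLACK, &total))
        return 0;
    return (size_t)total;
}

/* Checked equivalent of the socket-buffer sizing quoted in the issue:
 *   hold  = datalen + 8;                                      (assumed)
 *   hold += ((hold + 511) / 512) * (optlen + 20 + 16 + 64 + 160);
 * Each intermediate sum and the product are tested with the compiler's
 * checked-arithmetic builtins. Returns -1 if any step would overflow. */
int sockbuf_size_for(int datalen, int optlen)
{
    int hold, rounded, blocks, per_block, extra;

    if (datalen < 0 || optlen < 0)
        return -1;
    if (__builtin_add_overflow(datalen, ICMP_HDR, &hold))
        return -1;                       /* INT_MAX + 8 fails here */
    if (__builtin_add_overflow(hold, 511, &rounded))
        return -1;
    blocks = rounded / 512;
    if (__builtin_add_overflow(optlen, PER_BLOCK_FIXED, &per_block))
        return -1;
    if (__builtin_mul_overflow(blocks, per_block, &extra))
        return -1;
    if (__builtin_add_overflow(hold, extra, &hold))
        return -1;                       /* a large-but-valid datalen fails here */
    return hold;
}

/* Allocate the send buffer only if both size computations are sound, which is
 * the check an option parser can run before any allocation happens. */
void *checked_outpack_alloc(const struct ping_rts *rts, size_t *size)
{
    *size = outpack_size(rts->datalen);
    if (*size == 0 || sockbuf_size_for(rts->datalen, rts->optlen) < 0)
        return NULL;
    return malloc(*size);
}

int main(void)
{
    /* Constructed sample values: ping's default 56-byte payload and the
     * -s value from the report. */
    struct ping_rts ok  = { 56, 0 };
    struct ping_rts bad = { INT_MAX, 0 };
    size_t sz;
    void *p;

    printf("datalen=%d -> socket buffer %d bytes\n", ok.datalen,
           sockbuf_size_for(ok.datalen, ok.optlen));
    printf("datalen=%d -> socket buffer %d (rejected)\n", bad.datalen,
           sockbuf_size_for(bad.datalen, bad.optlen));

    p = checked_outpack_alloc(&bad, &sz);
    printf("outpack for -s %d: %s\n", bad.datalen, p ? "allocated" : "refused");
    free(p);
    return 0;
}
```

The point of checking every step rather than only the final sum is visible in sockbuf_size_for: a value such as INT_MAX - 1000 survives the datalen + 8 addition and the 512-byte rounding, and only the final hold + extra addition overflows. Capping -s at INT_MAX in strtol_or_err therefore does not protect these expressions; the usable bound is whatever keeps both computations inside int, and that bound is best enforced in the argument parser.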
