CVS commit: [netbsd-7-0] src/sbin/ping

2017-05-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri May 12 05:21:43 UTC 2017

Modified Files:
src/sbin/ping [netbsd-7-0]: ping.c

Log Message:
Pull up following revision(s) (requested by ryo in ticket #1390):
sbin/ping/ping.c: revision 1.116
Fix cksum calculation for clearing the cached route.
In ping.c:r1.104, the size of the echo reply packet was changed to ICMP_MINLEN;
therefore the checksum must also be calculated over ICMP_MINLEN bytes.


To generate a diff of this commit:
cvs rdiff -u -r1.107.4.1.2.1 -r1.107.4.1.2.2 src/sbin/ping/ping.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sbin/ping/ping.c
diff -u src/sbin/ping/ping.c:1.107.4.1.2.1 src/sbin/ping/ping.c:1.107.4.1.2.2
--- src/sbin/ping/ping.c:1.107.4.1.2.1	Sun Dec 18 08:40:54 2016
+++ src/sbin/ping/ping.c	Fri May 12 05:21:43 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ping.c,v 1.107.4.1.2.1 2016/12/18 08:40:54 snj Exp $	*/
+/*	$NetBSD: ping.c,v 1.107.4.1.2.2 2017/05/12 05:21:43 snj Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -58,7 +58,7 @@
 
 #include 
 #ifndef lint
-__RCSID("$NetBSD: ping.c,v 1.107.4.1.2.1 2016/12/18 08:40:54 snj Exp $");
+__RCSID("$NetBSD: ping.c,v 1.107.4.1.2.2 2017/05/12 05:21:43 snj Exp $");
 #endif
 
 #include 
@@ -883,7 +883,7 @@ pinger(void)
 		opack_icmp.icmp_id = ~ident;
 		opack_icmp.icmp_cksum = 0;
 		opack_icmp.icmp_cksum = in_cksum((u_int16_t *)_icmp,
-		phdrlen);
+		ICMP_MINLEN);
 		sw = 0;
 		if (prog_setsockopt(sloop, IPPROTO_IP, IP_HDRINCL,
 			   (char *), sizeof(sw)) < 0)
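Review bot: The length passed to in_cksum() must equal the number of bytes sent for this route-clearing echo reply, and nothing at the call site records that, which is how the stale `phdrlen` survived the earlier size change. A comment above the call would keep the two in step, for example `/* echo reply is ICMP_MINLEN bytes (see r1.104); checksum exactly that many */`. The send call and the rest of pinger() are outside the hunk, so the sent length is taken from the log message rather than from visible code. A checksum over the wrong length would normally make the receiver discard the packet without any error on the sending side, so the mismatch is easy to miss.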



CVS commit: [netbsd-7-0] src/sbin/ping

2016-12-18 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Dec 18 08:40:54 UTC 2016

Modified Files:
src/sbin/ping [netbsd-7-0]: ping.c

Log Message:
Pull up following revision(s) (requested by dholland in ticket #1333):
sbin/ping/ping.c: revision 1.113
PR bin/36997 Zafer Aydogan: ping doesn't validate numeric inputs enough.
Check for values between INT_MAX and LONG_MAX (if they're different)
when using strtol to get an int. This applies to the -c and -l options;
the other uses were already checked.
Also limit the inter-packet interval given with -i to values that
don't cause integer overflow calling poll() with milliseconds.
Really large intervals (the number is read as floating point) can
produce positive poll() values but negative integers when converted to
struct timespec; this produces behavior akin to using -l at first and
could be construed as a local DoS vulnerability.


To generate a diff of this commit:
cvs rdiff -u -r1.107.4.1 -r1.107.4.1.2.1 src/sbin/ping/ping.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sbin/ping/ping.c
diff -u src/sbin/ping/ping.c:1.107.4.1 src/sbin/ping/ping.c:1.107.4.1.2.1
--- src/sbin/ping/ping.c:1.107.4.1	Tue Apr 14 05:26:20 2015
+++ src/sbin/ping/ping.c	Sun Dec 18 08:40:54 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: ping.c,v 1.107.4.1 2015/04/14 05:26:20 snj Exp $	*/
+/*	$NetBSD: ping.c,v 1.107.4.1.2.1 2016/12/18 08:40:54 snj Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -58,7 +58,7 @@
 
 #include 
 #ifndef lint
-__RCSID("$NetBSD: ping.c,v 1.107.4.1 2015/04/14 05:26:20 snj Exp $");
+__RCSID("$NetBSD: ping.c,v 1.107.4.1.2.1 2016/12/18 08:40:54 snj Exp $");
 #endif
 
 #include 
@@ -291,11 +291,17 @@ main(int argc, char *argv[])
 			compat = 1;
 			break;
 		case 'c':
-			npackets = strtol(optarg, , 0);
-			if (*p != '\0' || npackets <= 0)
+			l = strtol(optarg, , 0);
+			if (*p != '\0' || l <= 0)
 errx(EXIT_FAILURE,
 "Bad/invalid number of packets: %s",
 optarg);
+#if INT_MAX < LONG_MAX
+			if (l > INT_MAX)
+errx(EXIT_FAILURE,
+"Too many packets to count: %ld", l);
+#endif
+			npackets = l;
 			break;
 		case 'D':
 			pingflags |= F_DF;
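Review bot: The `-c` branch still accepts an out-of-range argument on platforms where INT_MAX equals LONG_MAX. The `l > INT_MAX` test is compiled out there, and strtol() signals overflow only by returning LONG_MAX with errno set to ERANGE, which is never checked. Setting `errno = 0;` before the call and extending the first test to `if (*p != '\0' || l <= 0 || errno == ERANGE)` rejects such input everywhere and leaves the `#if` block as it is. The `-l` branch in the next hunk has the same gap. The declaration of `l`, the include list and the start of main() are outside the hunk, so this assumes errno is already usable in the file.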
@@ -314,12 +320,27 @@ main(int argc, char *argv[])
 			if (*p != '\0' || interval <= 0)
 errx(EXIT_FAILURE, "Bad/invalid interval: %s",
 optarg);
+			/*
+			 * In order to avoid overflowing the microseconds
+			 * argument of poll() the interval must be less than
+			 * INT_MAX/1000. Limit it to one second less than
+			 * that to be safe.
+			 */
+			if (interval >= INT_MAX/1000.0 - 1.0)
+errx(EXIT_FAILURE,
+"Timing interval %g too large", interval);
 			break;
 		case 'l':
-			preload = strtol(optarg, , 0);
-			if (*p != '\0' || preload < 0)
+			l = strtol(optarg, , 0);
+			if (*p != '\0' || l < 0)
 errx(EXIT_FAILURE, "Bad/invalid preload value: "
 "%s", optarg);
+#if INT_MAX < LONG_MAX
+			if (l > INT_MAX)
+errx(EXIT_FAILURE,
+"Too many preload packets: %ld", l);
+#endif
+			preload = l;
 			break;
 		case 'n':
 			pingflags |= F_NUMERIC;
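Review bot: A not-a-number interval passes both range tests in the `-i` branch, because `interval <= 0` and `interval >= INT_MAX/1000.0 - 1.0` are each false for NaN. If the value is parsed with strtod() (the parse is above the hunk), the argument `nan` would be accepted and reach the timing code. Writing the new test as the negation of the accepted range closes this without a new include: `if (!(interval < INT_MAX/1000.0 - 1.0))`. Separately, the added comment says "microseconds argument of poll()", while the `INT_MAX/1000` bound and the log message both point to milliseconds, so it should read `the milliseconds argument of poll()`.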