|
OpenBSD 2.4: Buffer overflow in ping(8) |
|
|
|
Posted by LinuxSecurity.com Team
|
A buffer overflow existed in ping(8), which may have a security issue.
Apply by doing
cd /usr/src/sbin/ping
patch -p0 < ping.patch
And then rebuild ping
Index: ping.c
===================================================================
RCS file: /cvs/src/sbin/ping/ping.c,v
retrieving revision 1.35
retrieving revision 1.37
diff -u -r1.35 -r1.37
--- ping.c 1998/05/17 01:46:51 1.35
+++ ping.c 1999/02/23 20:04:37 1.37
@@ -47,7 +47,7 @@
#if 0
static char sccsid[] = "@(#)ping.c 8.1 (Berkeley) 6/5/93";
#else
-static char rcsid[] = "$OpenBSD: ping.c,v 1.35 1998/05/17 01:46:51 angelos Exp
$";
+static char rcsid[] = "$OpenBSD: ping.c,v 1.37 1999/02/23 20:04:37 kjell Exp
$";
#endif
#endif /* not lint */
@@ -99,7 +99,7 @@
#define DEFDATALEN (64 - 8) /* default data length
*/
#define MAXIPLEN 60
#define MAXICMPLEN 76
-#define MAXPACKET (65536 - 60 - 8) /* max packet size */
+#define MAXPAYLOAD (IP_MAXPACKET - MAXIPLEN - 8) /* max ICMP
payload size */
#define MAXWAIT_DEFAULT 10 /* secs to wait for
response */
#define NROUTES 9 /* number of record
route slots */
@@ -143,7 +143,7 @@
struct sockaddr_in whence; /* Which interface we come from */
int datalen = DEFDATALEN;
int s; /* socket file descriptor */
-u_char outpackhdr[MAXPACKET];
+u_char outpackhdr[IP_MAXPACKET]; /* Max packet size = 65535 */
u_char *outpack = outpackhdr+sizeof(struct ip);
char BSPACE = '\b'; /* characters written for flood */
char DOT = '.';
@@ -217,7 +217,7 @@
while ((ch = getopt(argc, argv, "DI:LRS:c
|
|
