OpenBSD 2.4: Buffer overflow in ping(8)
Posted by LinuxSecurity.com Team   
OpenBSD: A buffer overflow existed in ping(8), which may be a security issue.
Apply by doing
	cd /usr/src/sbin/ping
	patch -p0 < ping.patch

And then rebuild ping

Index: ping.c
===================================================================
RCS file: /cvs/src/sbin/ping/ping.c,v
retrieving revision 1.35
retrieving revision 1.37
diff -u -r1.35 -r1.37
--- ping.c	1998/05/17 01:46:51	1.35
+++ ping.c	1999/02/23 20:04:37	1.37
@@ -47,7 +47,7 @@
 #if 0
 static char sccsid[] = "@(#)ping.c	8.1 (Berkeley) 6/5/93";
 #else
-static char rcsid[] = "$OpenBSD: ping.c,v 1.35 1998/05/17 01:46:51 angelos Exp 
$";
+static char rcsid[] = "$OpenBSD: ping.c,v 1.37 1999/02/23 20:04:37 kjell Exp 
$";
 #endif
 #endif /* not lint */
 
@@ -99,7 +99,7 @@
 #define	DEFDATALEN	(64 - 8)		/* default data length 
*/
 #define	MAXIPLEN	60
 #define	MAXICMPLEN	76
-#define	MAXPACKET	(65536 - 60 - 8)	/* max packet size */
+#define	MAXPAYLOAD	(IP_MAXPACKET - MAXIPLEN - 8) /* max ICMP 
payload size */
 #define	MAXWAIT_DEFAULT	10			/* secs to wait for 
response */
 #define	NROUTES		9			/* number of record 
route slots */
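Review bot: The new `MAXPAYLOAD` definition still carries a bare `8` for the ICMP header length, next to the named `IP_MAXPACKET` and `MAXIPLEN`. If `<netinet/ip_icmp.h>` is already included (not visible in this hunk), `#define MAXPAYLOAD (IP_MAXPACKET - MAXIPLEN - ICMP_MINLEN)` makes the size arithmetic self-explanatory and keeps it tied to the header definition. Because the macro is renamed from `MAXPACKET`, every remaining use outside this hunk has to be switched over. Any place that compares a user-supplied length against it should be re-read to confirm it is bounding the payload and not the whole packet.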
 
@@ -143,7 +143,7 @@
 struct sockaddr_in whence;		/* Which interface we come from */
 int datalen = DEFDATALEN;
 int s;				/* socket file descriptor */
-u_char outpackhdr[MAXPACKET];
+u_char outpackhdr[IP_MAXPACKET]; /* Max packet size = 65535 */
 u_char *outpack = outpackhdr+sizeof(struct ip);
 char BSPACE = '\b';		/* characters written for flood */
 char DOT = '.';
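Review bot: The comment on `outpackhdr` states the size but not the invariant that keeps writes in bounds, which is the point of this fix. Since `outpack` starts `sizeof(struct ip)` bytes into the array, safety depends on `datalen` never exceeding `MAXPAYLOAD`. That check is presumably in the option parsing, which this hunk does not show. I would record the invariant at the declaration, e.g. `/* holds IP header + ICMP header + up to MAXPAYLOAD data; datalen must be range-checked against MAXPAYLOAD */`. I would also confirm that the check rejects negative values, as `datalen` is a signed `int`.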
@@ -217,7 +217,7 @@
 	while ((ch = getopt(argc, argv, "DI:LRS:c