HomeFreeBSD

ping: Fix handling of IP packet sizes

Description

ping: Fix handling of IP packet sizes

Ping reads raw IP packets to parse ICMP responses. When reading the
IP Header Len (IHL) ping was was taking the value from the provided
packet without any validation. This could lead to remotely triggerable
stack corruption.

Validate the IHL against expected and recieved data sizes when reading
from the received packet and when reading any quoted packets from within
the ICMP response.

Approved by: so, re (implicit)
Reviewed by: markj, asomers
Security: FreeBSD-SA-22:15.ping
Security: CVE-2022-23093
Sponsored by: NetApp, Inc.
Sponsored by: Klara, Inc.
X-NetApp-PR: #77
Differential Revision: https://reviews.freebsd.org/D37195

(cherry picked from commit 46d7b45a267b3d78c5054b210ff7b6c55bfca42b)
(cherry picked from commit 94395be05c14649cfc8e98551be9b2da8535637e)

Details

Provenance
thjAuthored on Nov 17 2022, 10:31 AM
gordonCommitted on Nov 29 2022, 11:17 PM
Reviewer
markj
Differential Revision
D37195: Remote stack corruption in ping (Embargoed)
Parents
rG84c657e5e14b: Add UPDATING entries and bump version
Branches
Unknown
Tags
Unknown