
[bug-inetutils] GNU ping local DoS bug


From: DownBload / Illegal Instruction Labs
Subject: [bug-inetutils] GNU ping local DoS bug
Date: Mon, 20 Oct 2003 14:32:34 +0200

Hi,

I was looking at the Inetutils-1.4.2 source, and I spotted a potential problem with GNU ping.
It is possible to force ping to allocate as much heap memory as we want.
No sanity check is done on the -s (packet size) option, so we can give 99999999 bytes as 'optarg' to the -s option. Ping will try to allocate 99999999 bytes (in fact, it will be limited to size_t), and that will result in a local DoS.

A complete local DoS can be done very trivially:
while :; do
/usr/local/bin/ping -s 99999999 localhost &
done


Other ping programs will do something like this:
if (packet_size > (65535 - IP_HDR - ICMP_HDR))
 exit (-1);
else
  ok();

What do you think?


source ping.c
------------------------------------------
...
90: size_t data_length = PING_DATALEN;
...

...
173:        case 's':
174:          data_length = atoi (optarg);
175:          break;
...

...
256: void
257: init_data_buffer (u_char *pat, int len)
258: {
259:   int i = 0;
260:   u_char *p;
261:
262:  if (data_length == 0)
263:    return;
264:  data_buffer = malloc (data_length);            // <- problem
265:  if (!data_buffer)
266:    {
267:      fprintf (stderr, "ping: out of memory\n");
268:      exit (1);
269:    }
...

------------------------------------------

Regards.

------------------------------------
DownBload / Illegal Instruction Labs
Security Research & Education
http://www.ii-labs.org
e-mail:downbload[at]hotmail.com

"Born under the lucky star magical,
 but on this earth generally tragical."
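
A bounds check of the kind the message describes for other ping programs, as an added example that is not part of the original post or of the inetutils source. The helper name parse_data_length and the header sizes (20-byte IPv4 header without options, 8-byte ICMP echo header) are assumptions; it also rejects negative input, which atoi() assigned to a size_t would turn into a huge length.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed header sizes: IPv4 header without options and ICMP echo header. */
#define IP_HDR_LEN    20
#define ICMP_HDR_LEN  8
#define MAX_IP_PACKET 65535
#define MAX_DATA_LEN  (MAX_IP_PACKET - IP_HDR_LEN - ICMP_HDR_LEN)

/* Hypothetical helper: parse the -s argument into *out.
   Returns 0 on success, -1 if the text is not a plain decimal number
   or the value does not fit in one IPv4 datagram. */
static int
parse_data_length (const char *arg, size_t *out)
{
  char *end;
  unsigned long val;

  /* strtoul accepts a leading '-' and wraps the result, and atoi into a
     size_t turns "-1" into SIZE_MAX, so require a digit up front. */
  if (arg == NULL || !isdigit ((unsigned char) arg[0]))
    return -1;

  errno = 0;
  val = strtoul (arg, &end, 10);
  if (errno == ERANGE || *end != '\0')
    return -1;                  /* overflow or trailing junk */
  if (val > MAX_DATA_LEN)
    return -1;                  /* larger than any IPv4 datagram payload */

  *out = (size_t) val;
  return 0;
}

int
main (int argc, char **argv)
{
  size_t data_length;

  if (argc != 2 || parse_data_length (argv[1], &data_length) != 0)
    {
      fprintf (stderr, "ping: invalid packet size (max %d)\n", MAX_DATA_LEN);
      return 1;
    }
  printf ("data_length = %lu\n", (unsigned long) data_length);
  return 0;
}
```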
