[Full-disclosure] [iputils] Integer overflow in iputils ping/ping6 tools



====[ Description ]====

An integer overflow was found in iputils/ping_common.c main_loop() function
which could lead to excessive CPU usage when triggered (could lead to DoS). This
means that both ping and ping6 are vulnerable.


====[ Proof-Of-Concept ]====

Specify "big" interval (-i option) for ping/ping6 tool:
{{{
$ ping -i 3600 google.com
PING google.com (173.194.66.102) 56(84) bytes of data.
64 bytes from we-in-f102.1e100.net (173.194.66.102): icmp_req=1 ttl=50 time=11.4 ms
[...]
}}}

And check your CPU usage (top, htop, etc.)


====[ Explanation ]====

Here, ping will loop in main_loop() loop in this section of code :
{{{
/* from iputils-s20101006 source */
/* ping_common.c */

546 void main_loop(int icmp_sock, __u8 *packet, int packlen)
547 {
[...]
559 for (;;) {
[...]
572 do {
573 next = pinger();
574 next = schedule_exit(next);
575 } while (next <= 0);
[...]
588 if ((options & (F_ADAPTIVE|F_FLOOD_POLL)) || next<SCHINT(interval)) {
[...]
593 if (1000*next <= 1000000/(int)HZ) {
}}}

If interval parameter (-i) is set, then condition L593 will overflow (ie. value
exceeding sizeof(signed integer)), making this statement "always true" for big
values (e.g. -i 3600). As a consequence, ping process will start looping
actively as long as condition is true (could be pretty long).

As far as looked, this bug is unlikely to be exploitable besides provoking
Denial-Of-Service.


====[ Affected versions ]====

Tested on Fedora/Debian/Gentoo Linux system (2.6.x x86_32 and x86_64) on iputils
version 20101006. ping6 seems also to be affected since it's relying on same
ping_common.c functions.

Since iputils is not maintained any longer
(http://www.spinics.net/lists/netdev/msg191346.html), patch must be applied from
source.


====[ Patch ]====
Quick'n dirty patch (full patch in appendix) is to cast test result as long long:
{{{
593 if (((long long)1000*next) <= (long long)1000000/(int)HZ) {
}}}


====[ Credits ]====
* Christophe Alladoum (HSC)
* Romain Coltel (HSC)


--
Christophe Alladoum - <christophe.alladoum@xxxxxx>
Hervé Schauer Consultants - <http://www.hsc.fr>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: [Full-disclosure] [iputils] Integer overflow in iputils ping/ping6 tools
    ... An integer overflow was found in iputils/ping_common.c main_loopfunction ... which could lead to excessive CPU usage when triggered. ... means that both ping and ping6 are vulnerable. ... Quick'n dirty patch is to cast test result as long long: ...
    (Full-Disclosure)
  • Re: [RFC] ipv4: add ICMP socket kind
    ... Vasiliy can include it in the next revision of the patch he posts. ... would consume somewhat more resources than just a piece of extra kernel ... I am about the fscaps drawbacks... ... needed for ping available as well. ...
    (Linux-Kernel)
  • Re: [GIT PULL] Samsung fixes for 2.6.37-rc4
    ... Do you think it's normal to force people to ping you for the same four ... it's at least not optimal and not good for kernel development process. ... four lines patch for 4 months. ... SW Solution Development Team, Samsung Electronics Co., Ltd. ...
    (Linux-Kernel)
  • [PATCH] SMACK netlabel fixes
    ... the following patch fixes a few issues in the smack/netlabel area: ... Some basics ping tests to '@' and other label combination seems ok ... - * sets of single label hosts. ... struct in_addr *liap; ...
    (Linux-Kernel)