[bug-inetutils] GNU ping local DoS bug
From: DownBload / Illegal Instruction Labs
Subject: [bug-inetutils] GNU ping local DoS bug
Date: Mon, 20 Oct 2003 14:32:34 +0200
Hi,
I was looking at the Inetutils-1.4.2 source, and I spotted a potential problem with
GNU ping.
It is possible to force ping to allocate as much heap memory as we want.
No sanity check is done with the -s (packet size) option, so we can give
99999999 bytes as 'optarg' to the -s option. Ping will try to allocate 99999999
bytes (in fact, it will be limited to size_t), and that will result in a
local DoS.
A complete local DoS can be done very trivially:
    while :; do
        /usr/local/bin/ping -s 99999999 localhost &
    done
Other ping programs will do something like this:
    if (packet_size > (65535 - IP_HDR - ICMP_HDR))
        exit (-1);
    else
        ok();
What do you think?
source ping.c
------------------------------------------
...
90: size_t data_length = PING_DATALEN;
...
...
173: case 's':
174: data_length = atoi (optarg);
175: break;
...
...
256: void
257: init_data_buffer (u_char *pat, int len)
258: {
259: int i = 0;
260: u_char *p;
261:
262: if (data_length == 0)
263: return;
264: data_buffer = malloc (data_length); // <- problem
265: if (!data_buffer)
266: {
267: fprintf (stderr, "ping: out of memory\n");
268: exit (1);
269: }
...
------------------------------------------
Regards.
------------------------------------
DownBload / Illegal Instruction Labs
Security Research & Education
http://www.ii-labs.org
e-mail:downbload[at]hotmail.com
"Born under the lucky star magical,
but on this earth generally tragical."
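
The bound the message describes (65535 minus the IP and ICMP headers), applied while parsing -s, as an added example that is not part of the original message or of the inetutils source. The helper names and the header sizes (20-byte IPv4 header without options, 8-byte ICMP header) are assumptions; the check goes slightly beyond the message by also rejecting negative and non-numeric input, which atoi() stored into a size_t does not.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed sizes: IPv4 header without options, ICMP echo header. */
#define IP_HDR_LEN   20
#define ICMP_HDR_LEN 8
#define MAX_DATA_LEN (65535 - IP_HDR_LEN - ICMP_HDR_LEN) /* 65507 */

/* Hypothetical helper: parse the argument of -s.
 * Returns 0 and stores the length in *out on success, -1 on any
 * malformed or out-of-range value (*out is left untouched). */
int parse_data_length(const char *arg, size_t *out)
{
    char *end;
    unsigned long v;

    /* strtoul() accepts a leading '-' and wraps the result,
       so require the first character to be a digit. */
    if (arg == NULL || !isdigit((unsigned char)arg[0]))
        return -1;

    errno = 0;
    v = strtoul(arg, &end, 10);
    if (errno == ERANGE || *end != '\0')  /* overflow or trailing junk */
        return -1;
    if (v > MAX_DATA_LEN)                 /* cannot fit in one IP packet */
        return -1;
    *out = (size_t)v;
    return 0;
}

/* The unchecked pattern from the excerpt: atoi()'s int becomes a size_t. */
size_t unchecked_data_length(const char *arg)
{
    return (size_t)atoi(arg);
}

int main(int argc, char **argv)
{
    size_t len;
    if (argc != 2 || parse_data_length(argv[1], &len) != 0) {
        fprintf(stderr, "ping: invalid packet size\n");
        return 1;
    }
    printf("data_length = %zu\n", len);
    return 0;
}
```

With this check in place the allocation request is bounded before malloc() is ever reached, so the out-of-memory branch is no longer the only guard.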