File iputils-CVE-2025-48964_01.patch of Package iputils.39312
From f1fe605d8b8783475c96c39084154991b00acc78 Mon Sep 17 00:00:00 2001
From: Petr Vorel <pvorel@suse.cz>
Date: Fri, 9 May 2025 11:07:02 +0200
Subject: [PATCH 1/2] ping: Fix integer overflow in large -s and -l values
Maximum of preload value (-l) is 65536, but due to multiplication with
packet size (-s) there can be integer overflow:
$ export CFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer"
$ meson setup ..
$ ninja && sudo ./ping/ping -c1 -l 65536 -s 30000 ::1
../ping_common.c:451:24: runtime error: signed integer overflow: 65536 * 46528 cannot be represented in type 'int'
PING ::1 (::1) 30000 data bytes
30008 bytes from ::1: icmp_seq=1 ttl=64 time=0.052 ms
Because setsockopt() requires int, instead of making hold and rcvbuf
variables bigger (long int) limit them to INT_MAX. This will often lead
to a warning that rcvbuf is not enough to hold preload, because on
current kernel 6.14 with an ICMP datagram socket the max. socket buffer
size is 425984, but it is probably better not to depend on this value.
After fix:
$ sudo ./ping/ping -c1 -l 65536 -s 30000 127.0.0.1
./ping/ping: WARNING: buffer size overflow, reduce packet size or preload
./ping/ping: WARNING: probably, rcvbuf is not enough to hold preload
PING 127.0.0.1 (127.0.0.1) 30000(30028) bytes of data.
30008 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.053 ms
Link: https://github.com/iputils/iputils/pull/585#pullrequestreview-2820034501
Closes: https://github.com/iputils/iputils/pull/586
Reported-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
Suggested-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
[ pvorel: backport of upstream f30f0e5397542a6ebf6bf1d5f6cd785637293393 to s20121221 ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
ping_common.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/ping_common.c b/ping_common.c
index c13ebc2..8ba3021 100644
--- a/ping_common.c
+++ b/ping_common.c
@@ -586,9 +586,18 @@ void sock_setbufs(int icmp_sock, int alloc)
sndbuf = alloc;
setsockopt(icmp_sock, SOL_SOCKET, SO_SNDBUF, (char *)&sndbuf, sizeof(sndbuf));
- rcvbuf = hold = alloc * preload;
+ if (alloc > INT_MAX / preload) {
+ fprintf(stderr, "WARNING: buffer size overflow, reduce packet size or preload\n");
+ hold = INT_MAX;
+ } else {
+ hold = alloc * preload;
+ }
+
+ rcvbuf = hold;
+
if (hold < 65536)
hold = 65536;
+
setsockopt(icmp_sock, SOL_SOCKET, SO_RCVBUF, (char *)&hold, sizeof(hold));
if (getsockopt(icmp_sock, SOL_SOCKET, SO_RCVBUF, (char *)&hold, &tmplen) == 0) {
if (hold < rcvbuf)
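Review bot: the new guard `if (alloc > INT_MAX / preload)` divides by `preload`, so it relies on `preload` never being 0 at this point; if option parsing does not already enforce a minimum of 1 for -l, add an explicit check (or a comment stating that guarantee) before the division, otherwise the overflow fix introduces a division-by-zero path. Also worth noting in the warning text: after the clamp `hold = INT_MAX` and `rcvbuf = hold`, the later `if (hold < rcvbuf)` comparison will almost always fire too (the kernel caps SO_RCVBUF well below INT_MAX), so the first warning is followed by the "rcvbuf is not enough to hold preload" warning every time, which matches the commit message but may be confusing to users without a hint that the two are related.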
--
2.49.0