File iputils-CVE-2025-48964_02.patch of Package iputils.39312

From 31e4242924c5cc8b8e19fe547a17e1b041fd41bb Mon Sep 17 00:00:00 2001
From: Cyril Hrubis <chrubis@suse.cz>
Date: Fri, 16 May 2025 17:57:10 +0200
Subject: [PATCH 2/2] ping: Fix moving average rtt calculation

The rts->rtt counts an exponential weight moving average in a fixed
point, that means that even if we limit the triptime to fit into a 32bit
number the average will overflow because because fixed point needs eight
more bits.

We also have to limit the triptime to 32bit number because otherwise the
moving average may stil overflow if we manage to produce a large enough
triptime.

Fixes: CVE-2025-48964
Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1243772
Closes: https://github.com/iputils/iputils-ghsa-25fr-jw29-74f9/pull/1
Reported-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Tested-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Cyril Hrubis <chrubis@suse.cz>
[ pvorel: backport of upstream afa36390394a6e0cceba03b52b59b6d41710608c to s20121221 ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 ping_common.c | 10 +++++-----
 ping_common.h |  4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/ping_common.c b/ping_common.c
index 8ba3021..28c456f 100644
--- a/ping_common.c
+++ b/ping_common.c
@@ -8,7 +8,7 @@ int options;
 int mark;
 int sndbuf;
 int ttl;
-int rtt;
+uint64_t rtt;
 int rtt_addend;
 __u16 acked;
 
@@ -430,7 +430,7 @@ int __schedule_exit(int next)
 
 static inline void update_interval(void)
 {
-	int est = rtt ? rtt/8 : interval*1000;
+	int est = rtt ? (int)(rtt / 8) : interval * 1000;
 
 	interval = (est+rtt_addend+500)/1000;
 	if (uid && interval < MINUSERINTERVAL)
@@ -912,7 +912,7 @@ restamp:
 			if (triptime > tmax)
 				tmax = triptime;
 			if (!rtt)
-				rtt = triptime*8;
+				rtt = ((uint64_t)triptime) * 8;
 			else
 				rtt += triptime-rtt/8;
 			if (options&F_ADAPTIVE)
@@ -1063,7 +1063,7 @@ void finish(void)
 	if (nreceived && (!interval || (options&(F_FLOOD|F_ADAPTIVE))) && ntransmitted > 1) {
 		int ipg = (1000000*(long long)tv.tv_sec+tv.tv_usec)/(ntransmitted-1);
 		printf("%sipg/ewma %d.%03d/%d.%03d ms",
-		       comma, ipg/1000, ipg%1000, rtt/8000, (rtt/8)%1000);
+		       comma, ipg/1000, ipg%1000, (int)rtt/8000, (int)((rtt/8)%1000));
 	}
 	putchar('\n');
 	exit(!nreceived || (deadline && nreceived < npackets));
@@ -1088,7 +1088,7 @@ void status(void)
 		fprintf(stderr, ", min/avg/ewma/max = %ld.%03ld/%lu.%03ld/%d.%03d/%ld.%03ld ms",
 		       (long)tmin/1000, (long)tmin%1000,
 		       tavg/1000, tavg%1000,
-		       rtt/8000, (rtt/8)%1000,
+		       (int)rtt/8000, (int)((rtt/8)%1000),
 		       (long)tmax/1000, (long)tmax%1000
 		       );
 	}
diff --git a/ping_common.h b/ping_common.h
index dac97b3..876b53a 100644
--- a/ping_common.h
+++ b/ping_common.h
@@ -44,7 +44,7 @@
 #define SCHINT(a)	(((a) <= MININTERVAL) ? MININTERVAL : (a))
 
 /* 1000001 = 1000000 tv_sec + 1 tv_usec */
-#define TV_SEC_MAX_VAL (LONG_MAX/1000001)
+#define TV_SEC_MAX_VAL (INT32_MAX/1000001)
 
 /* various options */
 extern int options;
@@ -163,7 +163,7 @@ extern long tmin;			/* minimum round trip time */
 extern long tmax;			/* maximum round trip time */
 extern long long tsum;			/* sum of all times, for doing average */
 extern long long tsum2;
-extern int rtt;
+extern uint64_t rtt;                   /* Exponential weight moving average calculated in fixed point */
 extern __u16 acked;
 extern int pipesize;
 
-- 
2.49.0