File iputils-CVE-2025-48964_02.patch of Package iputils.39313

From 53f1aef35bf914edd72478805baa8a6c20c1b2c2 Mon Sep 17 00:00:00 2001
From: Cyril Hrubis <metan@ucw.cz>
Date: Fri, 16 May 2025 17:57:10 +0200
Subject: [PATCH 2/2] ping: Fix moving average rtt calculation

The rts->rtt counts an exponential weight moving average in a fixed
point, that means that even if we limit the triptime to fit into a 32bit
number the average will overflow because fixed point needs eight
more bits.

We also have to limit the triptime to a 32bit number because otherwise the
moving average may still overflow if we manage to produce a large enough
triptime.

Fixes: GHSA-25fr-jw29-74f9
Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1243772
Reported-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Tested-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Cyril Hrubis <metan@ucw.cz>
[ pvorel: backport of upstream afa36390394a6e0cceba03b52b59b6d41710608c to s20161105 ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 ping.h        |  4 ++--
 ping_common.c | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/ping.h b/ping.h
index cf6fabb..e154003 100644
--- a/ping.h
+++ b/ping.h
@@ -70,7 +70,7 @@
 #define SCHINT(a)	(((a) <= MININTERVAL) ? MININTERVAL : (a))
 
 /* 1000001 = 1000000 tv_sec + 1 tv_usec */
-#define TV_SEC_MAX_VAL (LONG_MAX/1000001)
+#define TV_SEC_MAX_VAL (INT32_MAX/1000001)
 
 /* various options */
 extern int options;
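Review bot: The comment above `TV_SEC_MAX_VAL` still explains only the 1000001 divisor, not why the bound dropped from LONG_MAX to a 32-bit limit. I would add something like `/* capped at INT32_MAX so triptime in usec fits in 32 bits and the x8 fixed-point rtt fits in uint64_t */`. `INT32_MAX` here and `uint64_t` in the next ping.h hunk both need `<stdint.h>`, and no include is visible in either hunk, so confirm ping.h already pulls it in on every build configuration.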
@@ -187,7 +187,7 @@ extern long tmin;			/* minimum round trip time */
 extern long tmax;			/* maximum round trip time */
 extern long long tsum;			/* sum of all times, for doing average */
 extern long long tsum2;
-extern int rtt;
+extern uint64_t rtt;                   /* Exponential weight moving average calculated in fixed point */
 extern __u16 acked;
 extern int pipesize;
 
diff --git a/ping_common.c b/ping_common.c
index a01eb6e..aba7a8a 100644
--- a/ping_common.c
+++ b/ping_common.c
@@ -41,7 +41,7 @@ int options;
 int mark;
 int sndbuf;
 int ttl;
-int rtt;
+uint64_t rtt;
 int rtt_addend;
 __u16 acked;
 
@@ -312,7 +312,7 @@ int __schedule_exit(int next)
 
 static inline void update_interval(void)
 {
-	int est = rtt ? rtt/8 : interval*1000;
+	int est = rtt ? (int)(rtt / 8) : interval * 1000;
 
 	interval = (est+rtt_addend+500)/1000;
 	if (uid && interval < MINUSERINTERVAL)
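Review bot: The narrowing `(int)(rtt / 8)` in update_interval() is only safe while the averaged trip time stays below INT_MAX microseconds. That depends on the triptime clamp outside this hunk, and nothing here enforces or documents it. The following `est+rtt_addend+500` is also plain int arithmetic on that value. Keeping the estimate wide avoids relying on the invariant: `long long est = rtt ? (long long)(rtt / 8) : (long long)interval * 1000;`. The function body continues past the end of the hunk.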
@@ -803,7 +803,7 @@ restamp:
 			if (triptime > tmax)
 				tmax = triptime;
 			if (!rtt)
-				rtt = triptime*8;
+				rtt = ((uint64_t)triptime) * 8;
 			else
 				rtt += triptime-rtt/8;
 			if (options&F_ADAPTIVE)
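Review bot: The unchanged else branch `rtt += triptime-rtt/8;` now mixes `triptime` (presumably a signed type, declared outside the hunk) with the unsigned 64-bit `rtt`. Whenever a sample is below the current average the subtraction wraps, and the sum is correct only through modular arithmetic. That is well defined but fragile, and it gives a huge value if triptime is ever negative. Writing it as `rtt = rtt - rtt/8 + (uint64_t)triptime;` keeps every intermediate in range. Otherwise add a comment stating that triptime is non-negative at this point.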
@@ -954,7 +954,7 @@ void finish(void)
 	if (nreceived && (!interval || (options&(F_FLOOD|F_ADAPTIVE))) && ntransmitted > 1) {
 		int ipg = (1000000*(long long)tv.tv_sec+tv.tv_usec)/(ntransmitted-1);
 		printf("%sipg/ewma %d.%03d/%d.%03d ms",
-		       comma, ipg/1000, ipg%1000, rtt/8000, (rtt/8)%1000);
+		       comma, ipg/1000, ipg%1000, (int)rtt/8000, (int)((rtt/8)%1000));
 	}
 	putchar('\n');
 	exit(!nreceived || (deadline && nreceived < npackets));
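Review bot: In the printf in finish(), `(int)rtt/8000` applies the cast before the division, so the 64-bit fixed-point `rtt` is narrowed to int first and scaled afterwards. Once `rtt` exceeds INT_MAX the printed ewma milliseconds field is wrong, and that is the range this patch widens `rtt` to hold. Parenthesise the division the way the remainder argument already does: `(int)(rtt/8000), (int)((rtt/8)%1000)`. The fprintf in status(), in the last hunk of ping_common.c, has the same `(int)rtt/8000` and needs the same change. Both functions start outside their hunks.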
@@ -979,7 +979,7 @@ void status(void)
 		fprintf(stderr, ", min/avg/ewma/max = %ld.%03ld/%lu.%03ld/%d.%03d/%ld.%03ld ms",
 		       (long)tmin/1000, (long)tmin%1000,
 		       tavg/1000, tavg%1000,
-		       rtt/8000, (rtt/8)%1000,
+		       (int)rtt/8000, (int)((rtt/8)%1000),
 		       (long)tmax/1000, (long)tmax%1000
 		       );
 	}
-- 
2.49.0
