File iputils-CVE-2025-48964_01.patch of Package iputils.39313
From 973c8a603eab54e1e78257feb6e3a6e0edee136a Mon Sep 17 00:00:00 2001
From: Petr Vorel <pvorel@suse.cz>
Date: Fri, 9 May 2025 11:07:02 +0200
Subject: [PATCH 1/2] ping: Fix integer overflow in large -s and -l values
Maximum of preload value (-l) is 65536, but due to multiplication with
packet size (-s) there can be integer overflow:
$ export CFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer"
$ meson setup ..
$ ninja && sudo ./ping/ping -c1 -l 65536 -s 30000 ::1
../ping_common.c:451:24: runtime error: signed integer overflow: 65536 * 46528 cannot be represented in type 'int'
PING ::1 (::1) 30000 data bytes
30008 bytes from ::1: icmp_seq=1 ttl=64 time=0.052 ms
Because setsockopt() requires int, instead of making the hold and rcvbuf
variables bigger (long int), limit them to INT_MAX. This will often lead
to a warning that rcvbuf is not enough to hold preload, because on the
current kernel 6.14 with an ICMP datagram socket the max. socket buffer
size is 425984, but it is probably better not to depend on this value.
After fix:
$ sudo ./ping/ping -c1 -l 65536 -s 30000 127.0.0.1
./ping/ping: WARNING: buffer size overflow, reduce packet size or preload
./ping/ping: WARNING: probably, rcvbuf is not enough to hold preload
PING 127.0.0.1 (127.0.0.1) 30000(30028) bytes of data.
30008 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.053 ms
Link: https://github.com/iputils/iputils/pull/585#pullrequestreview-2820034501
Closes: https://github.com/iputils/iputils/pull/586
Reported-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
Suggested-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
[ pvorel: backport of upstream f30f0e5397542a6ebf6bf1d5f6cd785637293393 to s20161105 ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
ping_common.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/ping_common.c b/ping_common.c
index 4eac46a..a01eb6e 100644
--- a/ping_common.c
+++ b/ping_common.c
@@ -474,9 +474,18 @@ void sock_setbufs(socket_st *sock, int alloc)
sndbuf = alloc;
setsockopt(sock->fd, SOL_SOCKET, SO_SNDBUF, (char *)&sndbuf, sizeof(sndbuf));
- rcvbuf = hold = alloc * preload;
+ if (alloc > INT_MAX / preload) {
+ fprintf(stderr, "WARNING: buffer size overflow, reduce packet size or preload\n");
+ hold = INT_MAX;
+ } else {
+ hold = alloc * preload;
+ }
+
+ rcvbuf = hold;
+
if (hold < 65536)
hold = 65536;
+
setsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF, (char *)&hold, sizeof(hold));
if (getsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF, (char *)&hold, &tmplen) == 0) {
if (hold < rcvbuf)
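Review bot: the guard `if (alloc > INT_MAX / preload)` divides by preload, so it is only correct if preload is guaranteed to be at least 1 whenever sock_setbufs() runs; nothing in this hunk establishes that, so either confirm that the -l option parsing rejects 0 and negative values or add an explicit `preload > 0` check ahead of the division (a negative preload would also make the comparison meaningless while `alloc * preload` could still overflow, and the same assumption of a non-negative value is being made about alloc). Separately, when the overflow branch is taken both hold and rcvbuf are set to INT_MAX, so the `if (hold < rcvbuf)` check after getsockopt() will fire on every kernel whose socket buffer limit is below INT_MAX; that is the behaviour the commit message expects, but a one-line comment stating that INT_MAX is a deliberate sentinel the kernel is expected to clamp would keep the next reader from filing the pair of warnings as a regression.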
--
2.49.0