An integer overflow was found in the iputils/ping_common.c main_loop() function. This issue can lead to a denial of service condition.
bcacc8a29465d117a35c8296adb71bf234370fa89930a6345a30c4ab42c642d9====[ Description ]====
An integer overflow was found in iputils/ping_common.c main_loop() function
which could lead to excessive CPU usage when triggered (could lead to DoS). This
means that both ping and ping6 are vulnerable.
====[ Proof-Of-Concept ]====
Specify "big" interval (-i option) for ping/ping6 tool:
{{{
$ ping -i 3600 google.com
PING google.com (173.194.66.102) 56(84) bytes of data.
64 bytes from we-in-f102.1e100.net (173.194.66.102): icmp_req=1 ttl=50 time=11.4 ms
[...]
}}}
And check your CPU usage (top, htop, etc.)
====[ Explanation ]====
Here, ping will loop in main_loop() loop in this section of code :
{{{
/* from iputils-s20101006 source */
/* ping_common.c */
546 void main_loop(int icmp_sock, __u8 *packet, int packlen)
547 {
[...]
559 for (;;) {
[...]
572 do {
573 next = pinger();
574 next = schedule_exit(next);
575 } while (next <= 0);
[...]
588 if ((options & (F_ADAPTIVE|F_FLOOD_POLL)) || next<SCHINT(interval)) {
[...]
593 if (1000*next <= 1000000/(int)HZ) {
}}}
If interval parameter (-i) is set, then condition L593 will overflow (ie. value
exceeding sizeof(signed integer)), making this statement "always true" for big
values (e.g. -i 3600). As a consequence, ping process will start looping
actively as long as condition is true (could be pretty long).
As far as looked, this bug is unlikely to be exploitable besides provoking
Denial-Of-Service.
====[ Affected versions ]====
Tested on Fedora/Debian/Gentoo Linux system (2.6.x x86_32 and x86_64) on iputils
version 20101006. ping6 seems also to be affected since it's relying on same
ping_common.c functions.
Since iputils is not maintained any longer
(http://www.spinics.net/lists/netdev/msg191346.html), patch must be applied from
source.
====[ Patch ]====
Quick'n dirty patch (full patch in appendix) is to cast test result as long long:
{{{
593 if (((long long)1000*next) <= (long long)1000000/(int)HZ) {
}}}
====[ Credits ]====
* Christophe Alladoum (HSC)
* Romain Coltel (HSC)
--
Christophe Alladoum - <christophe.alladoum@hsc.fr>
Hervé Schauer Consultants - <http://www.hsc.fr>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed