From nobody Tue Nov 29 23:15:30 2022
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NMJ8z1qrnz4hpnW;
	Tue, 29 Nov 2022 23:15:31 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4NMJ8z1G9pz3wjf;
	Tue, 29 Nov 2022 23:15:31 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1669763731;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=b/ClDw1V4irbtYVmNtu2s+zt934Y18IkoT17XyYzr50=;
	b=cvU8HKToHMFpokr+7B09VIHnQ3OSb4PuI5b7E3LQWmqAJAD//BSNi7hp/MUjs/CnG8/POW
	u4BdZ3c7nLHt+MaDQfy42LNqidawahk3ILg4kxY0XMXs07sNpEENgYql5o2lgjqK8GcdOx
	tyGAb9ChP4C5PYx7sKiMu0KRbrhPUnH+Tvjzb5lCRlp4Te3Om1NVngp+wAsCyKcHAWgV99
	QqlJz3ZZY1LPOku/zi/m7TXoF3oEDvD5il4PN0Ggd/iR6dlqtdx2qmEn2IQ3bBgo30zOUz
	xdkUg090yslAWWT41RTTyxKAl/kNs/3Yh6WdALlyPz6Zk+4j0YmRFWHPuXGFgw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1669763731;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=b/ClDw1V4irbtYVmNtu2s+zt934Y18IkoT17XyYzr50=;
	b=sgAGjRPzSm/2ZaSGifPs3zqP+NamP4Ve2GX7WenTvMHUc1BY51WCdIi9ULKNLGOrRD8X2/
	GX+JuoNr1j0Ov3D05RfHj6xRVtwYLV0TxS0zywucZ00wrnvGvv82KzwU4qExw+SLx+wcac
	Rbg43Qjshs8DlUC4hszcrKy1GXybxhIrPA7nfDluDPNXLcVOUb0NwpF6W5RtXGFQQEeP6j
	wF5DWI8LE2lk2s9myoKxMnXQLo6UcroCRsUYfR5nX6asE0i1m9UC3XmN4aBu1hGZXCXfm7
	I0KQ+sgt+KgqxeOSve6P7ZbQ938dPoEKSla+AfsXfczqvx0Z1btpJ54SMTrcXw==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1669763731; a=rsa-sha256; cv=none;
	b=dhrY0qkG5Irrmi7eSj+omFMBXahicgp5cSYuSNlMlHSGVy1rFp6M9IcDe/eKfFxtBRG8sZ
	VWuJv1cfsM5CySx6TFoj++kmYLqpYZmnQ6b9c4GbOFfGY7guIFVdH7NXPH7kypOFEDrugu
	SOA9tGJdpInkYfLQsijD6PYShWaU064xyRe4YPNslrdUfreJibTA3rDWlEj58R3QT29Zji
	2hmWV1Vn2x99KmAPW0vCKTWuFGglpkfW1RofXrZGbJwL6DTFahTc0E3Pyqaa3NunSWNy+D
	qElUL7NkR4rOhndTXqCumaPzm7dvu398i0sJ8MRzPt2FcSMmD11wFEeK7uyaeQ==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4NMJ8z0JcYzZs5;
	Tue, 29 Nov 2022 23:15:31 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 2ATNFUEM027803;
	Tue, 29 Nov 2022 23:15:30 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 2ATNFUDv027802;
	Tue, 29 Nov 2022 23:15:30 GMT
	(envelope-from git)
Date: Tue, 29 Nov 2022 23:15:30 GMT
Message-Id: <202211292315.2ATNFUDv027802@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Gordon Tetlow <gordon@FreeBSD.org>
Subject: git: 66c7b53d9516 - releng/13.1 - ping: Fix handling of IP packet sizes
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-branches@freebsd.org
X-BeenThere: dev-commits-src-branches@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: gordon
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.1
X-Git-Reftype: branch
X-Git-Commit: 66c7b53d9516b10adc39861647fe6e179f0fa7a6
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch releng/13.1 has been updated by gordon:

URL: https://cgit.FreeBSD.org/src/commit/?id=66c7b53d9516b10adc39861647fe6e179f0fa7a6

commit 66c7b53d9516b10adc39861647fe6e179f0fa7a6
Author:     Tom Jones <thj@FreeBSD.org>
AuthorDate: 2022-11-17 10:31:38 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2022-11-29 23:00:43 +0000

    ping: Fix handling of IP packet sizes
    
    Ping reads raw IP packets to parse ICMP responses. When reading the
    IP Header Len (IHL) ping was was taking the value from the provided
    packet without any validation. This could lead to remotely triggerable
    stack corruption.
    
    Validate the IHL against expected and recieved data sizes when reading
    from the received packet and when reading any quoted packets from within
    the ICMP response.
    
    Approved by:    so
    Reviewed by:    markj, asomers
    Security:       FreeBSD-SA-22:15.ping
    Security:       CVE-2022-23093
    Sponsored by:   NetApp, Inc.
    Sponsored by:   Klara, Inc.
    X-NetApp-PR:    #77
    Differential Revision: https://reviews.freebsd.org/D37195
    
    (cherry picked from commit 46d7b45a267b3d78c5054b210ff7b6c55bfca42b)
    (cherry picked from commit 186f495d4be12a9184d2b11183c55b27b879765f)
---
 sbin/ping/ping.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 60 insertions(+), 9 deletions(-)

diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c
index be535f72146a..5de58505a276 100644
--- a/sbin/ping/ping.c
+++ b/sbin/ping/ping.c
@@ -952,6 +952,9 @@ ping(int argc, char *const *argv)
 				warn("recvmsg");
 				continue;
 			}
+			/* If we have a 0 byte read from recvfrom continue */
+			if (cc == 0)
+				continue;
 #ifdef SO_TIMESTAMP
 			if (cmsg != NULL &&
 			    cmsg->cmsg_level == SOL_SOCKET &&
@@ -1133,8 +1136,10 @@ pr_pack(char *buf, ssize_t cc, struct sockaddr_in *from, struct timespec *tv)
 	struct icmp icp;
 	struct ip ip;
 	const u_char *icmp_data_raw;
+	ssize_t icmp_data_raw_len;
 	double triptime;
-	int dupflag, hlen, i, j, recv_len;
+	int dupflag, i, j, recv_len;
+	uint8_t hlen;
 	uint16_t seq;
 	static int old_rrlen;
 	static char old_rr[MAX_IPOPTLEN];
@@ -1144,15 +1149,27 @@ pr_pack(char *buf, ssize_t cc, struct sockaddr_in *from, struct timespec *tv)
 	const u_char *oicmp_raw;
 
 	/*
-	 * Get size of IP header of the received packet. The
-	 * information is contained in the lower four bits of the
-	 * first byte.
+	 * Get size of IP header of the received packet.
+	 * The header length is contained in the lower four bits of the first
+	 * byte and represents the number of 4 byte octets the header takes up.
+	 *
+	 * The IHL minimum value is 5 (20 bytes) and its maximum value is 15
+	 * (60 bytes).
 	 */
 	memcpy(&l, buf, sizeof(l));
 	hlen = (l & 0x0f) << 2;
-	memcpy(&ip, buf, hlen);
 
-	/* Check the IP header */
+	/* Reject IP packets with a short header */
+	if (hlen < sizeof(struct ip)) {
+		if (options & F_VERBOSE)
+			warn("IHL too short (%d bytes) from %s", hlen,
+			     inet_ntoa(from->sin_addr));
+		return;
+	}
+
+	memcpy(&ip, buf, sizeof(struct ip));
+
+	/* Check packet has enough data to carry a valid ICMP header */
 	recv_len = cc;
 	if (cc < hlen + ICMP_MINLEN) {
 		if (options & F_VERBOSE)
@@ -1164,6 +1181,7 @@ pr_pack(char *buf, ssize_t cc, struct sockaddr_in *from, struct timespec *tv)
 #ifndef icmp_data
 	icmp_data_raw = buf + hlen + offsetof(struct icmp, icmp_ip);
 #else
+	icmp_data_raw_len = cc - (hlen + offsetof(struct icmp, icmp_data));
 	icmp_data_raw = buf + hlen + offsetof(struct icmp, icmp_data);
 #endif
 
@@ -1293,12 +1311,45 @@ pr_pack(char *buf, ssize_t cc, struct sockaddr_in *from, struct timespec *tv)
 		 * as root to avoid leaking information not normally
 		 * available to those not running as root.
 		 */
+
+		/*
+		 * If we don't have enough bytes for a quoted IP header and an
+		 * ICMP header then stop.
+		 */
+		if (icmp_data_raw_len <
+				(ssize_t)(sizeof(struct ip) + sizeof(struct icmp))) {
+			if (options & F_VERBOSE)
+				warnx("quoted data too short (%zd bytes) from %s",
+					icmp_data_raw_len, inet_ntoa(from->sin_addr));
+			return;
+		}
+
 		memcpy(&oip_header_len, icmp_data_raw, sizeof(oip_header_len));
 		oip_header_len = (oip_header_len & 0x0f) << 2;
-		memcpy(&oip, icmp_data_raw, oip_header_len);
+
+		/* Reject IP packets with a short header */
+		if (oip_header_len < sizeof(struct ip)) {
+			if (options & F_VERBOSE)
+				warnx("inner IHL too short (%d bytes) from %s",
+					oip_header_len, inet_ntoa(from->sin_addr));
+			return;
+		}
+
+		/*
+		 * Check against the actual IHL length, to protect against
+		 * quoated packets carrying IP options.
+		 */
+		if (icmp_data_raw_len <
+				(ssize_t)(oip_header_len + sizeof(struct icmp))) {
+			if (options & F_VERBOSE)
+				warnx("inner packet too short (%zd bytes) from %s",
+				     icmp_data_raw_len, inet_ntoa(from->sin_addr));
+			return;
+		}
+
+		memcpy(&oip, icmp_data_raw, sizeof(struct ip));
 		oicmp_raw = icmp_data_raw + oip_header_len;
-		memcpy(&oicmp, oicmp_raw, offsetof(struct icmp, icmp_id) +
-		    sizeof(oicmp.icmp_id));
+		memcpy(&oicmp, oicmp_raw, sizeof(struct icmp));
 
 		if (((options & F_VERBOSE) && uid == 0) ||
 		    (!(options & F_QUIET2) &&