l2ping(8) and -f switch

Mon Mar 28 00:12:58 UTC 2011

hi there,

i've just noticed the -f switch to l2ping(8) doesn't require super-user
privileges. wouldn't this allow a regular user to flood any bluetooth device
with massive ping requests?

thus i believe making the -f switch only accessable to super-users (in
accordance with ping(8)/ping6(8)) would increase security.

i've attached a patch which implements this functionality in addition to some
other minor corrections to the l2ping(8) C source and man page.

cheers.
alex

-- 
a13x
-------------- next part --------------

diff --git a/usr.sbin/bluetooth/l2ping/l2ping.8 b/usr.sbin/bluetooth/l2ping/l2ping.8
index 477f4ec..1b1d30b 100644
--- a/usr.sbin/bluetooth/l2ping/l2ping.8
+++ b/usr.sbin/bluetooth/l2ping/l2ping.8
@@ -25,7 +25,7 @@
 .\" $Id: l2ping.8,v 1.3 2003/05/21 01:00:19 max Exp $
 .\" $FreeBSD$
 .\"
-.Dd June 14, 2002
+.Dd March 28, 2011
 .Dt L2PING 8
 .Os
 .Sh NAME
@@ -36,7 +36,7 @@
 .Op Fl fhn
 .Fl a Ar remote
 .Op Fl c Ar count
-.Op Fl i Ar delay
+.Op Fl i Ar wait
 .Op Fl S Ar source
 .Op Fl s Ar size
 .Sh DESCRIPTION
@@ -65,6 +65,7 @@ will operate until interrupted.
 .It Fl f
 .Dq Flood
 ping, i.e., no delay between packets.
+Only the super-user may use this option.
 .It Fl h
 Display usage message and exit.
 .It Fl i Ar wait
@@ -109,7 +110,7 @@ Some implementations may not like large sizes and may hang or even crash.
 .Xr ng_l2cap 4 ,
 .Xr l2control 8
 .Sh AUTHORS
-.An Maksim Yevmenkin Aq m_evmenkin at yahoo.com
+.An Maksim Yevmenkin Aq emax at FreeBSD.org
 .Sh BUGS
 Could collect more statistic.
 Could check for duplicated, corrupted and lost packets.
diff --git a/usr.sbin/bluetooth/l2ping/l2ping.c b/usr.sbin/bluetooth/l2ping/l2ping.c
index d7e1b1e..2978afd 100644
--- a/usr.sbin/bluetooth/l2ping/l2ping.c
+++ b/usr.sbin/bluetooth/l2ping/l2ping.c
@@ -31,6 +31,7 @@
 
 #include <sys/ioctl.h>
 #include <sys/time.h>
+#include <sys/types.h>
 #include <arpa/inet.h>
 #include <netinet/in.h>
 #include <assert.h>
@@ -106,6 +107,8 @@ main(int argc, char *argv[])
 			break;
 
 		case 'f':
+			if (getuid())
+				errx(1, "Must be superuser to flood ping");
 			flood = 1;
 			break;
 
@@ -272,8 +275,8 @@ tv2msec(struct timeval const *tvp)
 static void
 usage(void)
 {
-	fprintf(stderr, "Usage: l2ping -a bd_addr " \
-		"[-S bd_addr -c count -i wait -n -s size -h]\n");
+	fprintf(stderr, "Usage: l2ping [-fhn] -a remote " \
+		"[-c count] [-i wait] [-S source] [-s size]\n");
 	fprintf(stderr, "Where:\n");
 	fprintf(stderr, "  -a remote  Specify remote device to ping\n");
 	fprintf(stderr, "  -c count   Number of packets to send\n");
