sys/shell/ping: fix ping packet size overflow #19927
Soft ACK, but a small formatting issue.
@@ -150,6 +150,12 @@ int gnrc_icmpv6_echo_send(const gnrc_netif_t *netif, const ipv6_addr_t *addr, | |||
ipv6_hdr_t *ipv6; | |||
uint8_t *databuf; | |||
|
|||
/* max IPv6 payload 65535 minus 8 bytes of icmp header = 65527 */ | |||
if (len > 65527) { |
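Review bot: The bound on the `if (len > 65527)` line is a literal that repeats the arithmetic from the comment above it, so it will not follow the header type if that ever changes. Write it as `UINT16_MAX - sizeof(icmpv6_hdr_t)`, and state the maximum `len` and what the function returns when the check fails in its API documentation, since callers outside the shell rely on this check.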
Ah and can you please use e.g. `UINT16_MAX - sizeof(icmpv6_hdr_t)` instead of the magic number, then you don't need the comment ;-).
Ok. Fixed. If this is not a problem I would like to leave this comment.
sys/shell/cmds/gnrc_icmpv6_echo.c
Outdated
data->datalen = atoi(argv[i]); | ||
value = atoi(argv[i]); | ||
|
||
if(value < 0 || value > 65527) { |
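Review bot: `value = atoi(argv[i])` cannot report a parse failure: non-numeric input yields 0, which passes the range check on the next line as a valid size, and the behaviour of `atoi` is undefined when the number does not fit in `int`. Consider `strtol` with an end-pointer and `errno` check before the `value < 0 || value > 65527` test. The `if(` on that line also lacks the space used after `if` elsewhere in the patch.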
Same here
0dcf20b to 8c7116e
Fixed and squashed.
a2a7560 to 1145a41
bors merge
🕐 Waiting for PR status (GitHub check) to be set, probably by CI. Bors will automatically try to run when all required PR statuses are set.
bors merge
19927: sys/shell/ping: fix ping packet size overflow r=miri64 a=krzysztof-cabaj

### Contribution description

In #19829 `@mchesser` pointed out an integer overflow in the `ping` command and API. This PR fixes this issue in two ways:

1) Add protection in the API.
2) Add protection in the user command.

### Testing procedure

Without this PR, passing a negative number to the `ping -s` option causes a segmentation fault, for example in the `example/gnrc_networking`:

```
> ping -s -7 ::1
ping -s -7 ::1
Segmentation fault
```

With this PR the user is shown an appropriate warning text:

```
> ping -s -7 ::1
ping -s -7 ::1
ICMPv6 datagram size should be in range <0, 65527>.
>
```

### Issues/PRs references

Issue #19829

Co-authored-by: krzysztof-cabaj <kcabaj@gmail.com>
Build failed:
bors merge
bors cancel
Canceled.
bors merge
bors cancel
Canceled.
I'm not sure what you did there, but your PR now adds +389,749 new lines of code. Please do a
sys/shell/cmds/gnrc_icmpv6_echo.c
Outdated
value = atoi(argv[i]); | ||
|
||
if ((value < 0) || ((unsigned)value > (UINT16_MAX - sizeof(icmpv6_hdr_t)))) { | ||
printf("ICMPv6 datagram size should be in range 0-65527.\n"); |
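Review bot: The message in the `printf` line hard-codes 65527 while the condition above it derives the limit from `UINT16_MAX - sizeof(icmpv6_hdr_t)`, so the two can drift apart if the header type changes. Format the limit from the same expression, or keep both in one named constant.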
tbh I don't think you need to check that twice. You already have that check in `gnrc_icmpv6_echo_send()`, no need to pre-check - you can just let `gnrc_icmpv6_echo_send()` return error.
Sending ICMP messages larger than 65527 bytes is not such a common use-case that we need special handling for it in the shell command.
There is nothing speaking against pre-checking if you want to have user-friendly error messages, IMHO. At least the `value < 0` should stay in any case, since `value` is `int`, but `len` is `size_t` (so unsigned). Casting could introduce some unexpected values here (especially if `size_t` is set to `uint16_t` by the architecture).
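The conversion hazard raised in the comment above, as an added example that is not part of the thread or of RIOT's code: with a 16-bit `size_t`, an unchecked `-9` wraps to exactly 65527 and passes the API-side bound, so the sign must be checked before the conversion. `ICMPV6_HDR_LEN`, `api_accepts_len16`, `to_len16_unchecked` and `parse_datalen` are hypothetical names, and the 16-bit `size_t` is modelled with `uint16_t`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: 8-byte ICMPv6 header (the PR's original comment); RIOT's
 * own code uses sizeof(icmpv6_hdr_t) instead of this constant. */
#define ICMPV6_HDR_LEN 8U
#define MAX_ECHO_DATA  (UINT16_MAX - ICMPV6_HDR_LEN) /* 65527 */

/* The API-side bound, applied to a length already converted to a 16-bit
 * unsigned type (models a platform whose size_t is uint16_t). */
static int api_accepts_len16(uint16_t len)
{
    return len <= MAX_ECHO_DATA;
}

/* What an unchecked int -> 16-bit size_t conversion does: wraps mod 65536. */
static uint16_t to_len16_unchecked(int value)
{
    return (uint16_t)value;
}

/* Hypothetical helper: strict parse of the -s argument. Rejects negative,
 * oversized, non-numeric and trailing-garbage input before any conversion
 * to an unsigned type. Returns 0 on success, -EINVAL otherwise. */
static int parse_datalen(const char *arg, size_t *out)
{
    char *end;
    errno = 0;
    long value = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || errno == ERANGE) {
        return -EINVAL;
    }
    if (value < 0 || value > (long)MAX_ECHO_DATA) {
        return -EINVAL;
    }
    *out = (size_t)value;
    return 0;
}

int main(void)
{
    size_t n = 0;
    uint16_t wrapped = to_len16_unchecked(-9); /* wraps into the valid range */
    printf("%u accepted=%d strict=%d\n", (unsigned)wrapped,
           api_accepts_len16(wrapped), parse_datalen("-9", &n));
    return 0;
}
```

The `-7` used in the thread wraps to 65529 and is caught by the bound; `-9` is not, which is why the upper-bound check in the API alone does not cover negative input on such a target.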
I agree that now I have two checks. The one in the API protects users who would like to send ICMP pings in their own code. The second check, as @miri64 writes, gives a more user-friendly warning. Instead, when the user gives a wrong size, they see only cryptic text:
```
All up, running the shell now
> ping -s -7 ::1
ping -s -7 ::1
error: -22
error: -22
error: -22
--- ::1 PING statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
>
```
A while ago I thought that I understood rebase ;)
de36035 to 838e62c
bors merge
🕐 Waiting for PR status (GitHub check) to be set, probably by CI. Bors will automatically try to run when all required PR statuses are set.
And now everything is corrected (I hope) - I missed one crucial commit, which saves ROM.
bors merge
Build succeeded! The publicly hosted instance of bors-ng is deprecated and will go away soon. If you want to self-host your own instance, instructions are here. If you want to switch to GitHub's built-in merge queue, visit their help page.
Thanks all for support ... and patience ;).
Thank you for your contribution and for fixing this