From proff@profane.iq.org  Sat Jan 25 10:21:51 1997
Received: from profane.iq.org (profane.iq.org [203.4.184.217])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA11314;
          Sat, 25 Jan 1997 10:21:47 -0800 (PST)
Received: (from proff@localhost)
          by profane.iq.org (8.8.4/8.8.2) id FAA13734;
          Sun, 26 Jan 1997 05:22:16 +1100 (EST)
Message-Id: <199701251822.FAA13734@profane.iq.org>
Date: Sun, 26 Jan 1997 05:22:16 +1100 (EST)
From: Julian Assange <proff@iq.org>
Reply-To: proff@iq.org
To: FreeBSD-gnats-submit@freebsd.org, dyson@freebsd.org
Subject: eliminate possible passive attack against ping(1)
X-Send-Pr-Version: 3.2

>Number:         2584
>Category:       bin
>Synopsis:       eliminate possible passive attack against ping(1)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    wollman
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 25 10:30:02 PST 1997
>Closed-Date:    Sat Mar 1 12:19:31 PST 1997
>Last-Modified:  Sat Mar  1 13:00:03 PST 1997
>Originator:     Julian Assange
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
>Environment:

	

>Description:


	

>How-To-Repeat:

	

>Fix:
	
	


--- src/sbin/ping/ping.c.orig	Sun Jan 26 05:12:34 1997
+++ src/sbin/ping/ping.c	Sun Jan 26 05:13:24 1997
@@ -305,7 +305,7 @@
 			exit(1);
 		}
 		to->sin_family = hp->h_addrtype;
-		bcopy(hp->h_addr, (caddr_t)&to->sin_addr, hp->h_length);
+		bcopy(hp->h_addr, (caddr_t)&to->sin_addr, MIN(hp->h_length, sizeof to->sin_addr));
 		(void)strncpy(hnamebuf, hp->h_name, sizeof(hnamebuf) - 1);
 		hostname = hnamebuf;
 	}
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: mpp 
Responsible-Changed-When: Sat Jan 25 23:14:01 PST 1997 
Responsible-Changed-Why:  
Misfiled PR. 

From: Warner Losh <imp@village.org>
To: freebsd-gnats-submit@freebsd.org, proff@iq.org
Cc:  Subject: Re: bin/2584: eliminate possible passive attack against ping(1)
Date: Thu, 13 Feb 1997 08:35:25 -0700

 If you can't trust your resolver, then you are likely going to have a
 lot of problems all over the system.
 
 This attack requires there to be a bug in the resolver in order to even
 have a chance of succeeding.  If that were the case, better to fix the
 resolver than to fix all places in the source tree where it returns
 data.
Responsible-Changed-From-To: freebsd-bugs->wollman 
Responsible-Changed-By: mpp 
Responsible-Changed-When: Sat Feb 22 22:07:05 PST 1997 
Responsible-Changed-Why:  
Garrett, will you evaulate this and determine if it should 
be considered a problem? 

From: Garrett Wollman <wollman@lcs.mit.edu>
To: Mike Pritchard <mpp@freefall.freebsd.org>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/2584
Date: Mon, 24 Feb 1997 10:18:15 -0500

 <<On Sun, 23 Feb 1997 10:57:37 -0800 (PST), Mike Pritchard <mpp@freefall.freebsd.org> said:
 
 > I would like you input on PR# 2584, however.  From some of the comments
 > in the audit trail, it seems like this is a non-problem, but I'm
 > not so sure.  E.g. How easy is it to spoof a resolver?
 
 > -		bcopy(hp->h_addr, (caddr_t)&to->sin_addr, hp->h_length);
 > +		bcopy(hp->h_addr, (caddr_t)&to->sin_addr, MIN(hp->h_length, sizeof to->sin_addr));
 
 Neither alternative is correct.  This should be written:
 
 	memcpy(&to->sin_addr, hp->h_addr_list[0], sizeof to->sin_addr);
 
 -GAWollman
 
 --
 Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
 wollman@lcs.mit.edu  | O Siem / The fires of freedom 
 Opinions not those of| Dance in the burning flame
 MIT, LCS, ANA, or NSA|                     - Susan Aglukark and Chad Irschick
State-Changed-From-To: open->closed 
State-Changed-By: wollman 
State-Changed-When: Sat Mar 1 12:19:31 PST 1997 
State-Changed-Why:  
This was not a problem in ping.c rev 1.16, and it is even more 
not a problem in rev. 1.17. 

From: Bill Fenner <fenner@parc.xerox.com>
To: freebsd-gnats-submit@freebsd.org, mpp@freebsd.org
Cc: freebsd-bugs@freebsd.org
Subject: Re: bin/2584
Date: Sat, 1 Mar 1997 12:52:18 PST

 Actually, I think I prefer
 
 	if (hp && hp->h_length == sizeof to->sin_addr) {
 		do DNS lookup succeeded stuff
 	} else {
 		do DNS lookup failed stuff
 	}
 
 since if you got back a response longer than you expect and you copy
 the first 4 bytes, you're likely to just have junk.  I'd rather it say
 "host not found" than "trying 58.16.99.128".
 
   Bill
>Unformatted:
