From barney@lab.databus.com  Sun Apr 13 11:20:40 2003
Return-Path: <barney@lab.databus.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D422E37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 13 Apr 2003 11:20:40 -0700 (PDT)
Received: from lab.databus.com (p72-186.acedsl.com [66.114.72.186])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1649F43F75
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 13 Apr 2003 11:20:40 -0700 (PDT)
	(envelope-from barney@lab.databus.com)
Received: from lab.databus.com (localhost [127.0.0.1])
	by lab.databus.com (8.12.9/8.12.9) with ESMTP id h3DIKdnO039110
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 13 Apr 2003 14:20:39 -0400 (EDT)
	(envelope-from barney@lab.databus.com)
Received: (from barney@localhost)
	by lab.databus.com (8.12.9/8.12.9/Submit) id h3DIKdhv039109;
	Sun, 13 Apr 2003 14:20:39 -0400 (EDT)
Message-Id: <200304131820.h3DIKdhv039109@lab.databus.com>
Date: Sun, 13 Apr 2003 14:20:39 -0400 (EDT)
From: User & <barney@lab.databus.com>
Reply-To: User & <barney@lab.databus.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ping checks too much data in return packet
X-Send-Pr-Version: 3.113
X-GNATS-Notify: ru

>Number:         50909
>Category:       bin
>Synopsis:       ping checks too much data in return packet
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    maxim
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 13 11:30:10 PDT 2003
>Closed-Date:    Mon Apr 14 01:35:17 PDT 2003
>Last-Modified:  Mon Apr 14 01:35:17 PDT 2003
>Originator:     Barney Wolff
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Databus Inc.
>Environment:
System: FreeBSD lab.databus.com 5.0-CURRENT FreeBSD 5.0-CURRENT #1: Fri Apr 11 18:00:56 EDT 2003 toor@lab.databus.com:/usr/obj/usr/src/sys/LAB i386

>Description:
	ping checks the data in the returned packet, expecting it to be equal
	to the data in the packet sent.  But it starts the check too early,
	checking the timestamp.  If the returned packet comes back after the
	next packet has already been sent (i.e., in the default case, after 1 sec)
	the check will fail.  ping should check only the constant data, which
	starts after the timestamp.

	I'd also point out that the cc != 0 check is bad style, if probably
	not dangerous in this case.  cc > 0 protects against off-by-one errors.
	cc-- is also bad style.
>How-To-Repeat:
	ping anywhere with rtt over 1 sec.
>Fix:

Index: ping.c
===================================================================
RCS file: /home/ncvs/src/sbin/ping/ping.c,v
retrieving revision 1.95
diff -u -r1.95 ping.c
--- ping.c	7 Apr 2003 12:05:50 -0000	1.95
+++ ping.c	13 Apr 2003 18:07:02 -0000
@@ -1012,8 +1012,14 @@
 			cp = (u_char*)&icp->icmp_data[phdr_len];
 			dp = &outpack[MINICMPLEN + phdr_len];
 			cc -= ICMP_MINLEN + phdr_len;
-			for (i = phdr_len; i < datalen && cc != 0;
-			     ++i, ++cp, ++dp, cc--) {
+			i = phdr_len;
+			if (timing) {	/* don't check variable timestamp */
+				cp += TIMEVAL_LEN;
+				dp += TIMEVAL_LEN;
+				cc -= TIMEVAL_LEN;
+				i  += TIMEVAL_LEN;
+			}
+			for ( ; i < datalen && cc > 0; ++i, ++cp, ++dp, --cc) {
 				if (*cp != *dp) {
 	(void)printf("\nwrong data byte #%d should be 0x%x but was 0x%x",
 	    i, *dp, *cp);
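Review bot: the new `cc -= TIMEVAL_LEN` inside `if (timing)` can drive `cc` below zero when the echoed packet carries fewer data bytes than a full timestamp, and the only thing that then stops the comparison from walking past the received data is the simultaneous change of the loop test from `cc != 0` to `cc > 0`; that guard works only if `cc` is a signed type, so a one-line comment on the `for` tying the two changes together (and a `cc < 0` short-circuit before the loop if `cc` is ever unsigned) would keep a future cleanup from reverting one without the other.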

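To make the Description concrete, here is an added C model of the data comparison, not ping.c's own code; it reproduces the patched loop so that timing on is the fixed check and timing off is the pre-patch check. TIMEVAL_LEN, DATALEN, the timestamp bytes and the filler pattern are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

#define TIMEVAL_LEN 8   /* assumed size of the timestamp ping stores in the data */
#define DATALEN    56   /* ping's default data length */

/*
 * The patched data check. sent/recv point at the ICMP data area and cc is
 * the number of data bytes actually received. Returns the index of the
 * first differing byte, or -1. With timing on the timestamp is skipped,
 * because ping rewrites it for every probe; timing off is the old check.
 */
static int check_reply(const uint8_t *sent, const uint8_t *recv,
                       int cc, int datalen, int phdr_len, int timing)
{
    const uint8_t *dp = sent + phdr_len, *cp = recv + phdr_len;
    int i = phdr_len;

    cc -= phdr_len;
    if (timing) {                   /* don't check variable timestamp */
        cp += TIMEVAL_LEN;
        dp += TIMEVAL_LEN;
        cc -= TIMEVAL_LEN;          /* goes negative on a truncated reply */
        i  += TIMEVAL_LEN;
    }
    /* cc > 0 (not cc != 0) is what stops the loop when cc went negative */
    for ( ; i < datalen && cc > 0; ++i, ++cp, ++dp, --cc)
        if (*cp != *dp)
            return i;
    return -1;
}

/* Constructed scenario from the PR: probe #1 is echoed only after probe #2
 * overwrote the timestamp in outpack. cc = data bytes the reply carried;
 * corrupt_at (-1 for none) flips one reply byte to model real corruption. */
static int late_reply_check(int timing, int cc, int corrupt_at)
{
    uint8_t outpack[DATALEN], reply[DATALEN];
    int k;

    memset(outpack, 0x11, TIMEVAL_LEN);        /* timestamp of probe #1 */
    for (k = TIMEVAL_LEN; k < DATALEN; k++)
        outpack[k] = (uint8_t)k;               /* filler ping sends */
    memcpy(reply, outpack, DATALEN);           /* the echo of probe #1 */
    if (corrupt_at >= 0)
        reply[corrupt_at] ^= 0xff;
    memset(outpack, 0x22, TIMEVAL_LEN);        /* probe #2 rewrote the stamp */
    return check_reply(outpack, reply, cc, DATALEN, 0, timing);
}
```

With timing off the late reply is reported as a mismatch at byte 0 (the stale timestamp); with timing on it passes, a corrupted filler byte is still reported, and a reply shorter than the timestamp is rejected without the loop reading past it.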
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->maxim 
Responsible-Changed-By: ru 
Responsible-Changed-When: Sun Apr 13 11:43:31 PDT 2003 
Responsible-Changed-Why:  
Maxim, seems the problem was introduced in rev. 1.90. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=50909 

From: Maxim Konovalov <maxim@macomnet.ru>
To: User & <barney@lab.databus.com>
Cc: bug-followup@freebsd.org
Subject: Re: bin/50909: ping checks too much data in return packet
Date: Sun, 13 Apr 2003 23:34:08 +0400 (MSD)

 > Index: ping.c
 > ===================================================================
 > RCS file: /home/ncvs/src/sbin/ping/ping.c,v
 > retrieving revision 1.95
 > diff -u -r1.95 ping.c
 > --- ping.c	7 Apr 2003 12:05:50 -0000	1.95
 > +++ ping.c	13 Apr 2003 18:07:02 -0000
 > @@ -1012,8 +1012,14 @@
 >  			cp = (u_char*)&icp->icmp_data[phdr_len];
 >  			dp = &outpack[MINICMPLEN + phdr_len];
 >  			cc -= ICMP_MINLEN + phdr_len;
 > -			for (i = phdr_len; i < datalen && cc != 0;
 > -			     ++i, ++cp, ++dp, cc--) {
 > +			i = phdr_len;
 
 It should be
 			i = 0;
 shouldn't it?
 
 > +			if (timing) {	/* don't check variable timestamp */
 > +				cp += TIMEVAL_LEN;
 > +				dp += TIMEVAL_LEN;
 > +				cc -= TIMEVAL_LEN;
 > +				i  += TIMEVAL_LEN;
 > +			}
 > +			for ( ; i < datalen && cc > 0; ++i, ++cp, ++dp, --cc) {
 >  				if (*cp != *dp) {
 >  	(void)printf("\nwrong data byte #%d should be 0x%x but was 0x%x",
 >  	    i, *dp, *cp);
 
 -- 
 Maxim Konovalov, maxim@macomnet.ru, maxim@FreeBSD.org

From: Barney Wolff <barney@pit.databus.com>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: bug-followup@freebsd.org
Subject: Re: bin/50909: ping checks too much data in return packet
Date: Sun, 13 Apr 2003 17:26:28 -0400

 On Sun, Apr 13, 2003 at 11:34:08PM +0400, Maxim Konovalov wrote:
 > > Index: ping.c
 > > ===================================================================
 > > RCS file: /home/ncvs/src/sbin/ping/ping.c,v
 > > retrieving revision 1.95
 > > diff -u -r1.95 ping.c
 > > --- ping.c	7 Apr 2003 12:05:50 -0000	1.95
 > > +++ ping.c	13 Apr 2003 18:07:02 -0000
 > > @@ -1012,8 +1012,14 @@
 > >  			cp = (u_char*)&icp->icmp_data[phdr_len];
 > >  			dp = &outpack[MINICMPLEN + phdr_len];
 > >  			cc -= ICMP_MINLEN + phdr_len;
 > > -			for (i = phdr_len; i < datalen && cc != 0;
 > > -			     ++i, ++cp, ++dp, cc--) {
 > > +			i = phdr_len;
 > 
 > It should be
 > 			i = 0;
 > shouldn't it?
 
 phdr_len is 0 in the normal echo-request case.
 
 -- 
 Barney Wolff         http://www.databus.com/bwresume.pdf
 I'm available by contract or FT, in the NYC metro area or via the 'Net.

From: Maxim Konovalov <maxim@macomnet.ru>
To: Barney Wolff <barney@pit.databus.com>
Cc: bug-followup@freebsd.org
Subject: Re: bin/50909: ping checks too much data in return packet
Date: Mon, 14 Apr 2003 07:43:50 +0400 (MSD)

 On 17:26-0400, Apr 13, 2003, Barney Wolff wrote:
 
 > On Sun, Apr 13, 2003 at 11:34:08PM +0400, Maxim Konovalov wrote:
 > > > Index: ping.c
 > > > ===================================================================
 > > > RCS file: /home/ncvs/src/sbin/ping/ping.c,v
 > > > retrieving revision 1.95
 > > > diff -u -r1.95 ping.c
 > > > --- ping.c	7 Apr 2003 12:05:50 -0000	1.95
 > > > +++ ping.c	13 Apr 2003 18:07:02 -0000
 > > > @@ -1012,8 +1012,14 @@
 > > >  			cp = (u_char*)&icp->icmp_data[phdr_len];
 > > >  			dp = &outpack[MINICMPLEN + phdr_len];
 > > >  			cc -= ICMP_MINLEN + phdr_len;
 > > > -			for (i = phdr_len; i < datalen && cc != 0;
 > > > -			     ++i, ++cp, ++dp, cc--) {
 > > > +			i = phdr_len;
 > >
 > > It should be
 > > 			i = 0;
 > > shouldn't it?
 >
 > phdr_len is 0 in the normal echo-request case.
 
 and it isn't in MASKREQ and TSTAMP ones.
 
 -- 
 Maxim Konovalov, maxim@macomnet.ru, maxim@FreeBSD.org

From: Barney Wolff <barney@pit.databus.com>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: bug-followup@freebsd.org
Subject: Re: bin/50909: ping checks too much data in return packet
Date: Mon, 14 Apr 2003 00:26:29 -0400

 On Mon, Apr 14, 2003 at 07:43:50AM +0400, Maxim Konovalov wrote:
 > On 17:26-0400, Apr 13, 2003, Barney Wolff wrote:
 > 
 > > On Sun, Apr 13, 2003 at 11:34:08PM +0400, Maxim Konovalov wrote:
 > > > > Index: ping.c
 > > > > ===================================================================
 > > > > RCS file: /home/ncvs/src/sbin/ping/ping.c,v
 > > > > retrieving revision 1.95
 > > > > diff -u -r1.95 ping.c
 > > > > --- ping.c	7 Apr 2003 12:05:50 -0000	1.95
 > > > > +++ ping.c	13 Apr 2003 18:07:02 -0000
 > > > > @@ -1012,8 +1012,14 @@
 > > > >  			cp = (u_char*)&icp->icmp_data[phdr_len];
 > > > >  			dp = &outpack[MINICMPLEN + phdr_len];
 > > > >  			cc -= ICMP_MINLEN + phdr_len;
 > > > > -			for (i = phdr_len; i < datalen && cc != 0;
 > > > > -			     ++i, ++cp, ++dp, cc--) {
 > > > > +			i = phdr_len;
 > > >
 > > > It should be
 > > > 			i = 0;
 > > > shouldn't it?
 > >
 > > phdr_len is 0 in the normal echo-request case.
 > 
 > and it isn't in MASKREQ and TSTAMP ones.
 
 Yes, and I think that's appropriate.  The data to be checked is the filler
 that follows the timestamp.  If the header part is longer, the check
 should start further into the packet.  Just for laughs, I put in a test
 that the first filler byte is 08 and ran ping -M time.  Test passed.
 
 -- 
 Barney Wolff         http://www.databus.com/bwresume.pdf
 I'm available by contract or FT, in the NYC metro area or via the 'Net.
State-Changed-From-To: open->closed 
State-Changed-By: maxim 
State-Changed-When: Mon Apr 14 01:34:24 PDT 2003 
State-Changed-Why:  
Fixed in rev. 1.96 src/sbin/ping/ping.c, thank you! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=50909 
>Unformatted:
