1. Allocate the max packet size before accounting for phdrlen, harmless.

2. In the clear-route-cache sendto, don't send 0 bytes (if -s was specified with < 8, phdrlen would be 0). 3. Always send ICMP_MINLEN packets; this is what everyone else does. Makes ping -s n where n < 8 work. 4. The condition for checking the data bytes was completely wrong. only check the data bytes if we got all of them. 5. The condition for printing a newline was wrong; before it would not print a newline before printing the data bytes, and it would append to the previous error message.
2012-12-30 02:41:11 +00:00 · 2012-12-30 02:41:11 +00:00 · 0ec9e614e3
parent 0be3040a8f
commit 0ec9e614e3
1 changed files with 8 additions and 7 deletions
--- a/sbin/ping/ping.c
+++ b/sbin/ping/ping.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ping.c,v 1.103 2012/09/18 04:07:44 msaitoh Exp $	*/
+/*	$NetBSD: ping.c,v 1.104 2012/12/30 02:41:11 christos Exp $	*/

 /*
 * Copyright (c) 1989, 1993
@ -58,7 +58,7 @@

 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: ping.c,v 1.103 2012/09/18 04:07:44 msaitoh Exp $");
+__RCSID("$NetBSD: ping.c,v 1.104 2012/12/30 02:41:11 christos Exp $");
 #endif

 #include <stdio.h>
@ -467,8 +467,8 @@ main(int argc, char *argv[])
 		phdrlen = PHDR_LEN;
 	} else
 		phdrlen = 0;
-	datalen -= phdrlen;

+	datalen -= phdrlen;
 	packlen = datalen + 60 + 76;	/* MAXIP + MAXICMP */
 	if ((packet = malloc(packlen)) == NULL)
 		err(1, "Out of memory");
@ -857,7 +857,7 @@ pinger(void)
 			       (char *)&sw,sizeof(sw)) < 0)
 			err(1, "Can't turn off special IP header");
 		if (prog_sendto(sloop, (char *) &opack_icmp,
-			   phdrlen, MSG_DONTROUTE,
+			   ICMP_MINLEN, MSG_DONTROUTE,
 			   (struct sockaddr *)&loc_addr,
 			   sizeof(struct sockaddr_in)) < 0) {
 			/*
@ -887,7 +887,7 @@ pinger(void)
 	} else if (pingflags & F_TIMING64)
 		(void) memcpy(&opack_icmp.icmp_data[0], &now, sizeof(now));

-	cc = datalen + phdrlen;
+	cc = MAX(datalen, ICMP_MINLEN) + phdrlen;
 	opack_icmp.icmp_cksum = 0;
 	opack_icmp.icmp_cksum = in_cksum((u_int16_t *)&opack_icmp, cc);

@ -1096,7 +1096,8 @@ pr_pack(u_char *buf,
 			PR_PACK_SUB();

 		/* check the data */
-		if (datalen > phdrlen
+		if ((size_t)(tot_len - hlen) >
+		    offsetof(struct icmp, icmp_data) + datalen
 		    && !(pingflags & F_PING_RANDOM)
 		    && memcmp(icp->icmp_data + phdrlen,
 			    opack_icmp.icmp_data + phdrlen,
@ -1112,7 +1113,7 @@ pr_pack(u_char *buf,
 				     (u_char)opack_icmp.icmp_data[i],
 				     (u_char)icp->icmp_data[i]);
 			for (i = phdrlen; i < datalen; i++) {
-				if ((i % 16) == phdrlen)
+				if ((i % 16) == 0)
 					(void)printf("\n\t");
 				(void)printf("%2x ",(u_char)icp->icmp_data[i]);
 			}