path: root/debian/patches/0001-ping-CVE-2010-2529.patch
From d7ffe9ddf524b0ff13088b2685bd9cfde5e580f5 Mon Sep 17 00:00:00 2001
From: Mats Erik Andersson <gnu@gisladisker.se>
Date: Thu, 17 Jan 2013 10:34:55 +0100
Subject: [PATCH] ping: CVE-2010-2529

	CVE-2010-2529: Infinite loop.

	* ping/ping_echo.c (print_ip_opt) <IPOPT_RR>: Break loop
	if option is truncated or exhausted.

---

diff --git a/ping/ping_echo.c b/ping/ping_echo.c
index 634e178..e83ccff 100644
--- a/ping/ping_echo.c
+++ b/ping/ping_echo.c
@@ -499,7 +499,7 @@ print_ip_opt (struct ip *ip, int hlen)
 	  i = j;
 	i -= IPOPT_MINOFF;
 	if (i <= 0)
-	  continue;
+	  break;
 	if (i == old_rrlen
 	    && cp == (unsigned char *) (ip + 1) + 2
 	    && !memcmp ((char *) cp, old_rr, i) && !(options & OPT_FLOOD))
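Review bot: The new `break` on the `if (i <= 0)` path may not leave the option loop. The changelog entry tags this spot `<IPOPT_RR>`, which suggests a `case` label inside a `switch`; there `break` exits only the switch, and the enclosing loop's step then runs just as it did after `continue`. The loop and any switch around these lines are outside the hunk, so this needs checking against the full body of print_ip_opt, and a comment such as `/* leaves the switch; the for-step still advances cp and hlen */` (or whatever is actually true) would settle it for the next reader. Separately, nothing visible here bounds `i` against the remaining `hlen` before `memcmp` reads `i` bytes from `cp`. Unless an earlier line already does so, widening the guard to `if (i <= 0 || i > hlen) break;` would cover the truncated-option case the commit message mentions.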
-- 
1.8.1.1