[Expired for iputils (Ubuntu) because there has been no activity for 60
days.]
** Changed in: iputils (Ubuntu)
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to iputils in Ubuntu.
https://bugs.launchpad.net/bugs/1551020
Title:
IpUtils Ping can be in wait forever
Status in iputils package in Ubuntu:
Expired
Bug description:
Ping is using round trip time from previous incoming echo response
packet to determine max waittime for next packet, but the validation
of the value read from incoming echo response packet is poor. It only
checks for non-negative values.
To reproduce the Bug:
Step 1: Apply the following diff to the Ping command- (this simulates the
condition that triptime value read from incoming echo response was some
arbitrary large value)-
diff -r iputils/ping_common.c iputils_ping_hang_repro/ping_common.c
709c709,711
< triptime = tv->tv_sec * 1000000 + tv->tv_usec;
---
> /*SNAP: To repro Ping hang, set this value to some large long
value. Since this is read from */
> /* incoming echo reply and not validated for 0 or too
large, this will cause hang/long wait.
> /* triptime = tv->tv_sec * 1000000 + tv->tv_usec; */
> triptime = 1000123456789;
/tmp/diff.out (END)
Step 2: Run the following ping command targeted at a host that is at
first successfully replying to the Ping echo requests, but at some
point during the execution (before the last ping echo request) take
the target offline(to trigger the waittime). This will cause Ping to
set the waittime to tmax which is 2 X the max RTT which we just set to
a very large value.
sudo ./ping -c 10 -i 0.5 $TARGET_IP > /tmp/out.log
AS A RESULT,
1. The Ping will keep running for a few hundred years, no big deal. In
strace there will be a periodic recvmsg to check for response every
few ms, something like this-
Process 11373 attached - interrupt to quit
...
recvmsg(3, 0x7ffed06dc650, 0) = -1 EAGAIN (Resource temporarily
unavailable)
recvmsg(3, 0x7ffed06dc650, 0) = -1 EAGAIN (Resource temporarily
unavailable)
recvmsg(3, 0x7ffed06dc650, 0) = -1 EAGAIN (Resource temporarily
unavailable)
...
2. In the /proc/timer_list file I see a large value for the process' timer-
...
#14: <0000000000000000>, it_real_fn, S:01, hrtimer_start, ping/11373
# expires at 6114335555835413-6114335555835413 nsecs [in 2000179546163581 to
2000179546163581 nsecs]
...
So we can see that when a large timeval is read from the echo
response, it is not validated.
Possible causes for invalid timeval values could be:
Malicious destination, buggy OS, Malformed packets, interference with echo
response belonging to "traceroute" command but had the same ID and Seq No.
Impact-
Ping runs forever.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iputils/+bug/1551020/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
