[Touch-packages] [Bug 1551020] Re: IpUtils Ping can be in wait forever
Upstream bug: https://github.com/iputils/iputils/pull/67 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to iputils in Ubuntu. https://bugs.launchpad.net/bugs/1551020 Title: IpUtils Ping can be in wait forever Status in iputils package in Ubuntu: Expired Bug description: Ping is using round trip time from previous incoming echo response packet to determine max waittime for next packet, but the validation of the value read from incoming echo response packet is poor. It only checks for non-negative values. To reproduce the Bug: Step 1: Apply the following diff to the Ping command- (this simulates the condition that triptime value read from incoming echo response was some arbitrary large value)- diff -r iputils/ping_common.c iputils_ping_hang_repro/ping_common.c 709c709,711 < triptime = tv->tv_sec * 100 + tv->tv_usec; --- > /*SNAP: To repro Ping hang, set this value to some large long value. Since this is read from */ > /* incoming echo reply and not validated for 0 or too large, this will cause hang/long wait. > /* triptime = tv->tv_sec * 100 + tv->tv_usec; */ > triptime = 1000123456789; /tmp/diff.out (END) Step 2: Run the following ping command targeted at a host that is at first successfully replying to the Ping echo requests, but at some point during the execution (before the last ping echo request) take the target offline(to trigger the waittime). This will cause Ping to set the waittime to tmax which is 2 X the max RTT which we just set to a very large value. sudo ./ping -c 10 -i 0.5 $TARGET_IP > /tmp/out.log AS A RESULT, 1. The Ping will keep running for a few hundred years, no big deal. In strace there will be a periodic recvmsg to check for response every few ms, something like this- Process 11373 attached - interrupt to quit ... recvmsg(3, 0x7ffed06dc650, 0) = -1 EAGAIN (Resource temporarily unavailable) recvmsg(3, 0x7ffed06dc650, 0) = -1 EAGAIN (Resource temporarily unavailable) recvmsg(3, 0x7ffed06dc650, 0) = -1 EAGAIN (Resource temporarily unavailable) ... 2. In the /proc/timer_list file I see a large value for the process' timer- ... #14: <>, it_real_fn, S:01, hrtimer_start, ping/11373 # expires at 611433835413-611433835413 nsecs [in 2000179546163581 to 2000179546163581 nsecs] ... So we can see that when a large timeval is read from the echo response, it is not validated. Possible causes for invalid timeval values could be: Malicious destination, buggy OS, Malformed packets, interference with echo response belonging to "traceroute" command but had the same ID and Seq No. Impact- Ping runs forever. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/iputils/+bug/1551020/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1551020] Re: IpUtils Ping can be in wait forever
[Expired for iputils (Ubuntu) because there has been no activity for 60 days.] ** Changed in: iputils (Ubuntu) Status: Incomplete => Expired -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to iputils in Ubuntu. https://bugs.launchpad.net/bugs/1551020 Title: IpUtils Ping can be in wait forever Status in iputils package in Ubuntu: Expired Bug description: Ping is using round trip time from previous incoming echo response packet to determine max waittime for next packet, but the validation of the value read from incoming echo response packet is poor. It only checks for non-negative values. To reproduce the Bug: Step 1: Apply the following diff to the Ping command- (this simulates the condition that triptime value read from incoming echo response was some arbitrary large value)- diff -r iputils/ping_common.c iputils_ping_hang_repro/ping_common.c 709c709,711 < triptime = tv->tv_sec * 100 + tv->tv_usec; --- > /*SNAP: To repro Ping hang, set this value to some large long value. Since this is read from */ > /* incoming echo reply and not validated for 0 or too large, this will cause hang/long wait. > /* triptime = tv->tv_sec * 100 + tv->tv_usec; */ > triptime = 1000123456789; /tmp/diff.out (END) Step 2: Run the following ping command targeted at a host that is at first successfully replying to the Ping echo requests, but at some point during the execution (before the last ping echo request) take the target offline(to trigger the waittime). This will cause Ping to set the waittime to tmax which is 2 X the max RTT which we just set to a very large value. sudo ./ping -c 10 -i 0.5 $TARGET_IP > /tmp/out.log AS A RESULT, 1. The Ping will keep running for a few hundred years, no big deal. In strace there will be a periodic recvmsg to check for response every few ms, something like this- Process 11373 attached - interrupt to quit ... recvmsg(3, 0x7ffed06dc650, 0) = -1 EAGAIN (Resource temporarily unavailable) recvmsg(3, 0x7ffed06dc650, 0) = -1 EAGAIN (Resource temporarily unavailable) recvmsg(3, 0x7ffed06dc650, 0) = -1 EAGAIN (Resource temporarily unavailable) ... 2. In the /proc/timer_list file I see a large value for the process' timer- ... #14: <>, it_real_fn, S:01, hrtimer_start, ping/11373 # expires at 611433835413-611433835413 nsecs [in 2000179546163581 to 2000179546163581 nsecs] ... So we can see that when a large timeval is read from the echo response, it is not validated. Possible causes for invalid timeval values could be: Malicious destination, buggy OS, Malformed packets, interference with echo response belonging to "traceroute" command but had the same ID and Seq No. Impact- Ping runs forever. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/iputils/+bug/1551020/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1551020] Re: IpUtils Ping can be in wait forever
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to iputils in Ubuntu. https://bugs.launchpad.net/bugs/1551020 Title: IpUtils Ping can be in wait forever Status in iputils package in Ubuntu: Incomplete Bug description: Ping is using round trip time from previous incoming echo response packet to determine max waittime for next packet, but the validation of the value read from incoming echo response packet is poor. It only checks for non-negative values. To reproduce the Bug: Step 1: Apply the following diff to the Ping command- (this simulates the condition that triptime value read from incoming echo response was some arbitrary large value)- diff -r iputils/ping_common.c iputils_ping_hang_repro/ping_common.c 709c709,711 < triptime = tv->tv_sec * 100 + tv->tv_usec; --- > /*SNAP: To repro Ping hang, set this value to some large long value. Since this is read from */ > /* incoming echo reply and not validated for 0 or too large, this will cause hang/long wait. > /* triptime = tv->tv_sec * 100 + tv->tv_usec; */ > triptime = 1000123456789; /tmp/diff.out (END) Step 2: Run the following ping command targeted at a host that is at first successfully replying to the Ping echo requests, but at some point during the execution (before the last ping echo request) take the target offline(to trigger the waittime). This will cause Ping to set the waittime to tmax which is 2 X the max RTT which we just set to a very large value. sudo ./ping -c 10 -i 0.5 $TARGET_IP > /tmp/out.log AS A RESULT, 1. The Ping will keep running for a few hundred years, no big deal. In strace there will be a periodic recvmsg to check for response every few ms, something like this- Process 11373 attached - interrupt to quit ... recvmsg(3, 0x7ffed06dc650, 0) = -1 EAGAIN (Resource temporarily unavailable) recvmsg(3, 0x7ffed06dc650, 0) = -1 EAGAIN (Resource temporarily unavailable) recvmsg(3, 0x7ffed06dc650, 0) = -1 EAGAIN (Resource temporarily unavailable) ... 2. In the /proc/timer_list file I see a large value for the process' timer- ... #14: <>, it_real_fn, S:01, hrtimer_start, ping/11373 # expires at 611433835413-611433835413 nsecs [in 2000179546163581 to 2000179546163581 nsecs] ... So we can see that when a large timeval is read from the echo response, it is not validated. Possible causes for invalid timeval values could be: Malicious destination, buggy OS, Malformed packets, interference with echo response belonging to "traceroute" command but had the same ID and Seq No. Impact- Ping runs forever. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/iputils/+bug/1551020/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
