> You can reproduce with ping -s 0 host (it crashes if the packet size
> is less than 24).
>
> ===================================================================
> RCS file: /cvs/src/sbin/ping/ping.c,v
> retrieving revision 1.123
> diff -u -p -r1.123 ping.c
> --- ping.c 2 May 2015 18:03:37 -0000 1.123
> +++ ping.c 5 Aug 2015 08:40:22 -0000
> @@ -803,7 +803,7 @@ pr_pack(char *buf, int cc, struct sockad
> (void)printf(" (TRUNC!)");
> cp = (u_char *)&icp->icmp_data[sizeof(struct payload)];
> dp = &outpack[8 + sizeof(struct payload)];
> - if (!(options & F_PINGFILLED)) {
> + if (!(options & F_PINGFILLED) && datalen >
> sizeof(payload)) {
> chacha_ivsetup(&fill_stream, payload.mac);
> chacha_encrypt_bytes(&fill_stream, dp, dp,
> datalen - sizeof(payload));
>
Seems it should be >= sizeof(payload), also in the other place.
Index: ping.c
===================================================================
RCS file: /cvs/src/sbin/ping/ping.c,v
retrieving revision 1.123
diff -u -p -u -r1.123 ping.c
--- ping.c 2 May 2015 18:03:37 -0000 1.123
+++ ping.c 5 Aug 2015 12:40:51 -0000
@@ -651,7 +651,7 @@ pinger(void)
 memcpy(&outpack[8], &payload, sizeof(payload));
- if (!(options & F_PINGFILLED) && datalen > sizeof(payload)) {
+ if (!(options & F_PINGFILLED) && datalen >= sizeof(payload)) {
 u_int8_t *dp = &outpack[8 + sizeof(payload)];
 chacha_ivsetup(&fill_stream, payload.mac);
@@ -803,7 +803,7 @@ pr_pack(char *buf, int cc, struct sockad
 (void)printf(" (TRUNC!)");
 cp = (u_char *)&icp->icmp_data[sizeof(struct payload)];
 dp = &outpack[8 + sizeof(struct payload)];
- if (!(options & F_PINGFILLED)) {
+ if (!(options & F_PINGFILLED) && datalen >= sizeof(payload)) {
 chacha_ivsetup(&fill_stream, payload.mac);
 chacha_encrypt_bytes(&fill_stream, dp, dp,
 datalen - sizeof(payload));
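Review bot: Relaxing the pinger() guard from `>` to `>=` only admits the `datalen == sizeof(payload)` case, where `datalen - sizeof(payload)` is 0 and chacha_encrypt_bytes has no bytes to touch, so the two operators are equivalent here and the relaxation buys nothing. The case that matters is `datalen < sizeof(payload)`: the subtraction is evaluated in size_t, wraps to a huge length, and the keystream is written far past outpack, which is presumably the `ping -s 0` crash the quoted mail reports; either operator excludes it. Whatever form is kept, the sender-side guard and the one in pr_pack must stay identical, since pr_pack re-keys the same stream from payload.mac, presumably to regenerate the fill it checks the echo against. A one-line comment on the condition would spare the next reader the same analysis: `/* datalen < sizeof(payload) would wrap the fill length below; nothing to fill when equal */`. The body of pinger() continues outside the hunk.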
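Review bot: The new pr_pack condition spells the payload size as `sizeof(payload)` while the two lines directly above it, which compute cp and dp from the same quantity, use `sizeof(struct payload)`; the values are equal, but a reader now has to confirm that the global `payload` really is a `struct payload` to see that the guard and the pointer arithmetic agree. Use one spelling within the function, e.g. `if (!(options & F_PINGFILLED) && datalen >= sizeof(struct payload)) {`, or hoist it into a named local so both the guard and the `datalen - sizeof(payload)` length below refer to the same thing. pr_pack's body both starts and ends outside the hunk, so whether the later comparison of cp against dp is bounded by cc as well as datalen cannot be checked from here.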