diff options
| author | Holger Weiss <holger@zedat.fu-berlin.de> | 2026-06-30 16:20:12 +0200 |
|---|---|---|
| committer | Holger Weiss <holger@zedat.fu-berlin.de> | 2026-06-30 16:20:12 +0200 |
| commit | f732906649f8b6a5ee5636ece10d19e4519b790b (patch) | |
| tree | 9b54a22ac5bc32668c1cc7dbe2f4fbcfcb9fcf20 | |
| parent | a675995b19a6315f1b033a7c1ca980b5fbdc408d (diff) | |
| download | monitoring-plugins-f732906649f8b6a5ee5636ece10d19e4519b790b.tar.gz | |
check_icmp: Reject negative ICMP data length
The -b/--size handler checks the lower bound after casting the value to
unsigned long while checking the upper bound as a signed comparison. A
negative argument such as "-b -65536" therefore satisfies both checks.
The value is then truncated to an undersized icmp_data_size, which later
serves as the size of the ICMP send buffer, so building the packet
overflows that buffer.
Compare the size as a signed long against both bounds so negative values
are rejected.
Reported-by: Christopher Kreft <Email@ChristopherKreft.de>
| -rw-r--r-- | plugins-root/check_icmp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c index 8f5c1fe4..14e63c89 100644 --- a/plugins-root/check_icmp.c +++ b/plugins-root/check_icmp.c | |||
| @@ -411,7 +411,7 @@ check_icmp_config_wrapper process_arguments(int argc, char **argv) { | |||
| 411 | switch (arg) { | 411 | switch (arg) { |
| 412 | case 'b': { | 412 | case 'b': { |
| 413 | long size = strtol(optarg, NULL, 0); | 413 | long size = strtol(optarg, NULL, 0); |
| 414 | if ((unsigned long)size >= (sizeof(struct icmp) + sizeof(struct icmp_ping_data)) && | 414 | if (size >= (long)(sizeof(struct icmp) + sizeof(struct icmp_ping_data)) && |
| 415 | size < MAX_PING_DATA) { | 415 | size < MAX_PING_DATA) { |
| 416 | result.config.icmp_data_size = (unsigned short)size; | 416 | result.config.icmp_data_size = (unsigned short)size; |
| 417 | } else { | 417 | } else { |
