summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHolger Weiss <holger@zedat.fu-berlin.de>2026-06-30 16:20:12 +0200
committerHolger Weiss <holger@zedat.fu-berlin.de>2026-06-30 16:20:12 +0200
commitf732906649f8b6a5ee5636ece10d19e4519b790b (patch)
tree9b54a22ac5bc32668c1cc7dbe2f4fbcfcb9fcf20
parenta675995b19a6315f1b033a7c1ca980b5fbdc408d (diff)
downloadmonitoring-plugins-f732906649f8b6a5ee5636ece10d19e4519b790b.tar.gz
check_icmp: Reject negative ICMP data length
The -b/--size handler checks the lower bound after casting the value to unsigned long while checking the upper bound as a signed comparison. A negative argument such as "-b -65536" therefore satisfies both checks. The value is then truncated to an undersized icmp_data_size, which later serves as the size of the ICMP send buffer, so building the packet overflows that buffer. Compare the size as a signed long against both bounds so negative values are rejected. Reported-by: Christopher Kreft <Email@ChristopherKreft.de>
-rw-r--r--plugins-root/check_icmp.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c
index 8f5c1fe4..14e63c89 100644
--- a/plugins-root/check_icmp.c
+++ b/plugins-root/check_icmp.c
@@ -411,7 +411,7 @@ check_icmp_config_wrapper process_arguments(int argc, char **argv) {
411 switch (arg) { 411 switch (arg) {
412 case 'b': { 412 case 'b': {
413 long size = strtol(optarg, NULL, 0); 413 long size = strtol(optarg, NULL, 0);
414 if ((unsigned long)size >= (sizeof(struct icmp) + sizeof(struct icmp_ping_data)) && 414 if (size >= (long)(sizeof(struct icmp) + sizeof(struct icmp_ping_data)) &&
415 size < MAX_PING_DATA) { 415 size < MAX_PING_DATA) {
416 result.config.icmp_data_size = (unsigned short)size; 416 result.config.icmp_data_size = (unsigned short)size;
417 } else { 417 } else {