[Bug 1551020] Re: IpUtils Ping can be in wait forever

Andreas Hasenack 1551020 at bugs.launchpad.net
Wed Sep 14 12:54:37 UTC 2022


Upstream bug: https://github.com/iputils/iputils/pull/67

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to iputils in Ubuntu.
https://bugs.launchpad.net/bugs/1551020

Title:
  IpUtils Ping can be in wait forever

Status in iputils package in Ubuntu:
  Expired

Bug description:
  Ping is using round trip time from previous incoming echo response
  packet to determine max waittime for next packet, but the validation
  of the value read from incoming echo response packet is poor. It only
  checks for non-negative values.

  To reproduce the bug:
  Step 1: Apply the following diff to the Ping command (this simulates the condition that the triptime value read from the incoming echo response was some arbitrary large value):
  diff -r iputils/ping_common.c iputils_ping_hang_repro/ping_common.c
  709c709,711
  <               triptime = tv->tv_sec * 1000000 + tv->tv_usec;
  ---
  >               /*SNAP: To repro Ping hang, set this value to some large long value. Since this is read from */
  >               /*      incoming echo reply and not validated for 0 or too large, this will cause hang/long wait.
  >               /* triptime = tv->tv_sec * 1000000 + tv->tv_usec; */
  >               triptime = 1000123456789;
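Review bot: the second added comment line (the one beginning "/*      incoming echo reply") has no closing "*/", so the comment only terminates at the "*/" of the following line, and that line's leading "/*" sits inside an already open comment (GCC reports this under -Wcomment). Close the second line with "*/" or merge the three comment lines into one block. The range header "709c709,711" also announces three replacement lines while four ">" lines follow, so the header and the body of the diff disagree as pasted.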

  Step 2: Run the following ping command targeted at a host that is at
  first successfully replying to the Ping echo requests, but at some
  point during the execution (before the last ping echo request) take
  the target offline (to trigger the waittime).  This will cause Ping to
  set the waittime to tmax which is 2 X the max RTT which we just set to
  a very large value.

  sudo ./ping -c 10 -i 0.5 $TARGET_IP > /tmp/out.log

  
  AS A RESULT,

  1. The Ping will keep running for a few hundred years, no big deal. In
  strace there will be a periodic recvmsg to check for response every
  few ms, something like this-

  Process 11373 attached - interrupt to quit
  ...
  recvmsg(3, 0x7ffed06dc650, 0)           = -1 EAGAIN (Resource temporarily unavailable)
  recvmsg(3, 0x7ffed06dc650, 0)           = -1 EAGAIN (Resource temporarily unavailable)
  recvmsg(3, 0x7ffed06dc650, 0)           = -1 EAGAIN (Resource temporarily unavailable)
  ...

  2. In the /proc/timer_list file I see a large value for the process' timer-
  ...
   #14: <0000000000000000>, it_real_fn, S:01, hrtimer_start, ping/11373
   # expires at 6114335555835413-6114335555835413 nsecs [in 2000179546163581 to 2000179546163581 nsecs]
  ...

  So we can see that when a large timeval is read from the echo
  response, it is not validated.

  Possible causes for invalid timeval values could be:
  Malicious destination, buggy OS, malformed packets, or interference with an echo response that belonged to a "traceroute" command but had the same ID and Seq No.

  Impact-
  Ping runs forever.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iputils/+bug/1551020/+subscriptions
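
The validation gap described in the report, as an added example (not code from the bug report or from iputils): a round-trip time taken from an echoed timestamp is accepted only if it is non-negative and no larger than the time the process has been running, and the final wait is clamped. The function names and the MAX_WAIT_USEC ceiling are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed policy ceiling (not an iputils constant): never wait longer than this. */
#define MAX_WAIT_USEC (10 * 1000000LL)

/*
 * Accept a round-trip time computed from the timestamp echoed in a reply
 * only if it is non-negative AND no longer than the time this process has
 * been running: a reply cannot have been in flight before we started sending.
 */
int triptime_is_plausible(int64_t triptime_usec, int64_t elapsed_usec)
{
    return triptime_usec >= 0 && triptime_usec <= elapsed_usec;
}

/* Track the maximum RTT, ignoring implausible samples. Returns the new tmax. */
int64_t update_tmax(int64_t tmax_usec, int64_t triptime_usec, int64_t elapsed_usec)
{
    if (!triptime_is_plausible(triptime_usec, elapsed_usec))
        return tmax_usec;               /* drop the sample, keep the old maximum */
    return triptime_usec > tmax_usec ? triptime_usec : tmax_usec;
}

/* Final wait of 2 x tmax, as the report describes, clamped to the ceiling. */
int64_t final_wait_usec(int64_t tmax_usec)
{
    if (tmax_usec < 0)
        return 0;
    if (tmax_usec > MAX_WAIT_USEC / 2)  /* also avoids overflow in 2 * tmax */
        return MAX_WAIT_USEC;
    return 2 * tmax_usec;
}

int main(void)
{
    int64_t elapsed = 5 * 1000000LL;    /* constructed: 5 s since start */
    int64_t tmax = 0;

    tmax = update_tmax(tmax, 1500, elapsed);            /* normal reply */
    tmax = update_tmax(tmax, 1000123456789LL, elapsed); /* value from the repro diff */
    printf("tmax=%lld usec, final wait=%lld usec\n",
           (long long)tmax, (long long)final_wait_usec(tmax));
    return 0;
}
```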




More information about the foundations-bugs mailing list