check_icmp: Reject more than 65535 target hosts

The number of -H hosts is counted into an unsigned short, so supplying
more than 65535 hosts wraps the counter.  The subsequent calloc(3) then
allocates an undersized hosts array while the later parsing loop still
writes one entry per host, overflowing the heap buffer.  As
process_arguments() runs before we drop privileges via setuid(getuid()),
this happens while still running as root on setuid-root installs.

Guard both places where the counter is incremented and bail out with a
usage error once 65535 hosts are reached, rather than wrapping silently.

Reported-by: Christopher Kreft <Email@ChristopherKreft.de>
This commit is contained in:
Holger Weiss 2026-06-30 15:32:40 +02:00
parent 1c84da06be
commit c35c12e58d

View file

@ -361,6 +361,9 @@ check_icmp_config_wrapper process_arguments(int argc, char **argv) {
enforced_ai_family = AF_INET6;
break;
case 'H': {
if (result.config.number_of_hosts == USHRT_MAX) {
usage_va("Number of specified hosts exceeds %u", USHRT_MAX);
}
result.config.number_of_hosts++;
break;
}
@ -378,6 +381,9 @@ check_icmp_config_wrapper process_arguments(int argc, char **argv) {
char **tmp = &argv[optind];
while (*tmp) {
if (result.config.number_of_hosts == USHRT_MAX) {
usage_va("Number of specified hosts exceeds %u", USHRT_MAX);
}
result.config.number_of_hosts++;
tmp++;
}