authorimp <imp@FreeBSD.org>1998-04-01 00:32:18 +0000
committerimp <imp@FreeBSD.org>1998-04-01 00:32:18 +0000
commit64af92eaa57c6aeb1fed4ca6a1316114b6e07ffd (patch)
tree89d363998a6c040b02fc998b3074a680a680d569 /sbin/ping/ping.c
parent0b984010ad50c53381a5c56153acb2c2a6d637e2 (diff)
A fairly rare possible buffer overflow:
Theo fixed this and tqbf reported it.
Obtained from: OpenBSD
Diffstat (limited to 'sbin/ping/ping.c')
-rw-r--r--sbin/ping/ping.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c
index f98123d..c1f558e 100644
--- a/sbin/ping/ping.c
+++ b/sbin/ping/ping.c
@@ -45,7 +45,7 @@ static const char copyright[] =
static char sccsid[] = "@(#)ping.c 8.1 (Berkeley) 6/5/93";
*/
static const char rcsid[] =
- "$Id: ping.c,v 1.28 1997/08/11 04:33:07 fenner Exp $";
+ "$Id: ping.c,v 1.29 1997/12/24 00:59:02 imp Exp $";
#endif /* not lint */
/*
@@ -261,7 +261,6 @@ main(argc, argv)
errno = EPERM;
err(EX_NOPERM, "-l flag");
}
- options |= F_FLOOD;
preload = ultmp;
break;
case 'L':
@@ -787,9 +786,14 @@ pr_pack(buf, cc, from)
cp += i;
break;
}
- old_rrlen = i;
- bcopy((char *)cp, old_rr, i);
+ if (i < MAXIPOPTLEN) {
+ old_rrlen = i;
+ bcopy((char *)cp, old_rr, i);
+ } else
+ old_rrlen = 0;
+
(void)printf("\nRR: ");
+ j = 0;
for (;;) {
l = *++cp;
l = (l<<8) + *++cp;
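Review bot: The guard added before the `bcopy` tests `i < MAXIPOPTLEN`, but the loop guard added in the next hunk tests `j >= MAX_IPOPTLEN`. The two spellings differ, and the declaration of `old_rr` is outside this hunk, so the page does not show which constant matches the buffer's real size. Because this comparison is the only thing keeping the copy inside `old_rr`, I would tie it to the buffer itself, assuming `old_rr` is a true array: `if ((size_t)i <= sizeof(old_rr)) {`. Failing that, use one macro name in both hunks. The `else` arm is also unbraced while the `if` arm is braced; `} else {` / `old_rrlen = 0;` / `}` reads more safely. The body of pr_pack starts and ends outside the hunk.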
@@ -804,8 +808,13 @@ pr_pack(buf, cc, from)
}
hlen -= 4;
i -= 4;
+ j += 4;
if (i <= 0)
break;
+ if (j >= MAX_IPOPTLEN) {
+ (void) printf("\t(truncated route)");
+ break;
+ }
(void)putchar('\n');
}
break;
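Review bot: The new counter `j` is reset in the previous hunk and incremented here with no comment, so a reader cannot tell that it is a second, independent cap on how far `cp` may walk when the option's own length field `i` is larger than a legal IP option area. I would add above `j += 4;` something like `/* j = route bytes consumed; never trust the packet's length field beyond MAX_IPOPTLEN */`. Note also that the cap is tested only after the four `*++cp` reads at the top of the loop. Whether those reads stay inside the received header therefore depends on the `hlen` handling outside this hunk, which is worth confirming since `hlen` is decremented here but not tested.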