Remove copyright strings ifdef'd out

We've ifdef'd out the copyright strings for some time now. Go ahead and
remove the ifdefs. Plus whatever other detritis was left over from other
recent removals. These copyright strings are present in the comments and
are largely from CSRG's attempt at adding their copyright to every
binary file (which modern interpretations of the license doesn't
require).

Sponsored by: Netflix

sbin: Remove ancient SCCS tags.

Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixup to keep things compiling. All the common forms in the tree
were removed with a perl script.

Sponsored by: Netflix

ping: pr_iph() improvements

Very early on, the Src/Dst IP addresses were printed in hex notation
(%08x), which will always be 8-characters wide. It was later changed to
use a dot-decimal notation. Depending on the IP address length, the Src
and Dst headers may require a different padding. Use the source and
destination IP lengths as padding for the headers.

Also, print an Opts (options) header, if there are options present. It
has been abbreviated to Opts to match the length of the previous Data
header, removed in ef9e6dc7eebe9830511602904d3ef5218d964080.

Print the header info such that no trailing spaces are produced. As
some git workflows may automatically trim them, and make the tests fail
(see 25b86f8559c2e7076daff56933217e95cd4398d4).

Before

Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 f 00 007c 0001 0 0000 40 01 d868 192.0.2.1 192.0.2.2␣

After

Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 f 00 007c 0001 0 0000 40 01 d868 192.0.2.1 192.0.2.2

And with options:

Before

Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 f 00 007c 0001 0 0000 40 01 d868 192.0.2.1 192.0.2.2 01...

After

Vr HL TOS Len ID Flg off TTL Pro cks Src Dst Opts
4 f 00 007c 0001 0 0000 40 01 d868 192.0.2.1 192.0.2.2 01...

Reviewed by: markj
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/863
Differential Revision: https://reviews.freebsd.org/D39561

ping: Fix the spacing between the time stamp and cp/dp

When an echo reply packet is received, the data is compared with the
sent data. When a wrong byte is detected the command displays a report
with the differences.

The first row (the first 8-bytes of data after the ICMP header) should
include the time stamp (if data is at least 8-bytes), this value is not
taken into consideration for the comparison. The remaining rows
represent the data (padded pattern) received/sent, with each byte being
compared for differences.

Print the space before (not after), to add an extra space after cp:/dp:
for better readability when the first time stamp octet is not
zero-padded, and to remove trailing spaces in the output.

Before:
cp:99 0 0 c 1 5 c 0␣
ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd␣
...

After:
cp: 99 0 0 c 1 5 c 0
ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd
...

Reviewed by: markj
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/863
Differential Revision: https://reviews.freebsd.org/D39492

ping: Unify ping/ping6 statistics section

This is a first step towards a unification/simplification of ping/ping6
(internally). The end goal is to produce a standardized user-facing
output.

Before (ping6):

PING6(56=40+8+8 bytes) 2001:db8::1 --> 2001:db8::2
16 bytes from ::1, icmp_seq=0 hlim=64 time=0.168 ms
16 bytes from ::1, icmp_seq=1 hlim=64 time=0.068 ms

--- 2001:db8::2 ping6 statistics ---
round-trip min/avg/max/std-dev = 0.068/0.118/0.168/0.050 ms

After (ping6):

PING(56=40+8+8 bytes) 2001:db8::1 --> 2001:db8::2
16 bytes from ::1, icmp_seq=0 hlim=64 time=0.168 ms
16 bytes from ::1, icmp_seq=1 hlim=64 time=0.068 ms

--- 2001:db8::2 ping statistics ---
round-trip min/avg/max/stddev = 0.068/0.118/0.168/0.050 ms

This has the nice side-effect of adding units to SIGINFO's statistics,
as printing numbers without units may not be of much help. Also
mentions the fact that these times are round-trip.

Before (ping/ping6 SIGINFO):

2/2 packets received (100.0%) 0.068 min / 0.118 avg / 0.168 max

After (ping/ping6 SIGINFO):

--- <ipv4/ipv6 address> ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.068/0.118/0.168/0.050 ms

In the case of a SIGINFO, the output will be printed to stderr, for both
ping and ping6.

Reviewed by: markj
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/863
Differential Revision: https://reviews.freebsd.org/D39126

ping: Specify the sigaction(2) name

After a2a008880568eaeb87d8404b39627b83df851f34, specify the signal name.

Obtained from: Darwin
MFC after: 1 week
Reviewed by: asomers
Pull Request: https://github.com/freebsd/freebsd-src/pull/863
Differential Revision: https://reviews.freebsd.org/D38484

ping: Remove an extra new line character

This matches the behavior when an RR truncated route is printed.

Reviewed by: markj
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/863
Differential Revision: https://reviews.freebsd.org/D39485

ping: Avoid reporting NaNs

Avoid calculating the square root of negative zero, which can easily
happen on certain architectures when calculating the population standard
deviation with a sample size of one, e.g., 0.01 - (0.1 * 0.1) =
-0.000000.

Avoid returning a NaN by capping the minimum possible variance value to
zero (positive).

In the future, maybe skip reporting statistics at all for a single
sample.

Reported by: Jenkins
Reviewed by: asomers
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/863
Differential Revision: https://reviews.freebsd.org/D42114

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

ping: Fix an uninitialized variable

The variable oicmp, which holds the original ("quoted packet") ICMP
packet in a structured way, did not have a copy of the original ICMP
packet obtained from the raw data.

The code was accidentally removed in 20b41303140e. Bring it back.

Reported by: Coverity Scan, cy
Reviewed by: cy
CID: 1506960 (UNINIT)
Fixes: 20b41303140eee4dfb896558fb83600c5f013d39
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D39233

ping: Avoid reporting negative time statistics

Display a warning when the time goes back.

PR: 192417
Reviewed by: markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D38480

ping: Remove pr_retip()

Ping used to provide some sort of packet sniffing capabilities, this was
in an era where hubs were used and tcpdump wasn't invented.

pr_iph() is a function that prints the IP header of the packet.

pr_retip() is essentially a wrapper function to pr_iph(), that also
displays the source and destination ports of a TCP or UDP packet.

After ef9e6dc7eebe9830511602904d3ef5218d964080 some of this
functionality was almost removed, to only display packets sent by us
(26+ years ago).

At this point, reaching this code path was only possible by doctoring
the original packet.

After 46d7b45a267b3d78c5054b210ff7b6c55bfca42b this code path can never
be reached.

Remove the code.

Reviewed by: markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D38475

ping: Print the IP options of the original packet

When an ICMP packet contains an IP packet in its payload, and that
original IP packet contains options, these options were not displayed
accordingly in pr_iph().

pr_iph() is a function that prints the original "quoted packet" IP
header, with only an IP struct as an argument. The IP struct does not
contain IP options, and it is not guaranteed that the options will be
contiguous in memory to the IP struct after
d9cacf605e2ac0f704e1ce76357cbfbe6cb63d52.

Pass the raw ICMP data along with the IP struct, in order to print the
options, if any.

Reviewed by: markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D38469

ping: Avoid magic numbers

The sizeof(struct ip) is 20.
The sizeof(struct in_addr) is 4.

No functional change intended.

Reviewed by: asomers, markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D39125

ping: Remove ifndef icmp_data guards

Early versions of <netinet/ip_icmp.h> [1] did not have icmp_data
defined, but FreeBSD has always had. Remove these guards.

NetBSD [2] and OpenBSD [3] have already removed them.

[1]: https://www.tuhs.org/cgi-bin/utree.pl?file=4.2BSD/usr/src/sys/netinet/ip_icmp.h
[2]: https://github.com/NetBSD/src/commit/203dfd34867991fd002f747d74a96f26ae80d41c
[3]: https://github.com/openbsd/src/commit/d83449c83c03b86e72d642dc92bcea434310435a

Reviewed by: markj
MFC after: 1 week

ping: Fix the display of Flags/Fragment Offset

In the IP header, Flags + Fragment Offset is a 16-bit field.

Use ntohs() instead of ntohl(), otherwise the Flags/Fragment Offset
values may not display correctly.

Before (DF set)

Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 0001 0 0000 40 01 b6a4 192.0.2.1 192.0.2.2

After (DF set)

Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 0001 2 0000 40 01 b6a4 192.0.2.1 192.0.2.2

Reviewed by: markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D38479

ping: Fix unsigned integer underflow resuling in a ping -R segfault

ping -R (F_RROUTE) will loop at ping.c:1381 until it segfaults or
the unsigned int hlen happens to be less than the size of an IP header:

slippy$ ping -R 192.168.0.101
PING 192.168.0.101 (192.168.0.101): 56 data bytes
64 bytes from 192.168.0.101: icmp_seq=0 ttl=63 time=1.081 ms
RR: 192.168.0.1
192.168.0.101
192.168.0.101
10.1.1.254
10.1.1.91
unknown option bb
unknown option 32
unknown option 6
...
unknown option 96
unknown option 2d
Segmentation fault

The reason for this is while looping through loose source routing (LSRR)
and strict source routing (SSRR), hlen will become smaller than the IP
header. It may even become negative. This should terminate the loop.
However, when hlen is unsigned, an integer underflow occurs becoming a
large number causing the loop to continue virtually forever until hlen
is either by chance smaller than the lenghth of an IP header or it
segfaults.

Reviewed by: asomers
Fixes: 46d7b45a267b
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D38744

ping: Fix handling of IP packet sizes

Ping reads raw IP packets to parse ICMP responses. When reading the
IP Header Len (IHL) ping was was taking the value from the provided
packet without any validation. This could lead to remotely triggerable
stack corruption.

Validate the IHL against expected and recieved data sizes when reading
from the received packet and when reading any quoted packets from within
the ICMP response.

Approved by: so
Reviewed by: markj, asomers
Security: FreeBSD-SA-22:15.ping
Security: CVE-2022-23093
Sponsored by: NetApp, Inc.
Sponsored by: Klara, Inc.
X-NetApp-PR: #77
Differential Revision: https://reviews.freebsd.org/D37195

ping: Remove a vestigial notdef

It was once a function on 4.3BSD, pr_type() [1], used to convert an ICMP
"type" field to a printable string. In 4.4BSD it was superseded by
pr_icmph() [2].

NetBSD [3] and OpenBSD [4] have already removed it.

[1]: https://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD/usr/src/etc/ping.c
[2]: https://minnie.tuhs.org/cgi-bin/utree.pl?file=4.4BSD/usr/src/sbin/ping/ping.c
[3]: https://github.com/NetBSD/src/commit/203dfd34867991fd002f747d74a96f26ae80d41c
[4]: https://github.com/openbsd/src/commit/9bbbbbb75d24e3d166ddd0cb6cb4417b78561309

Reviewed by: markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D37247

ping: split the visual part of -f into a new option -.

After this, we'll be able to ping a host and not spam the terminal, and
no flooding will have to be involved. I've been doing this under Linux
as ping -fi1 host.

Reviewed by: rpokala, Pau Amma
Differential Revision: https://reviews.freebsd.org/D34882

ping: fix parsing of options including '4' and '6'

ping uses a two-pass option parser. The first pass determines whether
ipv4 or ipv6 is desired, and the second parses the rest of the options.
But the first pass wrongly detects a '4' or '6' in an option's value as
a request to use ipv6 or ipv6 respectively, for example in an invocation
like "ping -c6 1.2.3.4".

Fix this confusion by including all options in the first round of
parsing, but ignoring those unrelated to ipv4/ipv6 selection.

PR: 258048
Reported by: ghuckriede@blackberry.com
Submitted by: ghuckriede@blackberry.com
MFC after: 2 weeks
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D32344

Merge ping6 to ping

There is now a single ping binary, which chooses to use ICMP or ICMPv4
based on the -4 and -6 options, and the format of the address.

Submitted by: Ján Sučan <sucanjan@gmail.com>
Sponsored by: Google LLC (Google Summer of Code 2019)
MFC after: Never
Differential Revision: https://reviews.freebsd.org/D21377

ping(8): Improve parameter validation

- Use strtonum(3) to simplify bounds checking of numeric parameters.
- Fix bounds checking when filling out packet data in "sweep" mode.

PR: 239974, 239977, 239978
Reported by: Neeraj <neerajpal09@gmail.com>
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D25622

Make use of IP_VLAN_PCP setsockopt in ping and ping6.

In order to validate the proper marking and use of a different
ethernet priority class, add the new session-specific PCP
feature to the ping/ping6 utilities.

Reviewed by: mav, bcr
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D26627

ping(8): Check for integer truncation when handling the value for -s.

PR: 239976
Submitted by: Neeraj <neerajpal09@gmail.com>
MFC after: 1 week
Event: July 2020 Bugathon

ping, ping6: Use setitimer(2) instead of obsolete alarm(3)

Submitted by: Ján Sučan <sucanjan@gmail.com>
Differential Revision: https://reviews.freebsd.org/D22103

ping: Verify whether a datagram timestamp was actually received.

ping(8) uses SO_TIMESTAMP, which attaches a timestamp to each IP datagram at
the time it's received by the kernel. Except that occasionally it doesn't.
Add a check to see whether such a timestamp was actually set before trying
to read it. This fixes segfaults that can happen when the kernel doesn't
attach a timestamp.

The bug has always existed, but prior to r351461 it manifested as an
implausible round-trip-time, not a segfault.

Reported by: pho
MFC after: 3 days
MFC-With: 351461

ping: fix a string in an error message

MFC after: 3 days

ping: fix unaligned access to ancillary data

Use CMSG_FIRSTHDR rather than assume that an array is correctly aligned.
Fixes warnings on sparc64 and powerpcspe.

Submitted by: Ján Sučan <sucanjan@gmail.com>
MFH: 2 weeks
Sponsored by: Google LLC (Google Summer of Code 2019)
Differential Revision: https://reviews.freebsd.org/D21406

ping: Fix alignment errors

This fixes -Wcast-align errors when compiled with WARNS=6.

Submitted by: Ján Sučan <sucanjan@gmail.com>
MFC after: 2 weeks
Sponsored by: Google LLC (Google Summer of Code 2019)
Differential Revision: https://reviews.freebsd.org/D21327

ping: By default, don't reverse lookup IP addresses

ping's default is now not to attempt reverse DNS lookups. The -H flag will
enable them. This change is not quite a reversion of r351330. That change
made the happy path and error path do reverse lookups consistently; this
change changes the default for both paths.

Submitted by: Ján Sučan <sucanjan@gmail.com>
Discussed with: cem
MFC after: 2 weeks
MFC-With: 351330
Sponsored by: Google LLC (Google Summer of Code 2019)
Differential Revision: https://reviews.freebsd.org/D21364

ping: add -H option for enabling reverse DNS lookup

This is the reverse of the -n flag.

Submitted by: Ján Sučan <sucanjan@gmail.com>
Sponsored by: Google LLC (Google Summer of Code 2019)
Differential Revision: https://reviews.freebsd.org/D21356

ping: do reverse DNS lookup of the target address

When printing replies, ping will now attempt a reverse DNS lookup of the
target. That can be suppressed by using the "-n" option. Curiously, ping
has always done reverse lookups in certain error paths, but never in the
success path.

Submitted by: Ján Sučan <sucanjan@gmail.com>
MFC after: 2 weeks
Sponsored by: Google LLC (Google Summer of Code 2019)
Differential Revision: https://reviews.freebsd.org/D21351

Fix uninitialized variable warnings when MK_CASPER=no

Submitted by: Ján Sučan <sucanjan@gmail.com>
MFC after: 2 weeks
Sponsored by: Google, inc. (Google Summer of Code 2019)
Differential Revision: https://reviews.freebsd.org/D21322

ping: fix -Wformat-truncating warning with GCC

Increase buffer size for the string representation of n_time

ICMP timestamp is a 32-bit number. In pr_ntime(), number of minutes
and seconds is always 2 characters wide. Max. number of hours is 4
characters wide. The buffer size should be at least:

4 + 2 + 2 + 1 (':') + 1 (':') + 1 ('\0') = 11

Submitted by: Ján Sučan <sucanjan@gmail.com>
MFC after: 2 weeks
Sponsored by: Google, inc. (Google Summer of Code 2019)
Differential Revision: https://reviews.freebsd.org/D21325

ping: Move in_cksum() to a separate source file

This is a preparation step for adding ATF tests of in_cksum(), which has been
modified to operate on unaligned data. ping.o cannot be linked to the test
executable because both of them contain 'main' symbol.

Submitted by: Ján Sučan <sucanjan@gmail.com>
MFC after: 2 weeks
Sponsored by: Google, inc. (Google Summer of Code 2019)
Differential Revision: https://reviews.freebsd.org/D21288

ping: Make in_cksum() operate on u_char buffer

This fixes -Wcast-align errors for in_cksum() calls when compiled with
WARNS=6.

Submitted by: Ján Sučan <sucanjan@gmail.com>
MFC after: 2 weeks
Sponsored by: Google, inc. (Google Summer of Code 2019)
Differential Revision: https://reviews.freebsd.org/D21261

ping: fix triptime calculation after r350998

That revision changed the internal clock to the monotonic, but neglected to
change the datagram's timestamp source.

Reported by: Oliver Hartmann, Michael Butler
Reviewed by: Ján Sučan <sucanjan@gmail.com>, allanjude
MFC after: 2 weeks
MFC-With: r350998
Differential Revision: https://reviews.freebsd.org/D21258

ping: use the monotonic clock to measure durations

Submitted by: Ján Sučan <sucanjan@gmail.com>
MFC after: 2 weeks
Sponsored by: Google, inc. (Google Summer of Code 2019)
Differential Revision: https://reviews.freebsd.org/D21245

ping: fix data type of a variable for a packet sequence number

Submitted by: Ján Sučan <sucanjan@gmail.com>
MFC after: 2 weeks
Sponsored by: Google, inc. (Google Summer of Code 2019)
Differential Revision: https://reviews.freebsd.org/D21244

Use caph_enter_casper() in ping(8).

Reported by: oshogbo
MFC with: r341837
Sponsored by: The FreeBSD Foundation

Use Capsicum helpers in ping(8).

Also use caph_cache_catpages() to ensure that strerror() works when
run with kern.trap_enotcap=1.

Reviewed by: oshogbo
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D18514

ping(8): add space after "<=" as per style(9).

MFC after: 1 week
X-MFC-with: r341768

ping(8): remove needless comparision with LONG_MAX
after unsigned long ultmp changed to long ltmp in r340245.

MFC after: 1 week

libcasper: ange the name of limits in cap_dns so the intentions are obvious.

Reported by: pjd
MFC after: 3 weeks

ping(8): improve diagnostics in case of wrong arguments.

For example, in case of super-user:
$ sudo ping -s -64 127.0.0.1
PING 127.0.0.1 (127.0.0.1): -64 data bytes
ping: sendto: Invalid argument

For unprivileged user:
$ ping -s -64 127.0.0.1
ping: packet size too large: 18446744073709551552 > 56: Operation not permitted

Fix this by switching from strtoul() to strtol() for integer arguments
and adding explicit checks for negative values.

MFC after: 1 month

ping: simplify use of Casper

There is no need to check if capdns is NULL.
If we will build the system without casper all cap_gethostaddr will be
replaced by the standard functions.

General further adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.

We return a pointer when we are using cap_init() or cap_service_open()
function, so check if cap_chanel_t is NULL is not enough.
Casper with a normal libc will still fail in capability mote so let's not
enter capability mode without casper support when we need to resolve DNS.

Reviewed by: cem
Differential Revision: https://reviews.freebsd.org/D12823

Simplify ping sandbox.

We don't need to check if casper is present, this is done in the library itself.

Reviewed by: emaste, cem, ed
Differential Revision: https://reviews.freebsd.org/D8754

We use a few different ifdef's names to check if we are using Casper or not,
let's standardize this. Now we are always use WITH_CASPER name.

Discussed with: emaste@
MFC after: 1 month

Renumber copyright clause 4

Renumber cluase 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistance on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.

Submitted by: Jan Schaumann <jschauma@stevens.edu>
Pull Request: https://github.com/freebsd/freebsd/pull/96

Fix clang 4.0.0 warnings about taking the address of a packed member of
struct ip in ping(8):

sbin/ping/ping.c:1684:53: error: taking address of packed member
'ip_src' of class or structure 'ip' may result in an unaligned pointer
value [-Werror,-Waddress-of-packed-member]
(void)printf(" %s ", inet_ntoa(*(struct in_addr *)&ip->ip_src.s_addr));
^~~~~~~~~~~~~~~~~
sbin/ping/ping.c:1685:53: error: taking address of packed member
'ip_dst' of class or structure 'ip' may result in an unaligned pointer
value [-Werror,-Waddress-of-packed-member]
(void)printf(" %s ", inet_ntoa(*(struct in_addr *)&ip->ip_dst.s_addr));
^~~~~~~~~~~~~~~~~

MFC after: 3 days

Check for socket creation success before calling bind().

Reported by: Coverity
CID: 1194209

o Restore some good whitespace killed in the previous commit.

Spotted by: bjk

o Kill EoL whitespaces.

o No need to resolve a mask that we get with ICMP_MASKREPLY,
pass it directly to inet_ntoa(3).

Allow minimum and maximum sweep size be the same.

Submitted by: maxim

o Kill EoL whitespaces. No functional changes.

Convert casperd(8) daemon to the libcasper.
After calling the cap_init(3) function Casper will fork from it's original
process, using pdfork(2). Forking from a process has a lot of advantages:
1. We have the same cwd as the original process.
2. The same uid, gid and groups.
3. The same MAC labels.
4. The same descriptor table.
5. The same routing table.
6. The same umask.
7. The same cpuset(1).
From now services are also in form of libraries.
We also removed libcapsicum at all and converts existing program using Casper
to new architecture.

Discussed with: pjd, jonathan, ed, drysdale@google.com, emaste
Partially reviewed by: drysdale@google.com, bdrewery
Approved by: pjd (mentor)
Differential Revision: https://reviews.freebsd.org/D4277

Remove "capability mode sandbox enabled" messages.

These messages serve little purpose and break some consumers.

PR: 199855
Differential Revision: https://reviews.freebsd.org/D2440
Reviewed by: rwatson
Approved by: pjd
MFC after: 1 week
Sponsored by: DARPA, AFRL

After r270929 RAW IP code assumes that all IP fields are in network
byte order. Fix ping(8) to pass an IP header with converted ip_off
and ip_len fields, when IP_HDRINCL socket option used.

WARNS=3 and style fixes. No functionality change.

Update most userspace consumers of capability.h to use capsicum.h instead.

auditdistd is not updated as I will make the change upstream and then do a
vendor import sometime in the next week or two.

MFC after: 3 weeks

Protect ping(8) using Capsicum and Casper. This is protection against malicious
network packets that we parse and not against local users trying to gain root
access through ping's set-uid bit - this is handled by dropping privileges very
early in ping.

Submitted by: Mikhail <mp@lenta.ru>

Check the return error of set[ug]id. While this can never fail in the
current version of FreeBSD, this isn't guarenteed by the API. Custom
security modules, or future implementations of the setuid and setgid
may fail.

PR: bin/172289
PR: bin/172290
PR: bin/172291
Submittud by: Erik Cederstrand <erik@cederstrand.dk>
Discussed by: freebsd-security
Approved by: cperciva
MFC after: 1 week

Use timeclear() instead of home grown version.

MFC after: 2 weeks

A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.

Small style fixes:

- ANSIfy prototypes.
- Remove unneeded whitespace.
- Add const keyword to function where it can be used.

Create the altix project branch. The altix project will add support
for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting
is a two-module system, consisting of a base compute module and a
CPU expansion module. SGI's NUMAFlex architecture can be an excellent
platform to test CPU affinity and NUMA-aware features in FreeBSD.

- Import the HEAD csup code which is the basis for the cvsmode work.

Commit IPv6 support for FAST_IPSEC to the tree.
This commit includes all remaining changes for the time being including
user space updates.

Submitted by: bz
Approved by: re

Force the alignment of the chars arrays, as they are casted later to
structs.
gcc 4.2 doesn't do it by default, and that results in unaligned access on
arm.

Print packet loss figures with one decimal place. ping6 already does
this, and OpenBSD and NetBSD pings do it too. This is primarily useful
for comparing low levels of packet loss.

Add a new feature to ping(8) - possibility to specify maximum
wait time for a packet. This allows to:

- Count number of packets received before and after specified
time.
- Shorten time of execution of 'ping -c 1' scripts.

Submitted by: Lytochkin Boris <lytboris gmail.com>

Sync usage() with SYNOPSIS.

Implement a new feature for ping(8) - sweeping pings. In a sweeping
ping ICMP payload of packets being sent is increased with given step.
Sweeping pings are useful for testing problematic channels, MTU
issues or traffic policing functions in networks.

PR: bin/82625
Submitted by: Chris Hellberg <chellberg juniper.net> (with some cleanups)

o Store timestamp in network byte order.
o Remove an assumption sizeof(struct timeval) == 8 (this is not
true on sparc64).

Reviewed by: imp, -hackers
Obtained from: NetBSD (rev. 1.75)
MT5 after: 1 month

Avoid using void pointers in additive expressions.

PR: 56653

Remove advertising clause from University of California Regent's license,
per letter dated July 22, 1999.

Approved by: core, imp

Don't turn off the regular SIGINFO status information. The use of
the NOKERNINFO flag only marginally de-clutters the output and
has a number of unwanted side effects:
o The kernel info might be what you want to see
o ^T is left non-functional if ping is killed non-cleanly
o "ping -q foo &" gets suspended on tty output

Encouraged by: bde

Certain ICMP error replies cause ping to perform a reverse DNS
lookup on an IP address from the packet (such as the IP that sent
a TTL exceeded error). If the DNS lookup takes a long time, ^C will
appear to be ineffective since the SIGINT handler just sets a flag
and returns. Work around this by exiting immediately on receipt of
a second SIGINT when DNS lookups are enabled.

PR: bin/4696
MFC after: 1 week

o Rename local variables, do not shadow global declarations.

o Kill MINICMPLEN, there is ICMP_MINLEN already.

o Be ready to get a reply with length up to IP_MAXPACKET.
o Warn when recieved packet length is not equal to length of the
packet we sent out. Idea from NetBSD.
o Fit the dump of packet with wrong data to 80 columns (from NetBSD).

Comments from: bde

Fix SIGINFO handling: do not print incorrect timing statistics
when the data for it is not available.

Founded by: ping -s0 localhost; press ^T

Use __FBSDID() to quiet GCC 3.3 warnings.

o Skip timestamp part when checking payload.

PR: bin/50909
Submitted by: Barney Wolff <barney@lab.databus.com>

Deal with a case where the returned packed was smaller than the
transmitted packet (because the remote host stripped off our icmp_data).

Submitted by: Maxim Konovalov <maxim@macomnet.ru>

Back out support for RFC3514.

RFC3514 poses an unacceptale risk to compliant systems.

IP_EVIL -> IP_EF

Implement support for RFC 3514 (The Security Flag in the IPv4 Header).
(See: ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt)

This fulfills the host requirements for userland support by
way of the setsockopt() IP_EVIL_INTENT message.

There are three sysctl tunables provided to govern system behavior.

net.inet.ip.rfc3514:

Enables support for rfc3514. As this is an
Informational RFC and support is not yet widespread
this option is disabled by default.

net.inet.ip.hear_no_evil

If set the host will discard all received evil packets.

net.inet.ip.speak_no_evil

If set the host will discard all transmitted evil packets.

The IP statistics counter 'ips_evil' (available via 'netstat') provides
information on the number of 'evil' packets recieved.

For reference, the '-E' option to 'ping' has been provided to demonstrate
and test the implementation.

Default data length should be 56, not 64.

- Make -M mask and -M time exclusive.
- Correct some problems with packet construction.

+--------+------------+----------+-------------+---------+
| | | | | |
| IP Hdr | MINICMPLEN | phdr_len | TIMEVAL_LEN | payload |
| | | | | |
+--------+------------+----------+-------------+---------+
| | | |
|<- IP ->|<------- ICMP -------->|<------ datalen ------>|

My previous changes tried to mess around with 'datalen' instead of
modifying 'phdr_len'.

I'm including this nice ASCII diagram (from Maxim) to further clarify things
in CVS history.

Submitted by: Maxim Konovalov <maxim@macomnet.ru>

Fixed an errx format error in rev.1.81. This should have been fatal
when WARNS was increased recently, but __printf0like() has been
temporarily disabled for 8 months.

Fixed related style bugs (disordered declaraction and silly type for
maxpayload -- assume 16-bit ints like the rest of ping.c).

Demangle the usage message at the source level.

Submitted by: bde

Fix and sync SYNOPSIS and usage().

Prodded by: bde

Update ping to be WARNS=2 compliant.

Reviewed by: -audit (no objections ~1mo)
Approved by: nectar

Support ICMP_TSTAMP/ICMP_TSTAMPREPLY.

This alters the meaning of the '-M' flag.

Sort options.

Call fill() after maxpayload has been initialized.

Reviewed by: maxim

Send ICMP_MASKREQ packets when the '-M' option is specified.

Better error handling for -s.

Submitted by: bde

Do not constantify maximum payload size. It is 65467 with -R
(record route), and 65507 without it.

Reviewed by: silence on -net
Proposed by: bde

I am going to MFC rev.1.77 - 1.81 ping.c and rev.1.39 and 1.40 ping.8:

MFC after: 6 months

style(9) sweep.

Submitted by: bde

Anti-magic: s/255/MAXTTL/

Implement -D (do not fragment) and -z (TOS) options.

PR: bin/29164
Reviewed by: silence of -net
Obtained from: OpenBSD

Print strict source routing option.

Reviewed by: silence on -net
Proposed by: David Wang <dsw@juniper.net>

Fix LSRR option length check: it has to be less or equal remained header's
length minus sizeof(struct ip).

MFC after: 1 week

Add an -o option to exit after receiving one reply. This can be used
to test whether a link is live.

PR: 38573
Submitted by: David Taylor <davidt@yadt.co.uk>
Obtained from: NetBSD

Commit "unrelated style fixes" part of Bruce's patch (regarding
bcopy/memcpy) seperately.

Submitted by: bde

Modify previous commit to solve the real problem that made gcc think
the timestamp was aligned. ie: Use a void * instead of struct timeval *
which gcc assumes will be aligned. Go back to memcpy().

Submitted by: bde

In reference to previous commit: use err(3).

Noticed by: bde

Check for FD_SET overrun.

Add the -A flag to the usage line.

Submitted by: Yutaka KAWASE <yutaka@mailhost.net>
MFC after: 3 days

Fix the broken "avoid unaligned data" fix. The problem is that the builtin
gcc memcpy "knows" about types that are supposed to be actually already
aligned and triggers alignment errors doing the memcpy itself.
"Fix" this by changing it to a bcopy(). In this case, we had:
struct timeval *tp;
struct timeval tv1;
memcpy(&tv1,tp,sizeof(tv1));
.. and since gcc *knows* that a pointer to a timeval is longword aligned
and that tv1 is longword aligned, then it can use an inline that assumes
alignment. The following works too:
cp = (char *)tp;
memcpy(&tv1,cp,sizeof(tv1));
Simply casting (char *)tp for the memcpy doesn't work. :-(
This affected different 64 bit platforms in different ways and depends
a lot on gcc as well. I've seen this on alpha and ia64 at least, although
alpha isn't doing it right now.

o Change almost all magic numbers to the appropriate constants.
o Fix zero payloading, unbreak ping -s 0.
o Increase socket recieve buffer, ping -s 65467 is working now.

Submitted by: anti-magic sweep based on kris's patch
Reviewed by: bde, silence on -audit
MFC after: 2 months

More strict ip options parsing.

Reviewed by: bde (style), silence on -audit
MFC after: 2 months

WARNS fixes.

Submitted by: kris
Reviewed by: bde
Approved by: ru
MFC after: 2 weeks

style(9) cleanup.

Submitted by: kris (an early version of this patch)
Reviewed by: bde
Approved by: ru
MFC after: 2 weeks

Style(9) local vars after 'register' removal.

Requested by: bde

Remove 'register' keyword.
It does not help modern compilers, and some may take some hit from it.
(I also found several functions that listed *every* of its 10 local vars with
"register" -- just how many free registers do people think machines have?)

Use network byte order for the ICMP sequence number. This is only
significant when monitoring packets on another system, since
otherwise the ICMP sequence number is only used by the ping client.

Fixed two bugs with the "-l preload" option:

- first ping after a preload was sent undelayed
- we could send more than -c packets in preload

PR: bin/32354

The -A option (beep when packets are dropped) didn't work quite
right; after a single packet was dropped it beeped after every
transmission.

Change its implementation to only output a bell when there is an
increase in the maximum value of the number of packets that were
sent but not yet received. This has the benefit that even for very
long round-trip times, ping -A will do roughly the right thing
after a few inital false-positives.

Reviewed by: ru

Ian Dowse writes:

The original code was certainly broken; it knows that whereto is
to be used for a sockaddr_in, so it should be declared as such.
To support multiple protocols, there is also a sockaddr_storage
struct that can be used; I don't think struct sockaddr is supposed
to be used anywhere other than for casts and pointers.

Submitted by: Ian Dowse <iedowse@maths.tcd.ie>
MFC after: 3 weeks

Fix unaligned access faults on alpha.

This one is strange and goes against my rusty compiler knowledge.

The global declaration

struct sockaddr whereto;

produces for both i386 && alpha:

.comm whereto,16,1

which means common storage, byte aligned. Ahem. I though structs
were supposed to be ALDOUBLE always? I mean, w/o pragma packed?

Later on, this address is coerced to:

to = (struct sockaddr_in *)&whereto;

Up until now, we've been fine on alpha because the address
just ended up aligned to a 4 byte boundary. Lately, though,
it end up as:

0000000120027b0f B whereto

And, tra la, you get unaligned access faults. The solution I picked, in
lieu of understanding what the compiler was doing, is to put whereto
as a union of a sockaddr and sockaddr_in. That's more formally correct
if somewhat awkward looking.

Modify ping so that it increases the send socket buffer size if the
user runs with privilege, allowing the sending of icmp packets with
larger size (up to 48k, the default receive buffer size in ping),
which is useful for network driver development testing, as well
as experimentation with fragmentation.

Reviewed by: wpaul

Add a -A option to ping which beeps when packets are lost.

PR: 11818
Submitted by: Marc Evans marc@destek.net

Add new option -m which allows the user to set IP TTL.

Format string paranoia

Use CMSG_LEN() to compute ping SCM_TIMESTAMP cmsg_len.
Without this, cmsg_len size should be smaller than necessary on alpha.
(Though, no obvious error was seen on ping time value on beast.)

CMSG_XXX macros alignment fixes to follow RFC2292.

Approved by: jkh

Submitted by: Partly from tech@openbsd
Reviewed by: itojun

ping -S option was missing from IPsec merge, so enable it again.

Approved by: jkh

Submitted by: Matthew Reimer <mreimer@vpop.net>

Brucify:
add an upper limit to -t
match the types of return values and the variables they are stuffed in
make the man page and usage() a little more consistantly ugly
less obfuscation.

Submitted by: adrian, billf

Add '-t X' which times out after pinging for X seconds.

Submitted by: adrian

libipsec and IPsec related apps. (and some KAME related man pages)

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project

Make last commit bde-compliant:
- correct indentation
- change data types for consistency with the rest of ping.c
- create new variable separate from "answer" for clarity

Fix aliasing bug causing in_cksum() to fail on odd packet sizes
due to compiler optimization.

PR: bin/13292
Suggested by: wollman

$Id$ -> $FreeBSD$

Make flood ping flood again. It hasn't worked since 2.2.6. Make the "-l"
option work as described in the manual, not as another flood ping variant.

Once discussed to death with: bde

More egcs warning fixes:
o main returns int not void
o use braces to avoid potentially ambiguous else

Note: The fix to natd is potentially functional in nature since I used
the indentation as the right thing rather than the struct semantics.
Someone more familiar with the code should double check me on this one.

Reviewed by: obrien and chuckr

Allow PINGing from any address on multihomed hosts

In the words of the submitter:
"The patch below allows to ping from any address on the multihomed host.
The man page is also updated, the text was cutted from traceroute(8)."

Submitted by: Ruslan Ermilov
PR: 6832

Remove -c restrictions from previous commit.

(well tested at BEST): -i option can now take FP values (e.g. -i 0.1),
extremely useful for networking testing. Other options secured from
user-level D.O.S. attacks. -f, -s now root-only. -i wait times < 1.0
root-only. -c count limited to 100 and defaults to 16 when ping run
by non-root user.

Correct use of .Nm. Remove unused #includes. Use warn(). cosmetic in usage()
string.
Translate 0 sec 1000000 usec to 1 sec 0 usec.

Fix an alignment problem on alpha by doing a bytewise copy.

Use select() timeouts instead of SIGALRM to schedule packet transmission.
Fixes bin/6649 and removes the last abusive signal handler.
Use SO_TIMESTAMP to get the kernel to timestamp packets on reception.
Fixes bin/5658 and provides slightly better accuracy.
Explicitly zero and terminate the IP options when using -R.

PR: bin/5658
PR: bin/6649

Revert the previous fix. As it turns out Warner Losh is
working a better fix.

Attempt to stop another DoS attack related to ping flooding.

PR: 6649
Submitted by: Jason Young <doogie@forbidden-donut.anet-stl.com>

When a timeval is stored at the beginning of icmp_data, the fields
are unaligned for access by the alpha, so copy the value to a variable
that is aligned.

When checking the returned data, be careful to avoid confusing the
size of the icmp header with the size of a timeval. On i386 these
are both 8, but on alpha, a timeval is 16 bytes. This means that
a packet sent from an alpha contains 48 bytes of data, not 56 like
on i386.

If ping write fails with short packet count, the
error message prints the two numbers backwards.
PR: 6313
Reviewed by: phk
Submitted by: Archie Cobbs

Add aback in a line a accidentally killed in my last commit.
Submitted by: Bill Fenner

Make this compile (and seemingly work).

A fairly rare possible buffer overflow:
Theo fixed this and tqbf reported it
Obtained from: OpenBSD

Minor style nit noticed by bde.

Add an ntohs() and format an IP address with inet_ntoa() when
printing the details of a received ICMP packet.

PR: bin/3766
Submitted by: denny1@home.com (Denton Gentry)

don't lose track of how many packets we've sent
if we get 'host unreachable'. (or any other errors than ENOBUFS)
makes -c work again even if you can't get there..
This really needs a rework..

Cleaned up revisions 1.22 and 1.23.
Fixed minor bugs in revisions 1.12 and 1.23 (variables assigned to in signal
handlers weren't declared as volatile).

Calculate and print out the standard deviation of the round trip times.
This isn't necessarily the best statistic, but it is by far the easiest to
calculate. Update the man page to be more explicit about precisely which
statistics are printed out. Revert some of jmg's bogus man page changes from
rev 1.11.

Fix a problem introduced with a recent change that caused a hang with
unreachable hosts. Note that most of this consists of telling SIGINT
and SIGALRM to interrupt the system call, instead of restarting them.
Also try to get rid of some potential races Bruce didn't like; hopefully
they aren't a problem (potential or otherwise) now.

Reviewed by: julian

don't count packets as being transmitted when we know that the sendto()
failed (e.g. ENOBUFS)

ping called printf() from a signal handler..
this is a NO-NO

re-arange to just set a "please die immediatly" flag in the signal handler
and handle this in the normal thread.

also handle ping -f better on slow links by backing off a bit when
we get a ENOBUFFS from the sendto().

Import Lite2's src/sbin, except for XNSrouted and routed. All relevant
files in src/sbin are off the vendor branch, so this doesn't change the
active versions.

Fix typo introduced in 1.17.

Submitted by: "Philippe Charnier" <charnier@xp11.frmug.org>

Check the size of the IP address reutrned from gethostbyname2, per PR
2578 from Julian A. Likely not strictly needed, but it doesn't hurt
and protects ping against possible buffer overflows if the resolver
were to return large IP addresses.

1) Minor nits in the usage message from bde. I took out the hard tabs and
used spaces to align the second line under the program name.
2) Cache uid after call to setuid(getuid()) so we don't waste a system call
for each packet with a call to getuid for the -v case.
3) Update manual to reflect new restriction on -l from last delta.

Suggested by: bde, Bill Fenner

1) Fix usage to match convention and manual. Fix manual to match usage.
2) Must be root to run preload (OpenBSD ping.c 1.8)
3) Don't print all replies unless verbose and root (from idea in
OpenBSD ping.c 1.10 and 1.11) to avoid leaking information available
only to root.
4) Remove unused h: from option string to getopt.
5) Make the compiler happy with exit(0) (Lite-2?)

Reviewed by: Dan Cross <tenser@spitfire.ecsel.psu.edu>

Good candidate for 2.2 and 2.1 (as are many of the 1.17 changes).

Make ping -Wall clean (except for one warning).
Do a better job of argument parsing.
Don't permit ping -f to a multicast address (very antisocial).
Don't permit -L, -I, -T options with unicast addresses.
Ensure that we ask for only AF_INET addresses (should close PR#2584).
Return <sysexits.h> error codes for failures. Document this.
Fix man page to identify the author and put sections in correct order.

Reviewed by: Gary Jennejohn <gj@freebsd.org>
Submitted by: Bruce Murphy <packrat@iinet.net.au>

Add '-a' audible flag, so terminal will beep upon receipt of a reply
packet. Useful for debugging ethernet runs, among other things.

Add multicast options -I (source interface), -T (set ttl), -L (no loopback).
They were all lowercase in the original, but our ping already uses -i and
-l so I made them all uppercase.

Obtained from: Multicast release 3.5

Cleaned up recent SIGINFO changes.

Simplified average calculations. This also fixes potential overflow errors
and minor rounding inconsistencies (always round to nearest now).

Don't lose more SIGINFOs than necessary.

Print \r at the start of the status message. This clears the dots that
are sometimes left by ping -f.

Reviewed by: sef

Fix typo in last patch. empty!=emtpy

Change how SIGINFO is handled -- set a flag (of sig_atomic_t), and check
that flag on every iteration of the loop. This avoids calling fprintf
inside a signal handler, which is always somewhat icky.

Reviewed by: bde

Fix math in SIGINFO printer.

Move the terminal handling code to a later location; this allows
the signal handlers to be set up; it also means that a failed name lookup
won't mess up the nokerninfo setting of the tty.

Reviewed by: pst, nate

Fixed backgrounding of ping, which was broken by the ^T changes in rev.1.3.

Print out ICMP errors that are responses to our own packets by default.
Turn this behavior off using '-Q'. This makes '-v' useless other than as
an ICMP-sniffer, which tcpdump is better at anyway.

Print out another couple of ICMP messages, and fix the printing of the
original packet (mostly byte order problems).

Drop setuid ASAP, to minimize code executed as root.

Reviewed by: pst

Limit the risk of `buf' overrun in ping.c when printing hostnames.

Note, this is not really a security risk, because the buffer in question
is a static variable in the data segment and not on the stack, and hence
cannot subert the flow of execution in any way. About the worst case was
that if you pinged a long hostname, ping could coredump.

Pointed out on: bugtraq (listserv@netspace.org)

Remove trailing whitespace.

In past releases of FreeBSD, I have used the exit status of "ping" to
determine whether a connection to a given machine is up or not.

In FreeBSD 2.0 (and therefore, I assume, BSD 4.4) the exit code of ping
is always zero, even if no packets were received.

I would like to propose the following change to /usr/src/sbin/ping/ping.c
to restore this useful behaviour:

Submitted by: Denis Fortin

Reviewed by: jkh

Print out summary information on receipt of SIGINFO; also, stop the
kernel printing of information and restore it on exit. Now, it needs
an option to be quiet. ;)

Changed output formatting to accurately represent the precision.

BSD 4.4 Lite sbin Sources

Note: XNSrouted and routed NOT imported here, they shall be imported with
usr.sbin.