Didn't know if all you "roll-your-own" types had seen this ...
I don't currently run Linux, so I have not taken time to verify (or even
look closely) - just passing it on.
-r.w.
<headers snipped>
----------------------------------------------------------------------------
From: Alan Cox <alan@cymru.net>
To: linux-announce@stc06.ctd.ornl.gov
Cc: cert@cert.org, juphoff@tarsier.cv.nrao.edu
Subject: [linux-alert] URGENT: Bug in linux networking stack
Date: Mon, 21 Oct 1996 10:25:45 +0100
Sender: owner-linux-alert@tarsier.cv.nrao.edu
There is a nasty bug whereby AIX, Digital Unix, Linux and possibly some
other systems can be brought down remotely by a suitably constructed
oversize packet. Unfortunately a bug in another well known PC operating
system means it's easy to generate such packets.
** This bug is being actively exploited on the internet against all the
** mentioned systems. This fix should be considered essential as should
** other equivalent vendor fixes
The bug can be exploited as simply as:
> 'ping -l 65510 host.running.linux'
The following Linux fix drops such faulty frames and will also be included
in 2.0.24.
Alan Cox
[Patch also available from http://www.uk.linux.org/patches/]
- --- ip_fragment.c.old Mon Sep 16 22:14:52 1996
+++ ip_fragment.c Sat Oct 19 01:04:47 1996
@@ -366,7 +366,7 @@
{
NETDEBUG(printk("Invalid fragment list: Fragment
over size.\n"));
ip_free(qp);
- - frag_kfree_skb(skb,FREE_WRITE);
+ kfree_skb(skb,FREE_WRITE);
ip_statistics.IpReasmFails++;
return NULL;
}
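Review bot: the only change in this hunk is swapping frag_kfree_skb for kfree_skb on the "Fragment over size" drop path, but nothing in the hunk records why; a one-line comment stating how the two routines differ (which accounting each adjusts) would let a reader confirm the skb is released exactly once after ip_free(qp). Note too that this path frees with FREE_WRITE while the new check added later in the same patch frees a received fragment with FREE_READ; the two drop paths should use the same mode, or the difference should be stated.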
@@ -466,6 +466,18 @@
return NULL;
}
}
+
+ /*
+ * Attempt to construct an oversize packet.
+ */
+
+ if(ntohs(iph->tot_len)+(int)offset>65535)
+ {
+ skb->sk = NULL;
+ frag_kfree_skb(skb, FREE_READ);
+ ip_statistics.IpReasmFails++;
+ return NULL;
+ }
/*
* Determine the position of this fragment.
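Review bot: the comment above the new check reads "Attempt to construct an oversize packet." but does not say what bound is enforced; suggest stating it, e.g. `/* Drop a fragment whose own tot_len plus its offset would push the reassembled datagram past the 65535-byte IP limit. */`. The expression `ntohs(iph->tot_len)+(int)offset>65535` counts this fragment's IP header inside tot_len as well as the offset, which makes the bound slightly conservative for fragments carrying IP options; if that is intended, a comment should say so. Also, this path clears `skb->sk = NULL` before `frag_kfree_skb(skb, FREE_READ)`, which the earlier "Fragment over size" drop path does not do; a note on why it is needed here would help the next reader.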
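As an added example, not part of this advisory or of Alan Cox's patch: a small C program that parses a constructed IPv4 fragment header (the 13-bit fragment offset in 8-byte units and the 16-bit tot_len) and applies the same bound the patch adds at reassembly, offset + tot_len > 65535. All identifiers are the example's own, not kernel ones; the 1500-byte MTU used to derive the last fragment of a `ping -l 65510` datagram is an assumption.

```c
/* Added example, not kernel code: parse a constructed IPv4 fragment header and
 * apply the reassembly bound from the ip_fragment.c patch (offset + tot_len
 * must not exceed 65535). Struct and function names are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IP_MAX_DATAGRAM 65535u  /* 16-bit IP total-length limit */
#define IP_MF_FLAG      0x2000u /* "more fragments" bit in the flags/offset word */
#define IP_OFFMASK      0x1fffu /* 13-bit fragment offset, in 8-byte units */

/* Fields this example needs from an IPv4 header. */
struct ipv4_frag_info {
    unsigned ihl;            /* header length in bytes */
    unsigned tot_len;        /* total length of this fragment, header included */
    unsigned offset;         /* byte offset of this fragment's data in the datagram */
    int more_fragments;
};

/* Big-endian 16-bit read: what ntohs() yields on the wire bytes. */
static unsigned be16(const uint8_t *p)
{
    return ((unsigned)p[0] << 8) | p[1];
}

/* Parse the fragment-relevant fields. Returns 0 on success, -1 if the
 * header is truncated, not IPv4, or has an impossible IHL. */
int parse_ipv4_frag(const uint8_t *buf, size_t len, struct ipv4_frag_info *out)
{
    if (len < 20 || (buf[0] >> 4) != 4)
        return -1;
    out->ihl = (buf[0] & 0x0f) * 4u;
    if (out->ihl < 20 || out->ihl > len)
        return -1;
    out->tot_len = be16(buf + 2);
    unsigned frag = be16(buf + 6);
    out->more_fragments = (frag & IP_MF_FLAG) != 0;
    out->offset = (frag & IP_OFFMASK) * 8u;   /* field is in 8-byte units */
    return 0;
}

/* The bound the patch adds: this fragment's tot_len plus its byte offset
 * must not exceed 65535. Returns 1 when the fragment should be dropped. */
int frag_would_oversize(const struct ipv4_frag_info *f)
{
    return (unsigned long)f->tot_len + f->offset > IP_MAX_DATAGRAM;
}

/* Parse a raw header and apply the check: 1 = drop, 0 = accept, -1 = malformed. */
int check_raw(const uint8_t *buf, size_t len)
{
    struct ipv4_frag_info f;
    if (parse_ipv4_frag(buf, len, &f) != 0)
        return -1;
    return frag_would_oversize(&f);
}

/* Build a constructed 20-byte IPv4 header (no options, checksum left zero)
 * with the given tot_len and flags/offset word, so the check runs offline. */
void make_ipv4_header(uint8_t hdr[20], unsigned tot_len, unsigned frag_word)
{
    memset(hdr, 0, 20);
    hdr[0] = 0x45;                          /* version 4, IHL 5 (20 bytes) */
    hdr[2] = (uint8_t)(tot_len >> 8);
    hdr[3] = (uint8_t)(tot_len & 0xff);
    hdr[6] = (uint8_t)(frag_word >> 8);
    hdr[7] = (uint8_t)(frag_word & 0xff);
    hdr[8] = 64;                            /* TTL */
    hdr[9] = 1;                             /* protocol: ICMP */
}

/* Convenience wrapper for constructed fragments. */
int check_fragment(unsigned tot_len, unsigned frag_word)
{
    uint8_t hdr[20];
    make_ipv4_header(hdr, tot_len, frag_word);
    return check_raw(hdr, sizeof hdr);
}

int main(void)
{
    /* Last fragment of a maximal legal 65535-byte datagram: offset 8189*8 =
     * 65512, 3 data bytes, tot_len 23 -> 65512 + 23 = 65535, accepted. */
    printf("legal final fragment:   %d\n", check_fragment(23, 8189));
    /* Final fragment of the 65538-byte datagram that 'ping -l 65510' yields
     * (8 ICMP + 65510 data + 20 IP) when split at an assumed 1500-byte MTU:
     * 44 fragments of 1480 data bytes, then offset 8140*8 = 65120 with
     * tot_len 418 -> 65538 > 65535, dropped. */
    printf("ping -l 65510 fragment: %d\n", check_fragment(418, 8140));
    /* Fragment at the largest encodable offset 8191*8 = 65528 with 8 data
     * bytes: 65556 > 65535, dropped. */
    printf("max-offset fragment:    %d\n", check_fragment(28, 8191));
    return 0;
}
```

The check is the one the patch performs at reassembly time; running it against both a maximal legal datagram and the oversize one shows that 65535 is exactly the line it draws, and that the 13-bit offset field alone (maximum 65528) cannot keep a fragment in bounds without the length check.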