Date: Tue, 4 May 1999 17:03:24 -0700
From: Don Lewis <Don.Lewis@tsc.tdk.com>
To: Warner Losh <imp@harmony.village.org>, Darren Reed <avalon@coombs.anu.edu.au>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: freebsd mbuf crash
Message-ID: <199905050003.RAA06539@salsa.gv.tsc.tdk.com>
In-Reply-To: Warner Losh <imp@harmony.village.org> "Re: freebsd mbuf crash" (May 4, 3:03pm)

On May 4, 3:03pm, Warner Losh wrote:
} Subject: Re: freebsd mbuf crash
} In message <199905041526.BAA29421@cheops.anu.edu.au> Darren Reed writes:
} : is this one (below) taken care of? perhaps a derivative of this?
}
} What's it supposed to do?  I can't get it to cause any grief on my
} -current system, nor on the 3.1-stable based systems we have here at
} work.

I believe this was fixed by version 1.103 of sys/netinet/ip_input.c.
This change was made shortly after 3.0-RELEASE.

The original exploit code only ran correctly on Linux (and nuked FreeBSD
machines).  It didn't do anything interesting when run under FreeBSD,
because the byte order of various IP headers sent on raw sockets differs
between Linux and FreeBSD.  This caused various sanity checks in the
FreeBSD stack to toss the packet instead of sending it.  If you tweak
the byte order in the exploit code, you can get it to run under FreeBSD
and crash vulnerable FreeBSD machines.
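The byte-order effect described in the message above, as an added illustration that is not part of Don Lewis's message or of the FreeBSD source: the same header bytes pass or fail a length sanity check depending on how the sending stack reads the total-length field. The check shown, the function names, the sample packet and the little-endian host are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { PKT_OK, PKT_TOO_SHORT, PKT_BAD_HEADER,
               PKT_LEN_EXCEEDS_BUFFER, PKT_LEN_BELOW_HLEN };

/* Constructed sample: 20-byte IPv4 header plus 8 zero payload bytes.
 * Total length (bytes 2..3) is written in network order: 0x001c = 28. */
static const uint8_t sample_pkt[28] = { 0x45, 0x00, 0x00, 0x1c };

/* The two ways a stack may read the 16-bit total-length field. */
static uint16_t len_network_order(const uint8_t *h)
{
    return (uint16_t)((h[2] << 8) | h[3]);
}

static uint16_t len_le_host_order(const uint8_t *h)
{
    return (uint16_t)((h[3] << 8) | h[2]);
}

/* Hypothetical model of a sanity check on a caller-supplied IP header:
 * the declared total length must fit the buffer and cover the header.
 * host_order != 0 models a little-endian stack that expects the field
 * in host byte order. */
enum verdict check_hdrincl(const uint8_t *pkt, size_t buflen, int host_order)
{
    if (buflen < 20)
        return PKT_TOO_SHORT;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if ((pkt[0] >> 4) != 4 || hlen < 20 || hlen > buflen)
        return PKT_BAD_HEADER;
    uint16_t ip_len = host_order ? len_le_host_order(pkt)
                                 : len_network_order(pkt);
    if (ip_len > buflen)
        return PKT_LEN_EXCEEDS_BUFFER;   /* 0x1c00 = 7168 > 28 lands here */
    if (ip_len < hlen)
        return PKT_LEN_BELOW_HLEN;
    return PKT_OK;
}

int main(void)
{
    printf("read as network order: verdict %d\n",
           check_hdrincl(sample_pkt, sizeof sample_pkt, 0));
    printf("read as LE host order: verdict %d\n",
           check_hdrincl(sample_pkt, sizeof sample_pkt, 1));
    return 0;
}
```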
