From owner-freebsd-security Tue May 4 17: 3:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21])
	by hub.freebsd.org (Postfix) with ESMTP id B52461554C
	for ; Tue, 4 May 1999 17:03:43 -0700 (PDT)
	(envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191])
	by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id RAA06559;
	Tue, 4 May 1999 17:03:27 -0700 (PDT)
	(envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194])
	by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id RAA18620;
	Tue, 4 May 1999 17:03:26 -0700 (PDT)
Received: (from gdonl@localhost)
	by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id RAA06539;
	Tue, 4 May 1999 17:03:25 -0700 (PDT)
From: Don Lewis
Message-Id: <199905050003.RAA06539@salsa.gv.tsc.tdk.com>
Date: Tue, 4 May 1999 17:03:24 -0700
In-Reply-To: Warner Losh "Re: freebsd mbuf crash" (May 4, 3:03pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Warner Losh , Darren Reed
Subject: Re: freebsd mbuf crash
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On May 4, 3:03pm, Warner Losh wrote:
} Subject: Re: freebsd mbuf crash
} In message <199905041526.BAA29421@cheops.anu.edu.au> Darren Reed writes:
} : is this one (below) taken care of? perhaps a derivative of this?
}
} What's it supposed to do? I can't get it to cause any grief on my
} -current system, nor on the 3.1-stable based systems we have here at
} work.

I believe this was fixed by version 1.103 of sys/netinet/ip_input.c. This change was made shortly after 3.0-RELEASE.

The original exploit code only ran correctly on Linux (and nuked FreeBSD machines). It didn't do anything interesting when run under FreeBSD, because the byte order of various IP headers sent on raw sockets differs between Linux and FreeBSD.
This caused various sanity checks in the FreeBSD stack to toss the packet instead of sending it. If you tweak the byte order in the exploit code, you can get it to run under FreeBSD and crash vulnerable FreeBSD machines.
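The effect described in the message above, as an added illustration (not code from the thread, the exploit, or the FreeBSD source): a header-length sanity check drops a caller-built IPv4 header whose total-length field was written in the other byte-order convention. The function names, the choice of the total-length field, and the little-endian host are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte-order convention applied to 16-bit fields of a caller-built header. */
enum field_order { ORDER_NETWORK, ORDER_HOST_LE };

/* Read a 16-bit header field under the given convention. */
static uint16_t read_field(const uint8_t *p, enum field_order o)
{
    return o == ORDER_NETWORK ? (uint16_t)(p[0] << 8 | p[1])
                              : (uint16_t)(p[1] << 8 | p[0]);
}

/*
 * Hypothetical sanity check (assumption, not the FreeBSD source): accept the
 * header only if version, header length and total length agree with the
 * buffer actually handed to the stack. Returns 1 to send, 0 to drop.
 */
int hdr_sane(const uint8_t *pkt, size_t pktlen, enum field_order o)
{
    if (pktlen < 20 || (pkt[0] >> 4) != 4)
        return 0;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t total = read_field(pkt + 2, o);
    if (hlen < 20 || hlen > pktlen || total < hlen || total > pktlen)
        return 0;
    return 1;
}

/* Constructed sample: 20-byte header plus 20 bytes of payload (length 40). */
void build_sample(uint8_t pkt[40], enum field_order writer)
{
    for (size_t i = 0; i < 40; i++)
        pkt[i] = 0;
    pkt[0] = 0x45;                        /* version 4, 5-word header */
    pkt[2] = writer == ORDER_NETWORK ? 0 : 40;
    pkt[3] = writer == ORDER_NETWORK ? 40 : 0;
    pkt[8] = 64;                          /* TTL */
    pkt[9] = 17;                          /* protocol: UDP */
}

int main(void)
{
    uint8_t pkt[40];
    build_sample(pkt, ORDER_NETWORK);     /* written in the other convention */
    printf("network-order length, host-order check: %s\n",
           hdr_sane(pkt, sizeof pkt, ORDER_HOST_LE) ? "send" : "drop");
    build_sample(pkt, ORDER_HOST_LE);     /* written in the checker's convention */
    printf("host-order length, host-order check: %s\n",
           hdr_sane(pkt, sizeof pkt, ORDER_HOST_LE) ? "send" : "drop");
    return 0;
}
```

With the length 40 written as bytes `00 28` and read little-endian, the check sees 10240, which exceeds the 40-byte buffer, so the packet is dropped before it is sent.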