Date: Sun, 25 Oct 1998 22:35:26 -0800
From: Don Lewis <Don.Lewis@tsc.tdk.com>
To: Brian Feldman <green@zone.syracuse.net>, Doug Rabson <dfr@nlsystems.com>
Cc: Don Lewis <Don.Lewis@tsc.tdk.com>, Kris Kennaway <kkennawa@physics.adelaide.edu.au>, wollman@khavrinen.lcs.mit.edu, current@FreeBSD.ORG
Subject: Re: nestea v2 against freebsd 3.0-Release (fwd)
Message-ID: <199810260635.WAA26219@salsa.gv.tsc.tdk.com>
In-Reply-To: Brian Feldman <green@zone.syracuse.net> "Re: nestea v2 against freebsd 3.0-Release (fwd)" (Oct 25, 10:34am)
On Oct 25, 10:34am, Brian Feldman wrote:
} Subject: Re: nestea v2 against freebsd 3.0-Release (fwd)
} Here's _my_ patch:
} insert in sys/netinet/ip_input.c:796
}     if (fp->ipq_frags == NULL) /* XXX */
}         goto dropfrag;
} (hint: goes after the "next = 0;")

This is just papering over the panic that this particular set of packets is causing. It is quite possible to trigger the bug and *not* have fp->ipq_frags be NULL.

Now that I look at the code some more, I think the consequences of that are more benign than I first imagined; it should only cause an mbuf leak instead of keeping a persistent pointer to an mbuf on the free list. Of course, this means that a persistent attacker can cause you to throw away all your mbufs, even with your patch.

Doesn't it seem odd to you that after executing some code to find the insertion point for a new fragment into a list of fragments, and inserting the fragment into the list, the list would be empty?