From owner-freebsd-current  Sun Oct 25 22:36:25 1998
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id WAA07448
          for freebsd-current-outgoing; Sun, 25 Oct 1998 22:36:25 -0800 (PST)
          (envelope-from owner-freebsd-current@FreeBSD.ORG)
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA07434
          for <current@FreeBSD.ORG>; Sun, 25 Oct 1998 22:36:23 -0800 (PST)
          (envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191])
	by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id WAA06254;
	Sun, 25 Oct 1998 22:35:30 -0800 (PST)
	(envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194])
	by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id WAA21994;
	Sun, 25 Oct 1998 22:35:29 -0800 (PST)
Received: (from gdonl@localhost)
	by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id WAA26219;
	Sun, 25 Oct 1998 22:35:26 -0800 (PST)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
Message-Id: <199810260635.WAA26219@salsa.gv.tsc.tdk.com>
Date: Sun, 25 Oct 1998 22:35:26 -0800
In-Reply-To: Brian Feldman <green@zone.syracuse.net>
       "Re: nestea v2 against freebsd 3.0-Release (fwd)" (Oct 25, 10:34am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Brian Feldman <green@zone.syracuse.net>, Doug Rabson <dfr@nlsystems.com>
Subject: Re: nestea v2 against freebsd 3.0-Release (fwd)
Cc: Don Lewis <Don.Lewis@tsc.tdk.com>,
        Kris Kennaway <kkennawa@physics.adelaide.edu.au>,
        wollman@khavrinen.lcs.mit.edu, current@FreeBSD.ORG
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Oct 25, 10:34am, Brian Feldman wrote:
} Subject: Re: nestea v2 against freebsd 3.0-Release (fwd)
} Here's _my_ patch:
} insert in sys/netinet/ip_input.c:796
}         if (fp->ipq_frags == NULL)              /* XXX */ 
}                 goto dropfrag;  
} (hint: goes after the "next = 0;")

This is just papering over the panic that this particular set of
packets is causing.  It is quite possible to trigger the bug
and *not* have fp->ipq_frags be NULL.  Now that I look at the
code some more, I think the consequences of that are more benign
that I first imagined, it should only cause an mbuf leak instead
of keeping a persistent pointer to an mbuf on the free list.  Of
course, this means that a persistent attacker can cause you to
throw away all your mbufs, even with your patch.

Doesn't it seem odd to you that after executing some code to
find the insertion point for a new fragment into a list of
fragments, and inserting the fragment into the list that the
list would be empty?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message