Date: Thu, 22 Jun 2000 17:01:06 -0700 (PDT) From: Todd Backman <todd@flyingcroc.net> To: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options Message-ID: <Pine.BSF.4.10.10006221655240.81943-100000@security1.noc.flyingcroc.net> In-Reply-To: <20000622215052.D642E37BF12@hub.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
So, upon following the instructions for patch on the SA (including DL'ing
the patch from the ftp site) I get the following:
**** START ****
stuff# patch -p < ip-options.diff
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: ip_icmp.c
|===================================================================
|RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v
|retrieving revision 1.39
|diff -u -r1.39 ip_icmp.c
|--- ip_icmp.c 2000/01/28 06:13:09 1.39
|+++ ip_icmp.c 2000/06/08 15:26:39
--------------------------
Patching file ip_icmp.c using Plan A...
Hunk #1 failed at 662.
1 out of 1 hunks failed--saving rejects to ip_icmp.c.rej
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: ip_input.c
|===================================================================
|RCS file: /ncvs/src/sys/netinet/ip_input.c,v
|retrieving revision 1.130
|diff -u -r1.130 ip_input.c
|--- ip_input.c 2000/02/23 20:11:57 1.130
|+++ ip_input.c 2000/06/08 15:25:46
--------------------------
Patching file ip_input.c using Plan A...
Hunk #1 failed at 1067.
Hunk #2 failed at 1178.
2 out of 2 hunks failed--saving rejects to ip_input.c.rej
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: ip_output.c
|===================================================================
|RCS file: /ncvs/src/sys/netinet/ip_output.c,v
|retrieving revision 1.99
|diff -u -r1.99 ip_output.c
|--- ip_output.c 2000/03/09 14:57:15 1.99
|+++ ip_output.c 2000/06/08 15:27:08
--------------------------
Patching file ip_output.c using Plan A...
Hunk #1 failed at 1302.
1 out of 1 hunks failed--saving rejects to ip_output.c.rej
done
**** FINISH ****
Can anyone hit me with the cluestick?
Thanks.
- Todd
On Thu, 22 Jun 2000, FreeBSD Security Advisories wrote:
> # cd /usr/src/sys/netinet
> # patch -p < /path/to/patch_or_advisory
>
> Index: ip_icmp.c
> ===================================================================
> RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v
> retrieving revision 1.39
> diff -u -r1.39 ip_icmp.c
> --- ip_icmp.c 2000/01/28 06:13:09 1.39
> +++ ip_icmp.c 2000/06/08 15:26:39
> @@ -662,8 +662,11 @@
> if (opt == IPOPT_NOP)
> len = 1;
> else {
> + if (cnt < IPOPT_OLEN + sizeof(*cp))
> + break;
> len = cp[IPOPT_OLEN];
> - if (len <= 0 || len > cnt)
> + if (len < IPOPT_OLEN + sizeof(*cp) ||
> + len > cnt)
> break;
> }
> /*
> Index: ip_input.c
> ===================================================================
> RCS file: /ncvs/src/sys/netinet/ip_input.c,v
> retrieving revision 1.130
> diff -u -r1.130 ip_input.c
> --- ip_input.c 2000/02/23 20:11:57 1.130
> +++ ip_input.c 2000/06/08 15:25:46
> @@ -1067,8 +1067,12 @@
> if (opt == IPOPT_NOP)
> optlen = 1;
> else {
> + if (cnt < IPOPT_OLEN + sizeof(*cp)) {
> + code = &cp[IPOPT_OLEN] - (u_char *)ip;
> + goto bad;
> + }
> optlen = cp[IPOPT_OLEN];
> - if (optlen <= 0 || optlen > cnt) {
> + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) {
> code = &cp[IPOPT_OLEN] - (u_char *)ip;
> goto bad;
> }
> @@ -1174,6 +1178,10 @@
> break;
>
> case IPOPT_RR:
> + if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
> + code = &cp[IPOPT_OFFSET] - (u_char *)ip;
> + goto bad;
> + }
> if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
> code = &cp[IPOPT_OFFSET] - (u_char *)ip;
> goto bad;
> Index: ip_output.c
> ===================================================================
> RCS file: /ncvs/src/sys/netinet/ip_output.c,v
> retrieving revision 1.99
> diff -u -r1.99 ip_output.c
> --- ip_output.c 2000/03/09 14:57:15 1.99
> +++ ip_output.c 2000/06/08 15:27:08
> @@ -1302,8 +1302,10 @@
> if (opt == IPOPT_NOP)
> optlen = 1;
> else {
> + if (cnt < IPOPT_OLEN + sizeof(*cp))
> + goto bad;
> optlen = cp[IPOPT_OLEN];
> - if (optlen <= IPOPT_OLEN || optlen > cnt)
> + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt)
> goto bad;
> }
> switch (opt) {
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.10006221655240.81943-100000>