Date: Thu, 22 Jun 2000 17:01:06 -0700 (PDT)
From: Todd Backman
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options
In-Reply-To: <20000622215052.D642E37BF12@hub.freebsd.org>

So, upon following the instructions for patch on the SA (including DL'ing the patch from the ftp site) I get the following:

**** START ****
stuff# patch -p < ip-options.diff
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: ip_icmp.c
|===================================================================
|RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v
|retrieving revision 1.39
|diff -u -r1.39 ip_icmp.c
|--- ip_icmp.c 2000/01/28 06:13:09 1.39
|+++ ip_icmp.c 2000/06/08 15:26:39
--------------------------
Patching file ip_icmp.c using Plan A...
Hunk #1 failed at 662.
1 out of 1 hunks failed--saving rejects to ip_icmp.c.rej
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: ip_input.c
|===================================================================
|RCS file: /ncvs/src/sys/netinet/ip_input.c,v
|retrieving revision 1.130
|diff -u -r1.130 ip_input.c
|--- ip_input.c 2000/02/23 20:11:57 1.130
|+++ ip_input.c 2000/06/08 15:25:46
--------------------------
Patching file ip_input.c using Plan A...
Hunk #1 failed at 1067.
Hunk #2 failed at 1178.
2 out of 2 hunks failed--saving rejects to ip_input.c.rej
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: ip_output.c
|===================================================================
|RCS file: /ncvs/src/sys/netinet/ip_output.c,v
|retrieving revision 1.99
|diff -u -r1.99 ip_output.c
|--- ip_output.c 2000/03/09 14:57:15 1.99
|+++ ip_output.c 2000/06/08 15:27:08
--------------------------
Patching file ip_output.c using Plan A...
Hunk #1 failed at 1302.
1 out of 1 hunks failed--saving rejects to ip_output.c.rej
done
**** FINISH ****

Can anyone hit me with the cluestick?

Thanks.

- Todd

On Thu, 22 Jun 2000, FreeBSD Security Advisories wrote:

> # cd /usr/src/sys/netinet
> # patch -p < /path/to/patch_or_advisory
>
> Index: ip_icmp.c > =================================================================== > RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v > retrieving revision 1.39 > diff -u -r1.39 ip_icmp.c > --- ip_icmp.c 2000/01/28 06:13:09 1.39 > +++ ip_icmp.c 2000/06/08 15:26:39 > @@ -662,8 +662,11 @@ > if (opt == IPOPT_NOP) > len = 1; > else { > + if (cnt < IPOPT_OLEN + sizeof(*cp)) > + break; > len = cp[IPOPT_OLEN]; > - if (len <= 0 || len > cnt) > + if (len < IPOPT_OLEN + sizeof(*cp) || > + len > cnt) > break; > } > /* > Index: ip_input.c > =================================================================== > RCS file: /ncvs/src/sys/netinet/ip_input.c,v > retrieving revision 1.130 > diff -u -r1.130 ip_input.c > --- ip_input.c 2000/02/23 20:11:57 1.130 > +++ ip_input.c 2000/06/08 15:25:46 > @@ -1067,8 +1067,12 @@ > if (opt == IPOPT_NOP) > optlen = 1; > else { > + if (cnt < IPOPT_OLEN + sizeof(*cp)) { > + code = &cp[IPOPT_OLEN] - (u_char *)ip; > + goto bad; > + } > optlen = cp[IPOPT_OLEN]; > - if (optlen <= 0 || optlen > cnt) { > + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) { > code = &cp[IPOPT_OLEN] - (u_char *)ip; > goto bad; > } 
> @@ -1174,6 +1178,10 @@ > break; > > case IPOPT_RR: > + if (optlen < IPOPT_OFFSET + sizeof(*cp)) { > + code = &cp[IPOPT_OFFSET] - (u_char *)ip; > + goto bad; > + } > if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) { > code = &cp[IPOPT_OFFSET] - (u_char *)ip; > goto bad; > Index: ip_output.c > =================================================================== > RCS file: /ncvs/src/sys/netinet/ip_output.c,v > retrieving revision 1.99 > diff -u -r1.99 ip_output.c > --- ip_output.c 2000/03/09 14:57:15 1.99 > +++ ip_output.c 2000/06/08 15:27:08 > @@ -1302,8 +1302,10 @@ > if (opt == IPOPT_NOP) > optlen = 1; > else { > + if (cnt < IPOPT_OLEN + sizeof(*cp)) > + goto bad; > optlen = cp[IPOPT_OLEN]; > - if (optlen <= IPOPT_OLEN || optlen > cnt) > + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) > goto bad; > } > switch (opt) { >
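
Review bot: In the ip_icmp.c hunk (@@ -662,8 +662,11 @@), both new tests leave the loop with a bare `break`, so a truncated or undersized option ends option processing silently, whereas the same conditions in the ip_input.c and ip_output.c hunks take `goto bad`. If stopping quietly is what this loop wants, a short comment above `if (cnt < IPOPT_OLEN + sizeof(*cp))` should say so, and should state that `IPOPT_OLEN + sizeof(*cp)` is the number of bytes that must remain for `cp[IPOPT_OLEN]` to be readable, so the three copies of this check are not later "harmonised" in the wrong direction.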
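
Review bot: In the first ip_input.c hunk (@@ -1067,8 +1067,12 @@), the new truncated-option branch sets `code = &cp[IPOPT_OLEN] - (u_char *)ip` in exactly the case where `cnt < IPOPT_OLEN + sizeof(*cp)`, that is, where the length byte lies past the remaining option bytes. Nothing is dereferenced, so this is safe, but the offset reported through `code` then points outside the data that was actually received as options. Consider reporting the offset of the option type byte (`cp - (u_char *)ip`) in this branch, or add a comment that the out-of-range offset is deliberate. The two branches otherwise have identical bodies and differ only in the condition, which is worth a comment too.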
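
Review bot: The second ip_input.c hunk (@@ -1174,6 +1178,10 @@) adds the `optlen < IPOPT_OFFSET + sizeof(*cp)` guard only under `case IPOPT_RR:`. The patch as posted touches no other case of this switch, so any other option handler that reads `cp[IPOPT_OFFSET]` still does so with only the generic two-byte minimum from the earlier hunk behind it. Please confirm each remaining case that indexes past `IPOPT_OLEN` has its own minimum-length test, or hoist a per-option minimum check to one place ahead of the switch.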
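
Review bot: In the ip_output.c hunk (@@ -1302,8 +1302,10 @@), the rewritten lower bound `optlen < IPOPT_OLEN + sizeof(*cp)` rejects the same values as the old `optlen <= IPOPT_OLEN`, so the only behavioural change here is the added `cnt` test; the description should say that. Also note that `sizeof(*cp)` has type size_t, which makes `cnt < IPOPT_OLEN + sizeof(*cp)` an unsigned comparison: if `cnt` is a signed int and could ever reach this point negative, it would convert to a large unsigned value and pass. A named constant for the two-byte minimum, typed to match `cnt` and `optlen`, would remove that dependency and the repetition across all three files.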