Message-Id: <199805241357.IAA07942@freebsd.geek-girl.com>
Date: Sun, 24 May 1998 08:57:14 -0500 (CDT)
From: jdm@enteract.com
Reply-To: jdm@enteract.com
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: kern/6738: off-by-one error in timestamp option processing

>Number: 6738
>Category: kern
>Synopsis: off-by-one error in timestamp option processing
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun May 24 07:00:01 PDT 1998
>Last-Modified:
>Originator: Jennifer Dawn Myers
>Organization: none
>Release: FreeBSD 3.0-CURRENT i386
>Environment:
FreeBSD 3.0-CURRENT (GEEK-GIRL) #2: Tue Apr 7 18:32:22 CDT 1998
/usr/src/sys/netinet: $Id: ip_input.c,v 1.82 1998/04/13 17:27:08 phk Exp $
>Description:
In ip_input.c, an off-by-one error in the verification of the lengths of the
TSANDADDR and PRESPEC timestamp options causes valid packets with these
options set to be marked as "bad".

Here's an example ICMP echo request with TSANDADDR set for the destination
host:

08:16:10.087149 rock-lobster.geek-girl.com > freebsd.geek-girl.com: icmp: echo request
    4800 005c 00ea 0000 ff01 63a5 cfe5 891a
    cfe5 891c 440c 0501 cfe5 891c 0000 0000
    0800 f7ff 0000 0000 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000

The reply:

08:16:10.087292 freebsd.geek-girl.com > rock-lobster.geek-girl.com: icmp: parameter problem - octet 20
    4500 0044 ab13 0000 ff01 5ea3 cfe5 891c
    cfe5 891a 0c00 f6e8 1400 0000 4800 005c
    ea00 0000 ff01 63a5 cfe5 891a cfe5 891c
    440c 0501 cfe5 891c 0000 0000 0800 f7ff
    0000 0000

Apparently, this problem was noted and fixed in OpenBSD last year:

revision 1.22
date: 1997/02/13 16:26:58;  author: deraadt;  state: Exp;  lines: +4 -4
off-by-one-slot for IP timestamp option data inserts, PR#103,
andreas.gunnarsson@emw.ericsson.se
>How-To-Repeat:
Send a packet to a FreeBSD machine with the TSANDADDR or PRESPEC timestamp
option set.
>Fix:
*** ip_input.c Thu Apr 16 04:03:17 1998 --- ip_input.c-new Sun May 24 07:43:16 1998 *************** *** 1069,1071 **** case IPOPT_TS_TSANDADDR: ! if (ipt->ipt_ptr + sizeof(n_time) + sizeof(struct in_addr) > ipt->ipt_len) --- 1069,1071 ---- case IPOPT_TS_TSANDADDR: ! if (ipt->ipt_ptr - 1 + sizeof(n_time) + sizeof(struct in_addr) > ipt->ipt_len) *************** *** 1083,1085 **** case IPOPT_TS_PRESPEC: ! if (ipt->ipt_ptr + sizeof(n_time) + sizeof(struct in_addr) > ipt->ipt_len) --- 1083,1085 ---- case IPOPT_TS_PRESPEC: ! if (ipt->ipt_ptr - 1 + sizeof(n_time) + sizeof(struct in_addr) > ipt->ipt_len)
>Audit-Trail:
>Unformatted:
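Review bot: the `- 1` in the TSANDADDR hunk (line 1070) is correct but unexplained. ipt_ptr is the RFC 791 pointer, which is 1-based: the first slot starts at ipt_ptr == 5, i.e. byte offset 4 of the option, so the bytes already consumed are ipt_ptr - 1, not ipt_ptr. That is why the old test rejected the 12-byte option in the dump (ptr 05, len 0c: 5 + 4 + 4 > 12) while the corrected test accepts it (4 + 8 > 12 is false). Please add a comment on the changed line saying that ipt_ptr is 1-based, otherwise the next reader will take the subtraction for a bug and revert it.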
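Review bot: the PRESPEC hunk (line 1084) now carries the same expression as the TSANDADDR hunk byte for byte, and the bug being fixed here was an identical mistake repeated in both cases. Consider computing the slot bound once (ipt->ipt_ptr - 1 + sizeof(n_time) + sizeof(struct in_addr)) or sharing the check between the two cases so a future correction cannot be applied to one and missed in the other. Also, `ipt->ipt_ptr - 1` promotes the u_char to int before the sizeof terms convert the sum to an unsigned type, so the expression relies on ipt_ptr never being below 5 here; please confirm that the lower-bound check on ipt_ptr precedes both cases, since it is not in these hunks.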
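As an added example (not code from the PR, nor from FreeBSD or OpenBSD), the following parses the timestamp option out of the echo request quoted above and applies both the original and the corrected slot bound to it; the packet array is constructed from the PR's hex dump, and the option constants, the struct and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

#define IPOPT_TS           68   /* 0x44: RFC 791 timestamp option */
#define IPOPT_TS_TSANDADDR 1    /* slot = address + timestamp */
#define IPOPT_MINOFF       5    /* smallest legal ipt_ptr (1-based) */

/* Constructed from the echo request in the PR: 32-byte IP header
 * (IHL 8) whose last 12 bytes are the timestamp option. */
static const uint8_t pr_packet[] = {
    0x48,0x00,0x00,0x5c, 0x00,0xea,0x00,0x00, 0xff,0x01,0x63,0xa5,
    0xcf,0xe5,0x89,0x1a, 0xcf,0xe5,0x89,0x1c,
    0x44,0x0c,0x05,0x01, 0xcf,0xe5,0x89,0x1c, 0x00,0x00,0x00,0x00,
};

struct ts_opt { uint8_t len, ptr, flg; };

/* Walk the IP option area; 0 on success, -1 if absent or malformed. */
int find_ts_option(const uint8_t *pkt, size_t pktlen, struct ts_opt *out)
{
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4, off = 20;
    if (pktlen < 20 || hlen < 20 || pktlen < hlen) return -1;
    while (off < hlen) {
        uint8_t type = pkt[off];
        if (type == 0) break;                 /* EOL */
        if (type == 1) { off++; continue; }   /* NOP */
        if (off + 2 > hlen || pkt[off + 1] < 2 || off + pkt[off + 1] > hlen)
            return -1;
        if (type == IPOPT_TS && pkt[off + 1] >= 4) {
            out->len = pkt[off + 1];
            out->ptr = pkt[off + 2];          /* 1-based RFC 791 pointer */
            out->flg = pkt[off + 3] & 0x0f;   /* low nibble: flag */
            return 0;
        }
        off += pkt[off + 1];
    }
    return -1;
}

/* Slot-bound test for TSANDADDR/PRESPEC (4-byte addr + 4-byte time).
 * fixed == 0 reproduces the original ip_input.c test, fixed != 0 the
 * PR's patch. Returns 1 if the option would be flagged as bad. */
int ts_slot_overflows(const struct ts_opt *o, int fixed)
{
    const size_t slot = 4 + 4;
    if (o->ptr < IPOPT_MINOFF) return 1;      /* lower bound assumed; not in the PR's hunks */
    size_t used = fixed ? (size_t)o->ptr - 1 : (size_t)o->ptr;
    return used + slot > o->len;
}
```

The original test computes 5 + 8 > 12 for the dumped option and marks it bad, which is what produced the parameter-problem reply pointing at octet 20, the start of the option.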