Date:      Sun, 24 May 1998 08:57:14 -0500 (CDT)
From:      jdm@enteract.com
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Subject:   kern/6738: off-by-one error in timestamp option processing
Message-ID:  <199805241357.IAA07942@freebsd.geek-girl.com>


>Number:         6738
>Category:       kern
>Synopsis:       off-by-one error in timestamp option processing
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 24 07:00:01 PDT 1998
>Last-Modified:
>Originator:     Jennifer Dawn Myers
>Organization:
none
>Release:        FreeBSD 3.0-CURRENT i386
>Environment:

	FreeBSD 3.0-CURRENT (GEEK-GIRL) #2: Tue Apr  7 18:32:22 CDT 1998

	/usr/src/sys/netinet:
		$Id: ip_input.c,v 1.82 1998/04/13 17:27:08 phk Exp $

>Description:

	In ip_input.c, an off-by-one error in the verification of the
	lengths of the TSANDADDR and PRESPEC timestamp options causes 
	valid packets with these options set to be marked as "bad".

	Here's an example ICMP echo request with TSANDADDR set for the 
	destination host:

	08:16:10.087149 rock-lobster.geek-girl.com > freebsd.geek-girl.com: icmp: echo request
                         4800 005c 00ea 0000 ff01 63a5 cfe5 891a
                         cfe5 891c 440c 0501 cfe5 891c 0000 0000
                         0800 f7ff 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000

	The reply:

	08:16:10.087292 freebsd.geek-girl.com > rock-lobster.geek-girl.com: icmp: parameter problem - octet 20
                         4500 0044 ab13 0000 ff01 5ea3 cfe5 891c
                         cfe5 891a 0c00 f6e8 1400 0000 4800 005c
                         ea00 0000 ff01 63a5 cfe5 891a cfe5 891c
                         440c 0501 cfe5 891c 0000 0000 0800 f7ff
                         0000 0000

	Apparently, this problem was noted and fixed in OpenBSD last year:

	revision 1.22
	date: 1997/02/13 16:26:58;  author: deraadt;  state: Exp;  lines: +4 -4
	off-by-one-slot for IP timestamp option data inserts, PR#103, 
	andreas.gunnarsson@emw.ericsson.se
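	The arithmetic behind the report, as an added example (not code from the PR or from ip_input.c): it replays the length check on the TSANDADDR option carried by the echo request above, before and after the proposed "- 1". The kernel types are replaced by local stand-ins, and the second option (two slots, one already filled) is a constructed input.

```c
/* Added example, not code from the PR: replays the bound check from
 * ip_input.c on the TSANDADDR option carried by the echo request above,
 * before and after the proposed "- 1". Types are local stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t n_time;                 /* stand-in for the kernel type */
struct in_addr { uint32_t s_addr; };     /* stand-in, 4 bytes like the real one */
#define IPOPT_TS           0x44
#define IPOPT_TS_TSANDADDR 1

/* RFC 791 timestamp option header: type, length, pointer (1-based, the
 * first data slot is 5), overflow count (high nibble) | flag (low nibble). */
struct ts_opt { uint8_t code, len, ptr, flg; };

/* Option bytes from the request above (IP header offset 20):
 * 44 0c 05 01 -> len 12, ptr 5, flag 1 (TSANDADDR), one empty slot. */
static const uint8_t sample_opt[12] = { 0x44, 0x0c, 0x05, 0x01,
    0xcf, 0xe5, 0x89, 0x1c, 0x00, 0x00, 0x00, 0x00 };

/* Constructed: same option with the first of two slots already filled,
 * so ptr = 13 and len = 20. Still valid, still has room for one entry. */
static const uint8_t half_full_opt[20] = { 0x44, 0x14, 0x0d, 0x01,
    0x0a, 0x00, 0x00, 0x01, 0x00, 0x01, 0x51, 0x80,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

/* Returns 1 if the kernel would mark the option "bad", 0 if it accepts it,
 * -1 if the bytes are not a well-formed TSANDADDR option (e.g. ptr < 5). */
static int ts_rejects(const uint8_t *cp, size_t n, int fixed)
{
    struct ts_opt o;
    if (n < 4 || cp[0] != IPOPT_TS || cp[1] < 5 || cp[1] > n || cp[2] < 5)
        return -1;                       /* ptr < 5 would underflow below */
    o.code = cp[0]; o.len = cp[1]; o.ptr = cp[2]; o.flg = cp[3] & 0x0f;
    if (o.flg != IPOPT_TS_TSANDADDR)
        return -1;
    if (fixed)   /* "---" lines: ptr is 1-based, so ptr - 1 bytes are used */
        return o.ptr - 1 + sizeof(n_time) + sizeof(struct in_addr) > (size_t)o.len;
    /* "***" lines: counts the pointer itself, so one slot too few fits */
    return o.ptr + sizeof(n_time) + sizeof(struct in_addr) > (size_t)o.len;
}

int main(void)
{
    printf("sample:    old=%d new=%d\n",
           ts_rejects(sample_opt, sizeof sample_opt, 0), ts_rejects(sample_opt, sizeof sample_opt, 1));
    printf("half full: old=%d new=%d\n",
           ts_rejects(half_full_opt, sizeof half_full_opt, 0), ts_rejects(half_full_opt, sizeof half_full_opt, 1));
    return 0;
}
```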

>How-To-Repeat:

	Send a packet to a FreeBSD machine with the TSANDADDR or PRESPEC 
	timestamp option set.
	
>Fix:

*** ip_input.c  Thu Apr 16 04:03:17 1998
--- ip_input.c-new      Sun May 24 07:43:16 1998
***************
*** 1069,1071 ****
                        case IPOPT_TS_TSANDADDR:
!                               if (ipt->ipt_ptr + sizeof(n_time) +
                                    sizeof(struct in_addr) > ipt->ipt_len)
--- 1069,1071 ----
                        case IPOPT_TS_TSANDADDR:
!                               if (ipt->ipt_ptr - 1 + sizeof(n_time) +
                                    sizeof(struct in_addr) > ipt->ipt_len)
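Review bot: the "- 1" on the changed line is the right correction, because ipt_ptr is the RFC 791 1-based pointer (5 for the first slot) and the old expression counted that offset once too many: for the option in the echo request above (len 12, ptr 5) the old check computes 5 + 4 + 4 = 13 > 12 and rejects a valid option, while the corrected one computes 12 > 12 and accepts it. Two suggestions: add a one-line comment stating that the 1 is subtracted because the pointer is 1-based, and make sure a pointer below 5 has already been rejected before this line, since ipt_ptr is a u_char and the sizeof terms are size_t, so "ipt->ipt_ptr - 1" with a pointer of 0 is converted to an unsigned value and the sum wraps to 7 instead of failing the check.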
***************
*** 1083,1085 ****
                        case IPOPT_TS_PRESPEC:
!                               if (ipt->ipt_ptr + sizeof(n_time) +
                                    sizeof(struct in_addr) > ipt->ipt_len)
--- 1083,1085 ----
                        case IPOPT_TS_PRESPEC:
!                               if (ipt->ipt_ptr - 1 + sizeof(n_time) +
                                    sizeof(struct in_addr) > ipt->ipt_len)
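Review bot: the same correction is needed here for the same reason, since a PRESPEC slot is also an address plus a timestamp and a single-slot option (len 12, ptr 5) is rejected by the old check. Because the TSANDADDR and PRESPEC cases now compute an identical bound, consider evaluating it once for both flags rather than duplicating the expression, so the two copies cannot drift apart again; the comment explaining the 1-based pointer belongs with that shared check.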
>Audit-Trail:
>Unformatted:
