From owner-freebsd-bugs Tue Apr 14 07:40:04 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA23210 for freebsd-bugs-outgoing; Tue, 14 Apr 1998 07:40:04 -0700 (PDT) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA23170; Tue, 14 Apr 1998 07:40:02 -0700 (PDT) (envelope-from gnats)
Received: (from nobody@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA22353; Tue, 14 Apr 1998 07:32:45 -0700 (PDT) (envelope-from nobody)
Message-Id: <199804141432.HAA22353@hub.freebsd.org>
Date: Tue, 14 Apr 1998 07:32:45 -0700 (PDT)
From: tqbf@secnet.com
To: freebsd-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: www-1.0
Subject: kern/6296: IP_HDRINCL sockets force header fields to be in host byte order
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 6296
>Category: kern
>Synopsis: IP_HDRINCL sockets force header fields to be in host byte order
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 14 07:40:01 PDT 1998
>Last-Modified:
>Originator: Thomas H. Ptacek
>Organization: Secure Networks, Inc.
>Release: 3.0-980311-SNAP
>Environment:
FreeBSD foo.rdist.org 3.0-980311-SNAP FreeBSD 3.0-980311-SNAP #1: Sun Mar 29 02:08:26 CST 1998 root@foo.rdist.org:/usr/src/sys/compile/RFORK i386
>Description:
When writing a complete IP packet to the network via a raw socket with the
IP_HDRINCL option set, the FreeBSD kernel incorrectly examines IP header
fields (forgetting to ntohs() them) and thus forces those fields to be set
in host byte order. This is particularly obvious with ip_len, which must be
set correctly for the packet to be written to the network.
>How-To-Repeat:
Create a raw socket, set it HDRINCL, try to write out an ICMP ECHO_REQUEST
packet with the IP packet length set (correctly) in network byte order,
watch it fail. Set the packet length in host byte order. Watch it succeed.
>Fix:
The problem (or at least part of it) is in line 203 of raw_ip.c in netinet.
The conditional checks the user-created IP header to ensure that header
fields are valid; when it checks to make sure length is less than the
buffer size and greater than the header length, it examines ip_len directly
without ntohs()'ing it.
>Audit-Trail:
>Unformatted:
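
The length check described under >Fix, modelled in user space as an added example; it is not code from raw_ip.c or from the report. The function names, the 84-byte sample packet and the inclusive bounds are assumptions made for illustration.

```c
#include <arpa/inet.h>   /* htons, ntohs */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_LEN 20    /* IPv4 header without options */
#define PKT_LEN    84    /* constructed sample: 20 IP + 8 ICMP + 56 data */

/* Read the total-length field (offset 2) the way a host reads a struct member. */
static uint16_t raw_ip_len(const uint8_t *pkt)
{
    uint16_t v;
    memcpy(&v, pkt + 2, sizeof v);
    return v;
}

/* Model of the check as the report describes it: ip_len used directly. */
int check_no_ntohs(const uint8_t *pkt, size_t buflen)
{
    uint16_t len = raw_ip_len(pkt);
    return len >= IP_HDR_LEN && len <= buflen;
}

/* The same bounds check with the conversion the report says is missing. */
int check_with_ntohs(const uint8_t *pkt, size_t buflen)
{
    uint16_t len = ntohs(raw_ip_len(pkt));
    return len >= IP_HDR_LEN && len <= buflen;
}

/* Build the sample packet with ip_len stored as given, then run one check. */
int run_case(uint16_t stored, int use_ntohs)
{
    uint8_t pkt[PKT_LEN] = {0};
    pkt[0] = 0x45;                         /* version 4, header length 5 words */
    memcpy(pkt + 2, &stored, sizeof stored);
    return use_ntohs ? check_with_ntohs(pkt, sizeof pkt)
                     : check_no_ntohs(pkt, sizeof pkt);
}

int main(void)
{
    printf("network order, no ntohs: %d\n", run_case(htons(PKT_LEN), 0));
    printf("host order,    no ntohs: %d\n", run_case(PKT_LEN, 0));
    printf("network order, ntohs   : %d\n", run_case(htons(PKT_LEN), 1));
    return 0;
}
```

On a little-endian host such as the i386 system in the report, the first case is rejected because 84 stored in network order reads back as 21504; on a big-endian host all three cases pass, so the behaviour only shows up where host and network order differ.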