From owner-freebsd-bugs  Fri Jun 26 08:28:42 1998
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id IAA24834
          for freebsd-bugs-outgoing; Fri, 26 Jun 1998 08:28:42 -0700 (PDT)
          (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from itesec.hsc.fr (root@itesec.hsc.fr [192.70.106.33])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA24764;
          Fri, 26 Jun 1998 08:28:09 -0700 (PDT)
          (envelope-from pb@hsc.fr)
Received: from mars.hsc.fr (mars.hsc.fr [192.70.106.44])
	by itesec.hsc.fr (8.8.8/8.8.5/itesec-1.12-nospam) with ESMTP id RAA13257;
	Fri, 26 Jun 1998 17:19:01 +0200 (MET DST)
Received: (from pb@localhost)
	by mars.hsc.fr (8.8.8/8.8.8/pb-19980526) id RAA18988;
	Fri, 26 Jun 1998 17:27:48 +0200 (CEST)
	(envelope-from pb)
Message-ID: <19980626172748.A18953@mars.hsc.fr>
Date: Fri, 26 Jun 1998 17:27:48 +0200
From: Pierre Beyssac <Pierre.Beyssac@hsc.fr>
To: andrewr <andrewr@slack.net>, Bill Fenner <fenner@parc.xerox.com>
Cc: Nate Lawson <nate@almond.elite.net>, nate@elite.net, julian@whistle.com,
        freebsd-bugs@FreeBSD.ORG, freebsd-net@FreeBSD.ORG,
        freebsd-hackers@FreeBSD.ORG
Subject: Re: Apparent bug in sendto() with raw sockets
References: <98Jun25.155535pdt.177515@crevenia.parc.xerox.com> <Pine.NEB.3.96.980626092922.1974A-100000@brooklyn.slack.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.92.8i
In-Reply-To: <Pine.NEB.3.96.980626092922.1974A-100000@brooklyn.slack.net>; from andrewr on Fri, Jun 26, 1998 at 09:38:33AM -0400
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Jun 26, 1998 at 09:38:33AM -0400, andrewr wrote:
> Speaking of IP_HDRINCL, after reading raw_ip.c and noticing the protection
> against spoofing (can't use IP_HDRINCL in certain situations), I started
> thinking about actually comparing the user dsupplied ip->ip_src with the

Are you sure you're talking about FreeBSD here ? SunOS 4 has such
a protection (it checks that the source address belongs to one of
the interfaces, or so it seems) but I've successfully spoofed
packets on FreeBSD without any problem using IP_HDRINCL.

Anyway, such a protection can easily bypassed by sending raw
link-level packets through bpf (or probably /dev/nit in the case
of SunOS, although I've never tried this).
-- 
Pierre.Beyssac@hsc.fr

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message