From owner-freebsd-hackers Mon Aug 19 01:22:57 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA26625 for hackers-outgoing; Mon, 19 Aug 1996 01:22:57 -0700 (PDT)
Received: from panda.hilink.com.au (panda.hilink.com.au [203.2.144.5]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA26619 for ; Mon, 19 Aug 1996 01:22:52 -0700 (PDT)
Received: (from danny@localhost) by panda.hilink.com.au (8.7.5/8.7.3) id SAA14444; Mon, 19 Aug 1996 18:22:34 +1000 (EST)
Date: Mon, 19 Aug 1996 18:22:29 +1000 (EST)
From: "Daniel O'Callaghan"
To: Warner Losh
cc: hackers@FreeBSD.ORG
Subject: Re: ipfw vs ipfilter
In-Reply-To: <199608181615.KAA00454@rover.village.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 18 Aug 1996, Warner Losh wrote:

> One of our paranoid villagers recently did a code review on ipfw. He
> said it was OK, but found a couple of problems. Specifically, the
> code lacked comments, there was a bug in the IP header fragment
> discarding code (if the offset was one, it would discard the fragment,
> but not when it was 2, it should properly discard the fragment for all
> offsets > 0 < the size of the headers), it assumed that the user

It is not possible to overwrite the TCP flags area of a packet with a fragment with an offset of anything but 1. Fragmentation is only allowed for the data payload of an IP packet, and fragment offset counting begins at the start of the data section of the packet, irrespective of the size of the IP headers. Since FO is counted in 8-byte units, FO=1 means the data from byte 8 to byte 15 (covering ack number, flags and window), while FO=2 covers bytes 16 to 23 (checksum, urgent pointer, options). Perhaps it would be prudent to discard packets with FO=2, but I can't see how an attack on checksum or Max Segment Size would work.

However, in normal Internet traffic, where the MTU is > 68 octets, the minimum permitted MTU, it is perfectly reasonable to discard all packets with 0 < FO < 7.

Danny
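The byte arithmetic in the message above (FO in 8-octet units, counted from the start of the IP payload, so FO=1 lands on the ack number/flags/window and FO=2 on checksum/urgent pointer/options) is easy to get wrong in a filter, as Warner's code-review report suggests. The following is an added example written for this page, not code from the thread, from ipfw or from ipfilter. It parses the fragment offset out of a raw IPv4 header, maps the fragment's byte span onto the TCP header fields from RFC 793, and applies a "drop non-first fragments with FO below a threshold" rule where the threshold stands in for the values discussed (1 for the original ipfw check, 2, or 7 for the MTU-based rule). The packet builder, the `min_fo` parameter and the addresses are constructed for the demonstration.

```c
/* Added example (not ipfw/ipfilter code): which TCP header bytes does an
 * IPv4 fragment carry, and should a small non-first fragment be dropped?
 * Field layout per RFC 791 (IP) and RFC 793 (TCP). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IP_OFFMASK 0x1fff   /* 13-bit fragment offset, in 8-octet units */
#define IP_MF      0x2000   /* More Fragments flag */

/* TCP header fields as [start, end) byte offsets from the start of the IP payload. */
struct tcp_field { const char *name; int start; int end; };
static const struct tcp_field tcp_fields[] = {
    { "src port",        0,  2 },
    { "dst port",        2,  4 },
    { "seq number",      4,  8 },
    { "ack number",      8, 12 },
    { "data offset",    12, 13 },
    { "flags",          13, 14 },
    { "window",         14, 16 },
    { "checksum",       16, 18 },
    { "urgent pointer", 18, 20 },
    { "options",        20, 24 },   /* first option word, e.g. MSS */
};
#define NTCPFIELDS (sizeof tcp_fields / sizeof tcp_fields[0])

/* Extract the fragment's data offset (in bytes, FO*8) and payload length from a
 * raw IPv4 header. Returns -1 on a malformed or non-IPv4 packet. */
int ip_fragment_span(const uint8_t *pkt, size_t pktlen, int *frag_off_bytes, int *payload_len)
{
    if (pktlen < 20 || (pkt[0] >> 4) != 4) return -1;
    int ihl = (pkt[0] & 0x0f) * 4;
    int total = (pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || (size_t)total > pktlen) return -1;
    uint16_t fragword = (uint16_t)((pkt[6] << 8) | pkt[7]);
    *frag_off_bytes = (fragword & IP_OFFMASK) * 8;   /* offset is relative to the IP payload */
    *payload_len = total - ihl;
    return 0;
}

/* Bitmask (bit i = tcp_fields[i]) of header fields this fragment overlaps, even partially. */
unsigned tcp_fields_covered(int frag_off_bytes, int payload_len)
{
    unsigned mask = 0;
    int lo = frag_off_bytes, hi = frag_off_bytes + payload_len;
    for (size_t i = 0; i < NTCPFIELDS; i++)
        if (lo < tcp_fields[i].end && hi > tcp_fields[i].start)
            mask |= 1u << i;
    return mask;
}

/* Filter rule: drop any non-first fragment whose FO is below min_fo (hypothetical
 * parameter; 2 reproduces "drop FO==1 only", 7 the 0 < FO < 7 rule). 1 = drop, 0 = pass. */
int drop_small_fragment(const uint8_t *pkt, size_t pktlen, int min_fo)
{
    int off, len;
    if (ip_fragment_span(pkt, pktlen, &off, &len) < 0) return 1;  /* malformed: drop */
    int fo = off / 8;
    return fo > 0 && fo < min_fo;
}

/* Constructed test packet: 20-byte IPv4 header, MF clear, offset fo, zeroed TCP bytes. */
size_t make_fragment(uint8_t *buf, int fo, int payload_len)
{
    size_t total = 20 + (size_t)payload_len;
    memset(buf, 0, total);
    buf[0] = 0x45;                                   /* IPv4, IHL = 5 words */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)(total & 0xff);
    buf[6] = (uint8_t)((fo >> 8) & 0x1f); buf[7] = (uint8_t)(fo & 0xff);
    buf[8] = 64; buf[9] = 6;                         /* TTL, protocol = TCP */
    buf[12] = 10; buf[15] = 1;                       /* 10.0.0.1 (placeholder) */
    buf[16] = 10; buf[19] = 2;                       /* 10.0.0.2 (placeholder) */
    return total;
}

/* Convenience wrappers that build a fragment with the given FO and evaluate it. */
unsigned covered_for_fo(int fo, int payload_len)
{
    uint8_t buf[1500]; int off, len;
    size_t n = make_fragment(buf, fo, payload_len);
    if (ip_fragment_span(buf, n, &off, &len) < 0) return 0;
    return tcp_fields_covered(off, len);
}
int verdict_for_fo(int fo, int payload_len, int min_fo)
{
    uint8_t buf[1500];
    size_t n = make_fragment(buf, fo, payload_len);
    return drop_small_fragment(buf, n, min_fo);
}

int main(void)
{
    for (int fo = 1; fo <= 2; fo++) {
        unsigned m = covered_for_fo(fo, 8);
        printf("FO=%d carries:", fo);
        for (size_t i = 0; i < NTCPFIELDS; i++)
            if (m & (1u << i)) printf(" [%s]", tcp_fields[i].name);
        printf("  -> %s under the 0 < FO < 7 rule\n", verdict_for_fo(fo, 8, 7) ? "drop" : "pass");
    }
    return 0;
}
```

Running it shows an FO=1 fragment overlapping the ack number, data offset, flags and window, and an FO=2 fragment overlapping checksum, urgent pointer and the first options word, matching the byte ranges in the message. The `min_fo` threshold makes the difference between the checks under discussion explicit: with `min_fo = 2` only FO=1 is dropped (the behaviour Warner's reviewer flagged), with `min_fo = 7` every non-first fragment that could still carry transport-header bytes is dropped.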