Date:      Fri, 14 Nov 1997 23:23:37 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        questions@freebsd.org
Cc:        security@freebsd.org
Subject:   IPFW and ipfragment overlap attack...
Message-ID:  <3.0.2.32.19971114232337.02496330@sentex.net>


Does anyone know of a way to prevent via ipfw the use of the ip fragment
attack that was posted on bugtraq the other day?  Since this can take out
NT/95 machines at will, it would be nice if I could protect my dialup users
from outside attack.  Also, it seems that FreeBSD is safe against this
program, is it not?  I am not a network programmer, but looking through
/usr/src/sys/netinet/ip_input.c there are some safeguards against this.
Are there any modifications to the program that could affect FreeBSD?


	---Mike

>Approved-By: aleph1@UNDERGROUND.ORG
>X-Mailer: ELM [version 2.4 PL25]
>Date: 	Thu, 13 Nov 1997 22:06:15 -0800
>Reply-To: route@RESENTMENT.INFONEXUS.COM
>Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
>From: G P R <route@RESENTMENT.INFONEXUS.COM>
>Subject:      Linux IP fragment overlap bug
>To: BUGTRAQ@NETSPACE.ORG
>
>
>    As it happens, Linux has a serious bug in its IP fragmentation module.
>More specifically, in the fragmentation reassembly code.  More specifically,
>the bug manifests itself in the `ip_glue()` function....
>
>    When Linux reassembles IP fragments to form the original IP datagram, it
>runs in a loop, copying the payload from all the queued fragments into a newly
>allocated buffer (which would then normally be passed to the IP layer proper).
>From ip_fragment.c@376:
>
>        fp = qp->fragments;
>        while(fp != NULL)
>        {
>                if(count+fp->len > skb->len)
>                {
>                    error_to_big;
>                }
>                memcpy((ptr + fp->offset), fp->ptr, fp->len);
>                count += fp->len;
>                fp = fp->next;
>        }
>
>    While it does check to see if the fragment length is too large, which would
>have the kernel copy too much data, it doesn't check to see if the fragment
>length is too small, which would have the kernel copy WAY too much data (such
>is the case if fp->len is < 0).



**********************************************************************
Mike Tancsa  (mike@sentex.net)           * To do is to be  -- Nietzsche
Sentex Communications Corp,              * To be is to do  -- Sartre 
Cambridge, Ontario                       * Do be do be do  -- Sinatra
(http://www.sentex.net/~mdtancsa)        *
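The missing check the quoted post describes, as an added example that is neither the kernel's code nor the post's: a small model of the fragment loop with the original check beside a hardened per-fragment validation. The struct, function names and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of a queued fragment; fields mirror the quoted loop
 * (offset, len, ptr, next) but nothing here is kernel code. */
struct frag { int offset; int len; const uint8_t *ptr; struct frag *next; };
static const uint8_t sample[] = "constructed-payload-abcd"; /* 24 data bytes */
/* The only check the quoted loop makes: a negative len sails through. */
static int original_check_accepts(const struct frag *fp, int count, int total)
{
    return !(count + fp->len > total);
}
/* Hardened check: len > 0, offset >= 0, fragment ends inside the buffer. */
static int fragment_is_sane(const struct frag *fp, int total)
{
    if (fp->len <= 0 || fp->offset < 0 || fp->offset > total)
        return 0;
    return fp->len <= total - fp->offset;
}
/* Safe counterpart of the ip_glue() loop: copy every fragment into buf
 * (capacity total); return bytes placed, or -1 if any fragment is bad. */
int glue_fragments(const struct frag *fp, uint8_t *buf, int total)
{
    int count = 0;
    for (; fp != NULL; fp = fp->next) {
        if (!fragment_is_sane(fp, total))
            return -1;
        memcpy(buf + fp->offset, fp->ptr, (size_t)fp->len);
        count += fp->len;
    }
    return count;
}
/* Chain whose second fragment has a negative len after an overlap trim
 * (constructed). Returns 1: the original check accepts it, the glue refuses. */
int demo_overlap_rejected(void)
{
    uint8_t buf[24];
    struct frag b = { 24, -4, sample + 20, NULL };
    struct frag a = { 0, 16, sample, &b };
    return original_check_accepts(&b, a.len, 24) && glue_fragments(&a, buf, 24) == -1;
}
/* Well-formed two-fragment chain filling the 24-byte buffer; returns 24. */
int demo_valid_chain(void)
{
    uint8_t buf[24];
    struct frag b = { 16, 8, sample + 16, NULL };
    struct frag a = { 0, 16, sample, &b };
    int n = glue_fragments(&a, buf, 24);
    return (n == 24 && memcmp(buf, sample, 24) == 0) ? n : -1;
}
```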



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3.0.2.32.19971114232337.02496330>