From owner-freebsd-security Fri Nov 14 21:30:29 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id VAA01189 for security-outgoing; Fri, 14 Nov 1997 21:30:29 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id VAA01183; Fri, 14 Nov 1997 21:30:25 -0800 (PST) (envelope-from mike@sentex.net)
Received: from gravel (gravel-remote.sentex.ca [209.112.4.181]) by granite.sentex.net (8.8.6/8.6.9) with SMTP id AAA25898; Sat, 15 Nov 1997 00:31:51 -0500 (EST)
Message-Id: <3.0.2.32.19971114232337.02496330@sentex.net>
X-Sender: mdtancsa@sentex.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.2 (32)
Date: Fri, 14 Nov 1997 23:23:37 -0500
To: questions@freebsd.org
From: Mike Tancsa
Subject: IPFW and ipfragment overlap attack...
Cc: security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Does anyone know of a way to prevent via ipfw the use of the IP fragment attack that was posted on bugtraq the other day? Since this can take out NT/95 machines at will, it would be nice if I could protect my dialup users from outside attack.

Also, it seems that FreeBSD is safe against this program, is it not? I am not a network programmer, but looking through /usr/src/sys/netinet/ip_input.c there are some safeguards against this. Are there any modifications to the program that could affect FreeBSD?

---Mike

>Approved-By: aleph1@UNDERGROUND.ORG
>X-Mailer: ELM [version 2.4 PL25]
>Date: Thu, 13 Nov 1997 22:06:15 -0800
>Reply-To: route@RESENTMENT.INFONEXUS.COM
>Sender: Bugtraq List
>From: G P R
>Subject: Linux IP fragment overlap bug
>To: BUGTRAQ@NETSPACE.ORG
>
>
> As it happens, Linux has a serious bug in its IP fragmentation module.
>More specifically, in the fragmentation reassembly code. More specifically,
>the bug manifests itself in the `ip_glue()` function....
>
> When Linux reassembles IP fragments to form the original IP datagram, it
>runs in a loop, copying the payload from all the queued fragments into a newly
>allocated buffer (which would then normally be passed to the IP layer proper).
>From ip_fragment.c@376:
>
>        fp = qp->fragments;
>        while(fp != NULL)
>        {
>                if(count+fp->len > skb->len)
>                {
>                        error_to_big;
>                }
>                memcpy((ptr + fp->offset), fp->ptr, fp->len);
>                count += fp->len;
>                fp = fp->next;
>        }
>
> While it does check to see if the fragment length is too large, which would
>have the kernel copy too much data, it doesn't check to see if the fragment
>length is too small, which would have the kernel copy WAY too much data (such is the
>case if fp->len is < 0).

**********************************************************************
Mike Tancsa (mike@sentex.net)          * To do is to be -- Nietzsche
Sentex Communications Corp,            * To be is to do -- Sartre
Cambridge, Ontario                     * Do be do be do -- Sinatra
(http://www.sentex.net/~mdtancsa)      *
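The quoted post points at the missing lower bound on the fragment length: once an earlier fragment's overlap has been trimmed away, a fragment lying entirely inside the previous one ends up with a negative length, and memcpy treats that as an enormous size. The following is an added example, not code from the post, the Linux kernel, or FreeBSD; it is a user-space model of a reassembly loop whose struct and helpers (struct frag, reassemble_checked, demo_valid, demo_overlap) are constructed for illustration. It shows the check the posted loop lacks: after trimming overlap against the bytes already copied, the remaining length must be non-negative and the fragment end must stay inside the buffer, otherwise the whole fragment set is rejected.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a queued fragment (not the Linux struct). */
struct frag {
    int offset;          /* byte offset of the fragment within the datagram */
    int len;             /* payload length as carried by the fragment */
    const uint8_t *ptr;  /* payload bytes */
};

/*
 * Copy fragments (sorted by offset) into buf, trimming any overlap with bytes
 * already copied. Returns the number of bytes assembled, or -1 when the set is
 * inconsistent: a negative or fully overlapped fragment (the case the posted
 * loop misses) or a fragment running past the end of the buffer.
 */
int reassemble_checked(const struct frag *frags, size_t nfrags,
                       uint8_t *buf, size_t buflen)
{
    int count = 0;  /* number of bytes written so far (end of last fragment) */

    for (size_t i = 0; i < nfrags; i++) {
        int start = frags[i].offset;
        int end   = frags[i].offset + frags[i].len;
        const uint8_t *src = frags[i].ptr;

        if (start < 0 || frags[i].len < 0)
            return -1;

        /* Trim the leading part that overlaps an earlier fragment. */
        if (start < count) {
            src  += count - start;
            start = count;
        }

        int len = end - start;
        /* Missing in the posted loop: a fragment that ends before the trimmed
         * start has a negative length, which memcpy would read as a huge size. */
        if (len < 0)
            return -1;
        /* The upper bound the posted loop does have ("error_to_big"). */
        if ((size_t)end > buflen)
            return -1;

        memcpy(buf + start, src, (size_t)len);
        count = end;
    }
    return count;
}

/* Constructed sample: two well-formed fragments covering bytes 0..15 and 16..23. */
int demo_valid(void)
{
    static const uint8_t a[] = "0123456789abcdef";
    static const uint8_t b[] = "ghijklmn";
    struct frag f[] = { { 0, 16, a }, { 16, 8, b } };
    uint8_t out[64];
    return reassemble_checked(f, 2, out, sizeof out);   /* 24 */
}

/* Constructed sample of the overlap the post describes: the second fragment
 * (bytes 4..11) lies entirely inside the first, so after trimming its start to
 * 16 the remaining length would be 12 - 16 = -4. */
int demo_overlap(void)
{
    static const uint8_t a[] = "0123456789abcdef";
    static const uint8_t b[] = "ghijklmn";
    struct frag f[] = { { 0, 16, a }, { 4, 8, b } };
    uint8_t out[64];
    return reassemble_checked(f, 2, out, sizeof out);   /* -1 */
}

int main(void)
{
    printf("well-formed set: %d bytes\n", demo_valid());
    printf("overlapping set: %d (rejected)\n", demo_overlap());
    return 0;
}
```

The model trims and glues in one pass for brevity; a real stack trims when the fragment is queued and glues later, but the invariant is the same: every fragment's trimmed length must be checked against zero, not just against the buffer size.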