Date: Tue, 6 Oct 1998 09:52:35 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: "Jan B. Koum " <jkb@best.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Negative IP Packets - Risky? (fwd)
Message-ID: <Pine.BSF.3.96.981006094756.15295H-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.4.02A.9810060054010.651-100000@shell6.ba.best.com>

My feeling is he is referring to the IP stack corruption issue where some
stacks treat the packet size field as a 'signed' value instead of an
'unsigned' value, and hence the field can be a 'negative IP packet'. Maybe
it was a different field in the header, but I think you get the gist. Not
to spoil Jordan's comic overtures, mind you... :)

I thought that at one point someone mentioned an IP stack sensitive to this
on bugtraq, but I really don't recall. It might have gone something like
this: you could overflow the buffer for an IP packet by setting the packet
size large enough that a later size comparison routine that used that size
in a signed form never evaluated true, so the fragments could be
reassembled past the end of the buffer into other memory, resulting in
corruption, and eventually (or shortly) a crash. Needless to say, the
vendor of the IP stack screwed up, and it should be fixed, as large packet
sizes should not be a problem, and may be used by some protocols.

I could be wrong on the description, of course, and it could be something
else about a depressed IP stack generating anti-Internet sentiments...

(bows out to Jordan and the negative Californian packets..)

On Tue, 6 Oct 1998, Jan B. Koum wrote:

>
> Am I the only one here who upon reading this goes "Huh?"
>
> OTOH, firewall-wizards is moderated by Marcus Ranum who does not
> let just "any" mail through. In that case: what are negative IP packets?!
>
> -- Yan
>
> I don't have the password .... + Jan Koum
> But the path is chainlinked .. | Spelled Jan, pronounced Yan. There.
> So if you've got the time .... | Web: http://www.best.com/~jkb
> Set the tone to sync ......... + OS: http://www.FreeBSD.org
>
> ---------- Forwarded message ----------
> Date: Mon, 05 Oct 1998 20:11:17 +0100
> From: James Rowley <james.rowley@edin.uk.sykes.com>
> To: "'firewall-wizards@nfr.com'" <firewall-wizards@nfr.net>
> Subject: Negative IP Packets - Risky?
>
> By sending negative IP packets to a network, you can crash the server.
>
> Is anyone else aware of this & possible precautions that one can take?
>
> sincerely,
>
> James Rowley - Eudemonic Solutions, Edinburgh, SCOTLAND
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
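
The signed-versus-unsigned size comparison described in the message above, as an added C example that is not part of the original e-mail and is not taken from any vendor's stack. The buffer size, the function names and the sample (offset, length) pairs are assumptions constructed for illustration; the flawed check only returns its decision, and the copy is done only behind the corrected check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REASM_BUF_SIZE 4096              /* assumed buffer size for this sketch */
static uint8_t reasm[REASM_BUF_SIZE];    /* hypothetical reassembly buffer */

/* Flawed check: the 16-bit wire length is viewed as signed. Values of 0x8000
 * and above turn negative on two's-complement targets, so the "too big"
 * comparison is never true for them and the fragment is accepted. */
static int fits_signed(uint16_t off, uint16_t wire_len)
{
    int16_t len = (int16_t)wire_len;     /* the bug */
    return !(off + len > REASM_BUF_SIZE);
}

/* Corrected check: keep the field unsigned and add in a wider type. */
static int fits_unsigned(uint16_t off, uint16_t wire_len)
{
    uint32_t end = (uint32_t)off + (uint32_t)wire_len;
    return end <= REASM_BUF_SIZE;
}

/* Copy a fragment only when the unsigned check passes; -1 means rejected. */
static long place_fragment(uint16_t off, const uint8_t *data, uint16_t len)
{
    if (!fits_unsigned(off, len))
        return -1;
    memcpy(reasm + off, data, len);
    return (long)len;
}

int main(void)
{
    /* Constructed (offset, length) pairs, not taken from a real capture. */
    static const uint16_t t[][2] = {
        {0, 1480}, {4000, 200}, {0, 0xFFF0}, {1024, 0x8000}
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("off=%5u len=%5u signed=%d unsigned=%d\n",
               (unsigned)t[i][0], (unsigned)t[i][1],
               fits_signed(t[i][0], t[i][1]),
               fits_unsigned(t[i][0], t[i][1]));
    printf("placed=%ld\n", place_fragment(0, (const uint8_t *)"frag", 4));
    return 0;
}
```

The two checks agree on the first two pairs and disagree on the last two, where the length field has its top bit set.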
