From owner-freebsd-security Tue Oct 6 06:52:47 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA18607 for freebsd-security-outgoing; Tue, 6 Oct 1998 06:52:47 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA18592 for ; Tue, 6 Oct 1998 06:52:43 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id JAA26494; Tue, 6 Oct 1998 09:52:35 -0400 (EDT)
Date: Tue, 6 Oct 1998 09:52:35 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: "Jan B. Koum "
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Negative IP Packets - Risky? (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

My feeling is he is referring to the IP stack corruption issue where some stacks treat the packet size field as a 'signed' value instead of an 'unsigned' value, and hence the field can be a 'negative IP packet'. Maybe it was a different field in the header, but I think you get the gist. Not to spoil Jordan's comic overtures, mind you... :)

I thought that at one point someone mentioned an IP stack sensitive to this on bugtraq, but I really don't recall. It might have gone something like this: you could overflow the buffer for an IP packet by setting the packet size large enough that a later size comparison routine that used that size in a signed form never evaluated true, so the fragments could be reassembled past the end of the buffer into other memory, resulting in corruption, and eventually (or shortly) a crash.
Needless to say, the vendor of the IP stack screwed up, and it should be fixed, as large packet sizes should not be a problem, and may be used by some protocols.

I could be wrong on the description, of course, and it could be something else about a depressed IP stack generating anti-Internet sentiments...

(bows out to Jordan and the negative Californian packets..)

On Tue, 6 Oct 1998, Jan B. Koum wrote:

>
> Am I the only one here who upon reading this goes "Huh?"
>
> OTOH, firewall-wizards is moderated by Marcus Ranum who does not
> let just "any" mail through. In that case: what are negative IP packets?!
>
> -- Yan
>
> I don't have the password .... + Jan Koum
> But the path is chainlinked .. | Spelled Jan, pronounced Yan. There.
> So if you've got the time .... | Web: http://www.best.com/~jkb
> Set the tone to sync ......... + OS: http://www.FreeBSD.org
>
> ---------- Forwarded message ----------
> Date: Mon, 05 Oct 1998 20:11:17 +0100
> From: James Rowley
> To: "'firewall-wizards@nfr.com'"
> Subject: Negative IP Packets - Risky?
>
> By sending negative IP packets to a network, you can crash the server.
>
> Is anyone else aware of this & possible precautions that one can take?
>
> sincerely,
>
> James Rowley - Eudemonic Solutions, Edinburgh, SCOTLAND
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/
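
The signed-comparison flaw described in the message above, as an added C example that is not part of the original e-mail or any vendor's code: a bounds check done on signed 16-bit copies of the header fields, next to one done in widened unsigned arithmetic. The 8192-byte buffer size and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REASM_BUF_SIZE 8192u            /* assumed reassembly buffer size */
static uint8_t reasm_buf[REASM_BUF_SIZE];

/* Flawed check (hypothetical): the 16-bit wire fields are held in signed
 * variables, so a value >= 0x8000 turns negative on two's-complement
 * targets and the "too big" test never fires. */
int frag_fits_signed(uint16_t wire_off, uint16_t wire_len)
{
    int16_t off = (int16_t)wire_off;
    int16_t len = (int16_t)wire_len;
    return !(off + len > (int)REASM_BUF_SIZE);
}

/* Hardened check: stay unsigned and widen before adding so the sum cannot
 * wrap, then compare the fragment's end against the buffer size. */
int frag_fits_unsigned(uint16_t wire_off, uint16_t wire_len)
{
    uint32_t end = (uint32_t)wire_off + (uint32_t)wire_len;
    return end <= REASM_BUF_SIZE;
}

/* Copy a fragment only if the hardened check accepts it.
 * Returns the number of bytes stored, or -1 if the fragment is rejected. */
int store_fragment(uint16_t off, const uint8_t *data, uint16_t len)
{
    if (!frag_fits_unsigned(off, len))
        return -1;
    memcpy(reasm_buf + off, data, len);
    return (int)len;
}

int main(void)
{
    /* Constructed (offset, length) pairs, not captured traffic. */
    static const uint16_t cases[][2] = {
        {0, 1500}, {8000, 500}, {0, 0xFFFF}, {8000, 0x8000}
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("off=%5u len=%5u  signed check: %s  unsigned check: %s\n",
               (unsigned)cases[i][0], (unsigned)cases[i][1],
               frag_fits_signed(cases[i][0], cases[i][1]) ? "accept" : "reject",
               frag_fits_unsigned(cases[i][0], cases[i][1]) ? "accept" : "reject");
    return 0;
}
```

Both checks agree on ordinary sizes; they diverge only once the length field has its top bit set, which is the range where the signed form reads the value as negative.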