Date: Tue, 6 Oct 1998 12:47:18 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: Michael Richards <026809r@dragon.acadiau.ca>
Cc: security@FreeBSD.ORG
Subject: Re: Large packets?
Message-ID: <Pine.BSF.3.96.981006124233.15295M-100000@fledge.watson.org>
In-Reply-To: <199810061502.MAA01110@dragon.acadiau.ca>
On Tue, 6 Oct 1998, Michael Richards wrote:

> I have been following the discussion of negative IP addresses. Correct me if
> I am wrong, but isn't the largest possible packet 64K even after it's been
> re-assembled?

In theory. :) The maximum size of an IP packet is indeed 64k, but some implementations don't check that the fragments being reassembled actually add up to the correct length, so they just paste the fragments one after another, off the end of the buffer, onto the floor. Or rather, onto other pieces of memory resulting in corruption.

My speculation about the negative number being associated with size was based on this -- that perhaps some careless programmer had accidentally used a signed short for the size in their code, rather than an unsigned short. Then any check against the size field in the form

    if (size < somesize)

would behave incorrectly, because large packet sizes would be interpreted as small ones.

Darren has suggested that I am confusing this with another attack, and that is entirely possible. :) There are an awful lot of mistakes an IP stack programmer can make :).

  Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.981006124233.15295M-100000>
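
The signed-short size check speculated about in the message above, as an added C example that is not part of the original e-mail or of any real IP stack: the function names, the `bufsize` parameter and the sample fragment values are hypothetical and constructed for illustration. It compares a length check done in a signed 16-bit variable with one done in a wider unsigned type against the 64K limit.

```c
#include <stdint.h>
#include <stdio.h>

#define IP_MAXPACKET 65535u   /* largest legal reassembled IP datagram */
#define IP_OFFMASK   0x1FFFu  /* fragment offset is 13 bits, in 8-byte units */

/* Flawed check (hypothetical): the end of the fragment is stored in a signed
 * short. Converting an out-of-range value is implementation-defined; on common
 * compilers it wraps modulo 2^16, so 40000 becomes -25536 and 66992 becomes
 * 1456. Both then compare as "small" and the fragment is accepted. */
static int accept_signed(uint16_t off_units, uint16_t len, int bufsize)
{
    short end = (short)(off_units * 8 + len);
    return end <= bufsize;
}

/* Checked version: compute the end in 32 bits, where offset*8 + len cannot
 * wrap, then compare against both the protocol limit and the buffer size. */
static int accept_checked(uint16_t off_units, uint16_t len, uint32_t bufsize)
{
    uint32_t end;

    if (off_units > IP_OFFMASK)
        return 0;                           /* not a valid 13-bit offset */
    end = (uint32_t)off_units * 8u + len;
    return end <= IP_MAXPACKET && end <= bufsize;
}

int main(void)
{
    /* Constructed sample fragments: {offset in 8-byte units, payload length,
     * reassembly buffer size}. */
    struct { uint16_t off, len; int buf; const char *what; } t[] = {
        {  185, 1480, 65535, "normal second fragment, ends at 2960" },
        { 4815, 1480, 20000, "ends at 40000, buffer is 20000"       },
        { 8189, 1480, 65535, "ends at 66992, past the 64K limit"    },
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%-40s signed=%d checked=%d\n", t[i].what,
               accept_signed(t[i].off, t[i].len, t[i].buf),
               accept_checked(t[i].off, t[i].len, (uint32_t)t[i].buf));
    return 0;
}
```

A result of 1 means the fragment would be copied into the reassembly buffer; only the checked version rejects the two oversized cases.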