Date: Tue, 06 Oct 1998 11:58:21 -0600
From: Brett Glass
To: Robert Watson, Michael Richards <026809r@dragon.acadiau.ca>
Cc: security@FreeBSD.ORG
Subject: Re: Large packets?
Message-Id: <4.1.19981006115624.04198290@mail.lariat.org>
References: <199810061502.MAA01110@dragon.acadiau.ca>

At 12:47 PM 10/6/98 -0400, Robert Watson wrote:

>In theory. :) The maximum size of an IP packet is indeed 64k, but some
>implementations don't check that the fragments being reassembled actually
>add up to the correct length, so they just paste the fragments one after
>another, off the end of the buffer, onto the floor. Or rather, onto other
>pieces of memory resulting in corruption.

This is the "Ping of Death." The problem is that many developers, wanting their network code to be fast, aren't doing bounds checking on network buffers. Of course, ANYTHING you receive off the Net should be treated as highly suspicious. The code should be TOTALLY paranoid.

--Brett Glass
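The bounds check this thread says is missing, as an added example that is not part of the original message and is not FreeBSD's reassembly code. The struct, the function name `reasm_add` and the sample fragment are hypothetical; it only shows that a fragment's offset plus length must be validated against the 64k datagram limit before any copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_MAXPACKET 65535u  /* ceiling set by the 16-bit IP total-length field */

/* Hypothetical per-datagram reassembly state; names are illustrative. */
struct reasm {
    uint8_t  payload[IP_MAXPACKET];
    uint32_t hdr_len;    /* IP header length in bytes, 20..60 */
    uint32_t total_len;  /* payload length, 0 until the final fragment arrives */
};

/* Returns 0 if the fragment was copied, -1 if it was rejected.
 * off_units is the 13-bit fragment-offset field (8-byte units),
 * more is the MF (more fragments) flag. */
int reasm_add(struct reasm *r, uint16_t off_units,
              const uint8_t *data, size_t len, int more)
{
    uint32_t off = (uint32_t)(off_units & 0x1FFFu) * 8u;  /* at most 65528 */
    uint32_t limit;

    if (r->hdr_len < 20 || r->hdr_len > 60)
        return -1;
    limit = IP_MAXPACKET - r->hdr_len;

    /* Bound len first so off + len cannot wrap, then require the
     * fragment to end inside a legal datagram. */
    if (len > limit || off + (uint32_t)len > limit)
        return -1;
    if (more && len % 8 != 0)       /* only the last fragment may be unaligned */
        return -1;
    if (r->total_len != 0 && off + (uint32_t)len > r->total_len)
        return -1;                  /* data past the already-announced end */

    memcpy(r->payload + off, data, len);
    if (!more)
        r->total_len = off + (uint32_t)len;
    return 0;
}

int main(void)
{
    static struct reasm r = { .hdr_len = 20 };
    static const uint8_t frag[1480];  /* constructed sample payload, all zeros */

    /* Offset 8189 * 8 = 65512; 1480 more bytes would end at 66992. */
    return reasm_add(&r, 8189, frag, 1480, 0) == -1 ? 0 : 1;
}
```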