[347] in RedHat Linux List


[linux-alert] URGENT: Bug in linux networking stack (fwd)

daemon@ATHENA.MIT.EDU (Robert Hart)
Tue Oct 22 06:52:59 1996

Date: Tue, 22 Oct 1996 20:52:56 +1000 (EST)
From: Robert Hart <hartr@interweft.com.au>
Reply-To: Robert Hart <iweft@ipax.com.au>
To: Red Hat <redhat-list@redhat.com>
Resent-From: redhat-list@redhat.com

People should I think look at this...just arrived here and I am going 
out to investigate now.


Robert Hart                                  iweft@ipax.com.au
Voice: +61 (0)3 9735 3586
InterWeft, 35 Summit Road, Lilydale, Victoria 3140, Australia
        IT, data and voice networking Consultancy
        Strategic IT business planning
        Internet planning, implementation, security and configuration

---------- Forwarded message ----------
Date: Mon, 21 Oct 1996 10:25:45 +0100
From: Alan Cox <alan@cymru.net>
To: linux-announce@stc06.ctd.ornl.gov
Cc: cert@cert.org, juphoff@tarsier.cv.nrao.edu
Subject: [linux-alert] URGENT: Bug in linux networking stack

There is a nasty bug whereby AIX, Digital Unix, Linux and possibly some
other systems can be brought down remotely by a suitably constructed
oversize packet. Unfortunately a bug in another well known PC operating
system means it's easy to generate such packets.

** This bug is being actively exploited on the internet against all the
** mentioned systems. This fix should be considered essential as should
** other equivalent vendor fixes

The following Linux fix drops such faulty frames and will also be included
in 2.0.24

Alan Cox 

[Patch also available from http://www.uk.linux.org/patches/]

--- ip_fragment.c.old   Mon Sep 16 22:14:52 1996
+++ ip_fragment.c       Sat Oct 19 01:04:47 1996
@@ -366,7 +366,7 @@
                {
                        NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
                        ip_free(qp);
-                       frag_kfree_skb(skb,FREE_WRITE);
+                       kfree_skb(skb,FREE_WRITE);
                        ip_statistics.IpReasmFails++;
                        return NULL;
                }
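Review bot: the switch from frag_kfree_skb to kfree_skb on the "Fragment over size" path is not explained in the message or in a comment, and it leaves the two rejection paths in this patch inconsistent: this one now uses kfree_skb(skb,FREE_WRITE) while the new oversize check uses frag_kfree_skb(skb, FREE_READ). Please add a one-line comment saying why this path must use the plain kfree_skb, and confirm which FREE_ flag is intended here.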
@@ -466,6 +466,18 @@
                        return NULL;
                }
        }
+
+       /*
+        *      Attempt to construct an oversize packet.
+        */
+
+       if(ntohs(iph->tot_len)+(int)offset>65535)
+       {
+               skb->sk = NULL;
+               frag_kfree_skb(skb, FREE_READ);
+               ip_statistics.IpReasmFails++;
+               return NULL;
+       }

        /*
         *      Determine the position of this fragment.
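Review bot: the new early return in the oversize check leaves qp untouched, whereas the existing "Fragment over size" branch at -366 calls ip_free(qp) before returning; please confirm the queue entry is reclaimed some other way, or free it here. The branch also drops the frame silently: a NETDEBUG(printk(...)) like the one in the other branch would make these drops visible beyond the IpReasmFails counter, and a short comment stating that offset is already in bytes at this point would make the comparison against 65535 checkable from the code alone.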


--
  PLEASE read the Red Hat FAQ, Tips, HOWTO and the MAILING LIST ARCHIVES!
  ________________________________________________________________________
  http://www.redhat.com/RedHat-FAQ   http://www.redhat.com/RedHat-HOWTO 
  http://www.redhat.com/RedHat-Tips  http://www.redhat.com/mailing-lists
  ------------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe redhat-list-request@redhat.com < /dev/null
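
A user-space version of the bounds check the patch adds, as an added example that is not part of the original message or the kernel source: it applies the same `tot_len + offset > 65535` test to a raw IPv4 header, for use when validating captured traffic. The function names, the enum and the constructed sample headers are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IP_MAX_DATAGRAM 65535u  /* limit the patch enforces */
#define IP_OFFSET_MASK  0x1FFFu /* low 13 bits of the flags/offset word */

enum frag_verdict { FRAG_OK, FRAG_MALFORMED, FRAG_OVERSIZE };

/* Read a 16-bit network-order field. */
static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Apply the patch's rule to one IPv4 header: tot_len + byte offset <= 65535. */
enum frag_verdict check_fragment(const uint8_t *hdr, size_t len)
{
    if (len < 20 || (hdr[0] >> 4) != 4)
        return FRAG_MALFORMED;
    unsigned ihl = (hdr[0] & 0x0Fu) * 4u;
    unsigned tot_len = be16(hdr + 2);
    if (ihl < 20 || ihl > len || tot_len < ihl)
        return FRAG_MALFORMED;
    /* The wire field counts 8-byte units; convert to bytes before comparing. */
    unsigned offset = (be16(hdr + 6) & IP_OFFSET_MASK) * 8u;
    return (tot_len + offset > IP_MAX_DATAGRAM) ? FRAG_OVERSIZE : FRAG_OK;
}

/* Constructed sample input: a minimal 20-byte header with only the fields
 * the check reads filled in (hypothetical helper, for the demo and tests). */
void make_hdr(uint8_t out[20], unsigned tot_len, unsigned off_units, int more_frags)
{
    unsigned word = (off_units & IP_OFFSET_MASK) | (more_frags ? 0x2000u : 0u);
    memset(out, 0, 20);
    out[0] = 0x45;                      /* version 4, IHL 5 (20 bytes) */
    out[2] = (uint8_t)(tot_len >> 8);  out[3] = (uint8_t)tot_len;
    out[6] = (uint8_t)(word >> 8);     out[7] = (uint8_t)word;
}

int main(void)
{
    uint8_t h[20];
    make_hdr(h, 1500, 185, 1);   /* 1500 + 1480 = 2980: accepted */
    printf("mid fragment:  %d\n", check_fragment(h, sizeof h));
    make_hdr(h, 1536, 8000, 0);  /* 1536 + 64000 = 65536: dropped */
    printf("past 65535:    %d\n", check_fragment(h, sizeof h));
    return 0;
}
```

Like the patch, the comparison uses the full total length, header included, so it is slightly stricter than a check on the reassembled payload end alone.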

