[12947] in bugtraq
Re: Big problem on 2.0.x?
daemon@ATHENA.MIT.EDU (Stephen White)
Mon Dec 13 17:12:26 1999
Message-Id: <19991211172233.A26311@marvin.foo>
Date: Sat, 11 Dec 1999 17:22:34 +0000
Reply-To: Stephen White <swhite@OX.COMPSOC.NET>
From: Stephen White <swhite@OX.COMPSOC.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Mike Ireton wrote:
> > i found that when u do a ping -s 65468 -R ANYIPADDRESS ( -R record
> > route) the system starts to print on the screen kernel dumps,
> > freezes completely and after a few seconds the system reboots.
This can be 'fixed' (okay, kludged around) by altering the
#define MAXPACKET (65536 - 60 - 8)/* max packet size */
line in ping.c
I've reduced it to 32K (32768) on my Linux 2.0.36 box, since that should
avoid all possible problems (err on the side of caution and all that). I
don't see users having any reason to need such large ping packets anyway
(other than for the purpose of local or remote exploits).
For those using RedHat 5.2 I've made an SRPM and .i386 RPM containing my
new ping and they are available via anon. ftp at
ftp://ox.compsoc.net/users/swhite/ping/
You'll need to install with --force since the package reports the same
version as the normal RedHat 5.2 one so RPM thinks it's already
installed.
It has also been suggested that ping could be patched to make '-s' only
available to root (like '-l' is), as an alternative solution. I haven't
tried this but it should be a fairly simple modification.
Neither of these addresses the real problem in the kernel, but they do
mean that sysadmins can go on allowing users to run ping without the
worry of quite such a trivial DoS.
The same problem does not appear to occur in Linux 2.2, Windows 95 or
Solaris 2.7.
--
Stephen White OU Compsoc System Administration Team
<swhite@ox.compsoc.net> http://www.ox.compsoc.net/~swhite/
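An added example, not code from this mail or from the ping source: a C validator for the '-s' argument that combines the two mitigations the mail describes, a lower byte cap (the 32768 figure) and a root-only policy modelled on the existing '-l' check. check_datalen, SAFE_MAXPACKET and the ERR_* codes are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define MAXPACKET (65536 - 60 - 8)  /* stock ping.c cap for the -s payload */
#define SAFE_MAXPACKET 32768        /* the reduced cap described in the mail */

/* Negative return codes from check_datalen (hypothetical names). */
enum { ERR_BAD_NUMBER = -1, ERR_TOO_LARGE = -2, ERR_NEEDS_ROOT = -3 };

/* check_datalen (hypothetical helper): validate the string given to -s.
 * Returns the accepted payload length, or a negative ERR_* code.
 * cap       - largest payload allowed (MAXPACKET or SAFE_MAXPACKET)
 * root_only - if non-zero, -s is refused for uid != 0, like -l in ping.c */
long check_datalen(const char *arg, uid_t uid, long cap, int root_only)
{
    char *end;
    long val;

    if (root_only && uid != 0)
        return ERR_NEEDS_ROOT;

    /* Reject empty strings, trailing junk, overflow and negative values. */
    errno = 0;
    val = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0' || val < 0)
        return ERR_BAD_NUMBER;

    if (val > cap)
        return ERR_TOO_LARGE;
    return val;
}

int main(int argc, char **argv)
{
    /* Stand-alone use: validate argv[1] under the reduced cap for the real uid. */
    long n = check_datalen(argc > 1 ? argv[1] : "56", getuid(), SAFE_MAXPACKET, 0);
    if (n < 0) {
        fprintf(stderr, "ping: invalid -s value (code %ld)\n", n);
        return 1;
    }
    printf("payload length %ld accepted\n", n);
    return 0;
}
```

The first assertion in the test shows that under the stock cap the crashing size from the report is accepted; the reduced cap or the root-only policy refuses it.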