[12953] in bugtraq


Re: Big problem on 2.0.x?

daemon@ATHENA.MIT.EDU (Jason Mills)
Tue Dec 14 11:51:59 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.9912131539410.6290-100000@inetarena.com>
Date:         Mon, 13 Dec 1999 15:44:22 -0800
Reply-To: Jason Mills <jason@INETARENA.COM>
From: Jason Mills <jason@INETARENA.COM>
X-To:         Stephen White <swhite@OX.COMPSOC.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19991211172233.A26311@marvin.foo>

Here's a simple patch for the -s stuff, just using the same method as with
-l :)

--- netkit-base-0.10/ping/ping.c.orig   Mon Dec 13 15:33:56 1999
+++ netkit-base-0.10/ping/ping.c        Mon Dec 13 15:34:15 1999
@@ -302,6 +302,11 @@
                        options |= F_SO_DONTROUTE;
                        break;
                case 's':               /* size of packet to send */
+                       if (!am_i_root) {
+                               (void)fprintf(stderr,
+                                   "ping: %s\n", strerror(EPERM));
+                               exit(2);
+                       }
                        datalen = atoi(optarg);
                        if (datalen > MAXPACKET) {
                                (void)fprintf(stderr,
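
Review bot: In the case 's' branch the am_i_root test sits before "datalen = atoi(optarg);", so an unprivileged user is refused every -s value, including small sizes, and the error printed is only "ping: " plus strerror(EPERM) with no mention of which option was rejected. Consider parsing the size first and refusing non-root callers only above a conservative limit, and name the option in the message (for example "ping: -s: %s\n"). Separately, atoi() reports no error on non-numeric input and the visible check only tests "datalen > MAXPACKET", so a negative value is not caught by the lines shown here; strtol() with an explicit lower and upper bound would be safer.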

-------------------------------------

On Sat, 11 Dec 1999, Stephen White wrote:

> Mike Ireton wrote:
> > > I found that when you do a ping -s 65468 -R  ANYIPADDRESS (-R record
> > > route) the system starts to print kernel dumps on the screen,
> > > freezes completely and after a few seconds the system reboots.
>
> This can be 'fixed' (okay kludged around) by altering the
>
> #define      MAXPACKET       (65536 - 60 - 8)/* max packet size */
>
> line in ping.c
>
> I've reduced it to 32K (32768) on my Linux 2.0.36 box, since that should
> avoid all possible problems (err on the side of caution and all that). I
> don't see users having any reason to need such large ping packets anyway
> (other than for the purpose of local or remote exploits).
>
> For those using RedHat 5.2 I've made an SRPM and .i386 RPM containing my
> new ping and they are available via anon. ftp at
>
> ftp://ox.compsoc.net/users/swhite/ping/
>
> You'll need to install with --force since the package reports the same
> version as the normal redhat5.2 one so RPM thinks it's already
> installed.
>
> It has also been suggested that ping could be patched to make '-s' only
> available to root (like '-l' is), as an alternative solution.  I haven't
> tried this but it should be a fairly simple modification.
>
> Neither of these address the real problem in the kernel, but they do
> mean that sysadmins can go on allowing users to run ping without the
> worry of quite such a trivial DoS.
>
> The same problem does not appear to occur in Linux 2.2, Windows 95 or
> Solaris 2.7.
>
> --
> Stephen White                   OU Compsoc System Administration Team
> <swhite@ox.compsoc.net>            http://www.ox.compsoc.net/~swhite/
>
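
The two workarounds discussed in this thread (a lower size limit, and restricting -s by privilege) can be combined so that unprivileged users keep small -s values. The following is an added example, not code from netkit-base or from either poster; parse_datalen, USER_MAXDATA and the is_root parameter are hypothetical names, and applying the 32K figure only to non-root callers is an assumption.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAXPACKET    (65536 - 60 - 8) /* value quoted in the thread */
#define USER_MAXDATA 32768            /* 32K cap from the thread; non-root only (assumption) */

/*
 * Hypothetical helper: validate a "-s" argument before it reaches datalen.
 * Returns the size (>= 0) on success, or a negative errno value:
 *   -EINVAL  not a plain non-negative decimal number
 *   -ERANGE  larger than MAXPACKET (applies to root as well)
 *   -EPERM   larger than USER_MAXDATA and the caller is not root
 */
int parse_datalen(const char *arg, int is_root)
{
    char *end;
    long v;

    if (arg == NULL || *arg == '\0')
        return -EINVAL;
    errno = 0;
    v = strtol(arg, &end, 10);
    if (*end != '\0' || v < 0)          /* trailing junk or negative size */
        return -EINVAL;
    if (errno == ERANGE || v > MAXPACKET)
        return -ERANGE;
    if (!is_root && v > USER_MAXDATA)   /* large payloads stay root-only */
        return -EPERM;
    return (int)v;
}

int main(int argc, char **argv)
{
    /* 56 is used here as a sample default when no argument is given */
    int n = parse_datalen(argc > 1 ? argv[1] : "56", getuid() == 0);

    if (n < 0) {
        /* name the option so the user can tell what was refused */
        fprintf(stderr, "ping: -s: %s\n", strerror(-n));
        return 2;
    }
    printf("datalen = %d\n", n);
    return 0;
}
```

As the quoted message says of both workarounds, this only limits what the local ping binary will send and does not address the kernel problem itself.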
