[5626] in bugtraq


Re: The overlapping fragment bug

daemon@ATHENA.MIT.EDU (Philippe Strauss)
Sat Nov 15 21:24:21 1997

Date: 	Fri, 14 Nov 1997 21:34:42 +0100
Reply-To: Philippe Strauss <philou@LILI.URBANET.CH>
From: Philippe Strauss <philou@LILI.URBANET.CH>
X-To:         Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <m0xWRoY-0005FtC@lightning.swansea.linux.org.uk>; from Alan Cox
              on Fri, Nov 14, 1997 at 07:54:00PM +0000

On Nov 14, Alan Cox wrote:

> Well after some testing it's quite effective against Linux [fix
> available and will be in 2.0.32 as standard], NT, 95, Win 3.11
> and also a couple of others it seems - DOS Novell TCP/IP and
> PCNFS 4.0 (reportedly). BSD derived stacks, various routers, Solaris
> MacOS and HP/UX all seem fine.

What about the (over?) simple fix found in Linus's pre-patch-2.0.32-4.gz, maybe
on funet? (ftp.kernel.org is down, coincidence :-/ )

diff -u --recursive --new-file v2.0.31/linux/net/ipv4/ip_fragment.c linux/net/ip
v4/ip_fragment.c
--- v2.0.31/linux/net/ipv4/ip_fragment.c        Tue Aug 12 11:30:25 1997
+++ linux/net/ipv4/ip_fragment.c        Thu Nov 13 05:58:30 1997
@@ -375,7 +375,7 @@
        fp = qp->fragments;
        while(fp != NULL)
        {
-               if(count+fp->len > skb->len)
+               if (fp->len < 0 || count+fp->len > skb->len)
                {
                        NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
                        ip_free(qp);
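Review bot: the new guard `fp->len < 0` sits in the glue loop, where fragments are copied, rather than at the point where a fragment's length is assigned during queueing, so a negative length produced by overlap trimming is only detected after the whole list has been built; it is still needed, because the existing test `count+fp->len > skb->len` can never fire on a negative `fp->len` (adding a negative value only makes the sum smaller). Two follow-ups on this hunk: the `NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"))` message is now also emitted for a negative length and should name that condition too, and `fp->len < 0` only does anything if `len` is a signed field, which deserves a comment or an explicit check rather than a silent assumption. Style: the added line spells `if (` with a space, while the removed line and the `while(fp != NULL)` context use `if(`/`while(`.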

Cheers.

> The actual exploit can also be slightly improved. Make it a tcp frame,
> make the destination port 80 and it goes through most firewalls like
> a bullet through cheese and seems to keep its effectiveness.
>
> You can screen the stuff behind a firewall if your firewall reassembles
> fragments (and is of course itself not vulnerable 8)).
>
> Any news on the microsoft fix expected date/times ?
>
> Alan

--
Philippe Strauss
home email/finger address: <philou@lili.urbanet.ch>
finger for PGP key

Never insult an alligator until you've crossed the river.
--
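As an added illustration, not code from this thread or from the kernel: a small userland C model of the two steps the quoted hunk touches, namely the overlap trimming that assigns each queued fragment its (signed) length, and the glue loop's size check. The trimming step is written after the general 2.0.x behaviour (the start of an overlapping fragment is moved forward to the previous fragment's end, the end is left alone); the structure names, the fixed buffer size and the two-fragment cases are constructed for the model and are not the kernel's own. `glue()` runs either the pre-patch check or the patched one, and reports instead of copying when a copy would overrun, so the effect of the guard can be observed safely.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Model of one queued fragment: offset/end within the reassembled datagram,
 * len = end - offset. len is signed on purpose: the guard in the patch only
 * means something if it can go negative. (Constructed model, not kernel code.) */
struct frag { int offset; int end; int len; };

#define MAX_FRAGS 8
struct queue { struct frag f[MAX_FRAGS]; int n; };

/* Enqueue a fragment covering [offset, end). Mirrors the trimming idea from
 * 2.0.x ip_defrag as modelled here: a start that lies inside the previous
 * fragment is moved forward to prev->end. The end is not adjusted, so a
 * fragment that also ends inside the previous one ends up with len < 0. */
int enqueue(struct queue *q, int offset, int end) {
    if (q->n >= MAX_FRAGS) return -1;
    if (q->n > 0) {
        const struct frag *prev = &q->f[q->n - 1];
        if (offset < prev->end)
            offset += prev->end - offset;      /* trim the overlapping head */
    }
    q->f[q->n].offset = offset;
    q->f[q->n].end = end;
    q->f[q->n].len = end - offset;             /* may be negative */
    q->n++;
    return 0;
}

/* Glue loop. strict = 0 reproduces the pre-patch size check only,
 * strict = 1 adds the patched "len < 0" test.
 * Returns bytes glued, -1 if the list is rejected by the check, or -2 if the
 * check let a copy through that would have overrun (never actually copies). */
int glue(const struct queue *q, unsigned char *buf, int buflen, int strict) {
    int count = 0;
    for (int k = 0; k < q->n; k++) {
        const struct frag *fp = &q->f[k];
        int bad = (count + fp->len > buflen);  /* pre-patch test */
        if (strict && fp->len < 0) bad = 1;    /* patched test */
        if (bad) return -1;
        /* memcpy takes size_t: a negative len would wrap to a huge size.
         * The model refuses instead of overrunning so it can report it. */
        if (fp->len < 0 || fp->offset + fp->len > buflen) return -2;
        memset(buf + fp->offset, 0xAA, (size_t)fp->len);
        count += fp->len;
    }
    return count;
}

/* Build a two-fragment list and glue it into a buffer sized to the larger
 * end offset. Exposed so each case can be checked by return value. */
int run_case(int a_off, int a_end, int b_off, int b_end, int strict) {
    struct queue q;
    unsigned char buf[64];
    int buflen = a_end > b_end ? a_end : b_end;
    memset(&q, 0, sizeof q);
    if (buflen > (int)sizeof buf) return -3;
    enqueue(&q, a_off, a_end);
    enqueue(&q, b_off, b_end);
    return glue(&q, buf, buflen, strict);
}

int main(void) {
    /* Constructed cases: second fragment entirely inside the first (bad),
     * adjacent fragments (good), partial overlap trimmed normally (good). */
    printf("bad list, pre-patch check : %d\n", run_case(0, 36, 24, 28, 0));
    printf("bad list, patched check   : %d\n", run_case(0, 36, 24, 28, 1));
    printf("adjacent, patched check   : %d\n", run_case(0, 24, 24, 36, 1));
    printf("partial overlap, patched  : %d\n", run_case(0, 24, 16, 36, 1));
    return 0;
}
```

The first case is the shape the thread is about: the second fragment starts inside the first and ends before it, so trimming leaves it with a negative length; the pre-patch check passes it (`-2`, the copy would have overrun) while the patched check rejects the list (`-1`). The other two cases show that ordinary adjacency and a normal partial overlap still reassemble to the full 36 bytes under the patched check.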
