[5630] in bugtraq


Re: The overlapping fragment bug

daemon@ATHENA.MIT.EDU (G P R)
Sat Nov 15 23:29:28 1997

Date: 	Sat, 15 Nov 1997 19:25:50 -0800
Reply-To: route@RESENTMENT.INFONEXUS.COM
From: G P R <route@RESENTMENT.INFONEXUS.COM>
X-To:         philou@LILI.URBANET.CH
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19971114213442.04080@lili> from "Philippe Strauss" at Nov 14,
              97 09:34:42 pm

[Philippe Strauss]

| What about the (over?) simple fix found in Linus's pre-patch-2.0.32-4.gz, maybe
| on funet? (ftp.kernel.org is down, coincidence :-/
|

    The only problem with that one line fix (as compared to the patch I
    released with the initial posting) is the fact that it catches the bug
    after the offending fragment has been stored in the reassembly queue.
    It discovers the problem when it attempts to reassemble the original
    IP datagram.

    My patch catches the fragment before it is ever added to the queue, and
    invalidates the entire fragment list, freeing the entire list at that
    point.

    One good point Alan Cox brought up is the fact that the printk() could
    consume a serious amount of system resources if the attacker decided to
    send a storm of such packets (and your linux machine is on a fast link).
    Either remove it, or use Solar Designer's security_alert() macro (or
    something similar) to limit the frequency at which identical error messages
    will be dumped.  This macro can be found in his stack execution and symlink
    patch kit.

--
[ guild | phrack | r00t ]
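The two points made in the reply, validating a fragment before it ever enters the reassembly queue and rate-limiting the alert, as an added C example that is neither the kernel patch nor the one-line fix from the thread; the queue model, MAX_FRAGS, ALERT_BURST and the limiter are constructed assumptions for illustration.

```c
#include <stdbool.h>

/* Added example, not the kernel patch or the one-line fix discussed above: a
 * user-space model of checking a fragment before it enters the reassembly
 * queue. Offsets are byte positions in the datagram (IP frag offset * 8). */

#define MAX_FRAGS 16
#define ALERT_BURST 5            /* constructed limit: log lines per window */

struct frag { int off; int end; };          /* byte range [off, end) */
struct queue { struct frag f[MAX_FRAGS]; int n; int dropped; };

/* Bytes left in the new fragment after clipping it against queued fragments
 * that cover its start. Negative when it ends inside an existing fragment,
 * the case that turned into a negative copy length in the kernel. */
int trimmed_len(const struct queue *q, int off, int end)
{
    int start = off;
    for (int i = 0; i < q->n; i++)
        if (q->f[i].off <= start && q->f[i].end > start)
            start = q->f[i].end;
    return end - start;
}

/* Validate first; on a bad fragment drop it and free the whole list, so the
 * reassembly step never sees the poisoned entry. */
bool enqueue_fragment(struct queue *q, int off, int end)
{
    if (end <= off || q->n >= MAX_FRAGS || trimmed_len(q, off, end) <= 0) {
        q->n = 0;                            /* invalidate the entire list */
        q->dropped++;
        return false;
    }
    q->f[q->n].off = off;
    q->f[q->n].end = end;
    q->n++;
    return true;
}

/* Rate limit for the log message, in the spirit of a security_alert()-style
 * macro: at most ALERT_BURST messages per one-second window; 'now' is the
 * current time in whole seconds supplied by the caller. */
struct limiter { long window; int count; };

bool alert_allowed(struct limiter *l, long now)
{
    if (now != l->window) { l->window = now; l->count = 0; }
    return ++l->count <= ALERT_BURST;
}
```

A caller would invoke alert_allowed() only on the drop path, so a flood of bad fragments costs a counter increment rather than a printk() per packet.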
