[6527] in bugtraq
Linux 2.0.33 vulnerability: fragment patterns
daemon@ATHENA.MIT.EDU (Alan Cox)
Thu Apr 16 13:19:43 1998
Date: Thu, 16 Apr 1998 15:09:56 +0100
Reply-To: Alan Cox <alan@CYMRU.NET>
From: Alan Cox <alan@CYMRU.NET>
To: BUGTRAQ@NETSPACE.ORG
Ok duplicated. There's an 'off by one IP header' bug.
--- ip_fragment.c.old Thu Apr 16 12:25:34 1998
+++ ip_fragment.c Thu Apr 16 12:29:02 1998
@@ -375,7 +375,7 @@
fp = qp->fragments;
while(fp != NULL)
{
- if (fp->len < 0 || count+fp->len > skb->len)
+ if (fp->len < 0 || fp->offset+qp->ihlen+fp->len > skb->len)
{
NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
ip_free(qp);
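Review bot: the replaced condition `- if (fp->len < 0 || count+fp->len > skb->len)` bounded each fragment by a running `count` that did not include the IP header length, so the last fragment could pass the check while still extending `qp->ihlen` bytes past the reassembly buffer; the new `fp->offset+qp->ihlen+fp->len > skb->len` bounds each fragment by its absolute end position in the buffer, header included, which is the correct limit. Since `count` no longer feeds this check, confirm it is still needed later in the `while(fp != NULL)` loop or drop it, so an unused accumulator does not invite a future regression to the old bound. A one-line comment above the loop stating that `skb->len` is the allocated reassembly length including `ihlen` would document why the `qp->ihlen` term is required.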