[6557] in bugtraq
Re: Linux 2.0.33 vulnerability: oversized packets
daemon@ATHENA.MIT.EDU (Jon Lewis)
Tue Apr 21 15:48:30 1998
Date: Tue, 21 Apr 1998 01:34:52 -0400
Reply-To: Jon Lewis <jlewis@inorganic5.fdt.net>
From: Jon Lewis <jlewis@INORGANIC5.FDT.NET>
X-To: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.980417171203.211A-200000@genome>
On Fri, 17 Apr 1998, Michal Zalewski wrote:
> I'm not sure if it's known, but I haven't found anything about it.
> No matter, there's something strange in net/ipv4/ip_fragment.h (it's
> probably Alan's fault):
>
> if(len>65535)
> {
> printk("Oversized IP packet from %s.\n", in_ntoa(qp->iph->saddr));

Actually, I think I have to take credit for that. I don't remember if the
original (Alan's) patch printk'd at all (I don't think it did)...but I
know I was the one who wanted to see claimed source addresses. Believe it
or not, I caught one of our own users trying to crash our mail server
about an hour after adding the fix with the printk. Can you say luserdel?

Rather than use NETDEBUG to totally disable the printk, I think it might
be more useful to put in some code to limit frequency of reporting...sort
of like Solar Designer's secure-linux patch's security_alert() function
does.

------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> |
Network Administrator |
Florida Digital Turnpike |
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
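
The frequency limiting suggested in the message above, as an added example (not code from the original post, the kernel, or the secure-linux patch): a userspace C model of a windowed limiter that keeps the first few "Oversized IP packet" reports, suppresses the rest, and reports the suppressed count when the next window opens. The names `alert_limiter`, `alert_allow`, `report_oversized` and the 5-per-60-seconds limits are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <time.h>

/* Hypothetical limits, chosen for illustration. */
#define ALERT_BURST  5   /* messages allowed per window */
#define ALERT_WINDOW 60  /* window length in seconds */

struct alert_limiter {
    time_t window_start;   /* start of the current window */
    unsigned int emitted;  /* messages logged in this window */
    unsigned int dropped;  /* messages suppressed in this window */
};

/* Returns 1 if the caller may log now, 0 if the message is suppressed.
 * When a new window opens, *missed receives the number of messages
 * suppressed in the previous window so the caller can report it. */
int alert_allow(struct alert_limiter *l, time_t now, unsigned int *missed)
{
    *missed = 0;
    if (now - l->window_start >= ALERT_WINDOW) {
        *missed = l->dropped;
        l->window_start = now;
        l->emitted = l->dropped = 0;
    }
    if (l->emitted < ALERT_BURST) {
        l->emitted++;
        return 1;
    }
    l->dropped++;
    return 0;
}

/* Stand-in for the len > 65535 branch: log the claimed source, rate limited. */
int report_oversized(struct alert_limiter *l, time_t now, const char *saddr)
{
    unsigned int missed;
    if (!alert_allow(l, now, &missed))
        return 0;
    if (missed)
        printf("(%u similar messages suppressed)\n", missed);
    printf("Oversized IP packet from %s.\n", saddr);
    return 1;
}

int main(void)
{
    struct alert_limiter lim = {0};
    for (int i = 0; i < 1000; i++)  /* constructed flood from a documentation address */
        report_oversized(&lim, time(NULL), "192.0.2.10");
    return 0;
}
```

The claimed source address stays visible in the first reports of each window, while a flood of oversized fragments can no longer fill the log.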