[7207] in bugtraq


DoS: ANS Interlock Firewall

daemon@ATHENA.MIT.EDU (Chris A. Henesy)
Thu Jul 9 17:35:56 1998

Date: 	Thu, 9 Jul 1998 15:51:14 -0400
Reply-To: "Chris A. Henesy" <lurker@CC.GATECH.EDU>
From: "Chris A. Henesy" <lurker@CC.GATECH.EDU>
To: BUGTRAQ@NETSPACE.ORG

        This may be repeated information but a quick search of the
archives didn't turn anything up, so here goes...

        There is a problem in the TCP/IP stack of ANS's Interlock Internet
Firewall product.  Sending the correct series of packet fragments will
cause the machine to reboot.  Below is part of a problem description
provided by ANS.  A patch is available.

>The 1st fragment contains all (or most) of the packet's payload and it
>incorrectly indicates that no other fragments are coming (the IP
>more fragment field is not set).  The next fragment is sent with a
>zero length and uses the same packet identifier (indicating it's
>another part of the earlier packet).  This packet also does not
>indicate that more fragments are coming.  The result is a zero length
>fragment arrives at the InterLock and gets processed by the Solaris
>fragment handling code.  Unfortunately, the Solaris fragment timeout
>handling code (which gets involved 60 seconds later) doesn't properly
>handle the zero length fragment and it panics the box during cleanup.

        -The Lurker
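
A detection-side check for the fragment pattern in the quoted ANS description, as an added example that is not part of the original post or of ANS's patch. The `sample` builder, the addresses and IDs, and the choice to also flag zero-length fragments with a non-zero offset are assumptions made for illustration.

```python
import struct
from socket import inet_ntoa

def parse_ipv4(raw: bytes):
    """Extract the fields needed for fragment checks from a raw IPv4 packet."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", raw[2:8])
    if ihl < 20 or total_len < ihl:
        raise ValueError("inconsistent header lengths")
    return {
        # Reassembly key: source, destination, protocol, identification
        "key": (inet_ntoa(raw[12:16]), inet_ntoa(raw[16:20]), raw[9], ident),
        "mf": bool(flags_off & 0x2000),          # "more fragments" bit
        "offset": (flags_off & 0x1FFF) * 8,      # fragment offset in bytes
        "payload_len": total_len - ihl,
    }

def find_suspicious(packets):
    """Yield (index, reason) for zero-length fragments in a packet sequence."""
    seen = {}  # key -> True once a piece with MF clear has been seen
    for i, raw in enumerate(packets):
        p = parse_ipv4(raw)
        is_frag = p["mf"] or p["offset"] > 0
        if p["payload_len"] == 0 and (is_frag or p["key"] in seen):
            why = "zero-length fragment"
            if seen.get(p["key"]):
                why += " after datagram already marked complete (MF clear)"
            yield i, why
        seen[p["key"]] = seen.get(p["key"], False) or not p["mf"]

def sample(ident, payload_len, mf=False, offset=0):
    """Build a constructed IPv4 packet (checksum left 0; not validated here)."""
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_off, 64, 17, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 2])) + b"\x00" * payload_len

# Constructed capture: documentation addresses, made-up IDs.
SAMPLES = [
    sample(100, 64),             # ordinary unfragmented datagram
    sample(200, 512),            # payload-bearing piece, MF clear
    sample(200, 0),              # zero length, same ID, MF clear
    sample(300, 0),              # bare header, unrelated ID: not flagged
    sample(400, 0, offset=512),  # zero length at a non-zero offset
]

if __name__ == "__main__":
    for idx, reason in find_suspicious(SAMPLES):
        print(idx, reason)
```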
