[7981] in bugtraq
Re: Incorrect Linux ARP behavior
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sat Sep 19 18:34:38 1998
Date: Fri, 18 Sep 1998 22:24:16 -0400
Reply-To: "Steven M. Bellovin" <smb@RESEARCH.ATT.COM>
From: "Steven M. Bellovin" <smb@RESEARCH.ATT.COM>
X-To: Seth McGann <smm@wpi.edu>
To: BUGTRAQ@NETSPACE.ORG
In message <199809190014.UAA29225@acestes-fe0.ultra.net>, Seth McGann writes:
>After further investigation it appears neped.c (the Linux sniffer detector
>by savage@apostols.org ) operates due to a problem in
>/linux/net/ipv4/arp.c. The function arp_rcv() controls when to send ARP
>responses. The criteria for sending these responses is flawed, in that it
>will respond to ARP requests regardless of the destination MAC address.
>Normally only frames with a station's MAC address are processed so this is
>not a problem. In promiscuous mode, all frames are processed, and without
>checking the destination MAC address there is no way to discern if the
>packet was really bound for listening station. To fix this problem all
>that needs to be done is add the following check (pseudo code):
>
>if(ether_header_destination != device_hardware_address) return;
Umm -- that would be a serious mistake... ARP queries are "generally"
sent to the MAC broadcast address, precisely because the sender doesn't
know the MAC address of the intended recipient.
