[13970] in bugtraq
Re: unused bit attack alert
daemon@ATHENA.MIT.EDU (Vern Paxson)
Tue Feb 22 22:05:57 2000
Message-Id: <200002212236.OAA01744@daffy.ee.lbl.gov>
Date: Mon, 21 Feb 2000 14:36:17 PST
Reply-To: Vern Paxson <vern@EE.LBL.GOV>
From: Vern Paxson <vern@EE.LBL.GOV>
X-To: LigerTeam <ligerteam@hotmail.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of Mon, 21 Feb 2000 07:43:54 PST.
> LigerTeam strongly proposes inserting the
> solution code before computing the flag
> variable.
>
> flag = flags & 0x3f;
The more robust fix is to systematically test for TCP flags by masking
to the value being tested. For example:
#define TEST_FLAGS(flags, mask) (((flags) & (mask)) == (mask))
Otherwise you are still vulnerable to attackers setting legitimate flags
in bogus combinations, such as adding URG to a SYN.
Vern
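As an added illustration of the point above (not code from the original post or from any project it discusses), a small C program that runs three constructed flag bytes through an exact comparison, the 0x3f mask from the quoted proposal, and Vern's TEST_FLAGS macro; the flag constants and helper names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits as laid out in the 8-bit flags field: the RFC 793 flags
 * plus the two high bits that were still "unused" when this thread was
 * written.  Constants are assumptions of this example, not from the post. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_RES  0xC0   /* bits older code treated as unused */

/* Vern's suggestion: a flag set matches when every bit of the mask is set,
 * no matter what other bits the sender chose to set. */
#define TEST_FLAGS(flags, mask) (((flags) & (mask)) == (mask))

/* Naive check: exact equality.  Any extra bit, reserved or legitimate,
 * prevents a match. */
int match_exact(uint8_t flags, uint8_t want) { return flags == want; }

/* The quoted proposal: strip the two unused bits, then compare exactly.
 * Survives reserved bits but not an added legitimate flag such as URG. */
int match_masked_unused(uint8_t flags, uint8_t want) { return (flags & 0x3f) == want; }

/* Robust check: mask to the bits actually under test. */
int match_test_flags(uint8_t flags, uint8_t want) { return TEST_FLAGS(flags, want); }

/* Constructed probe set: a plain SYN, a SYN with the reserved bits set, and
 * a SYN with URG added.  Returns how many of the three the matcher still
 * recognises as a SYN; a detector built on the matcher misses the rest. */
int count_syn_matches(int (*match)(uint8_t, uint8_t)) {
    const uint8_t probes[] = { TH_SYN, TH_SYN | TH_RES, TH_SYN | TH_URG };
    int hits = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        hits += match(probes[i], TH_SYN) ? 1 : 0;
    return hits;
}

int main(void) {
    printf("exact: %d/3, masked-unused: %d/3, TEST_FLAGS: %d/3\n",
           count_syn_matches(match_exact),
           count_syn_matches(match_masked_unused),
           count_syn_matches(match_test_flags));
    return 0;
}
```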