[ale] [linux-alert] URGENT: Bug in linux networking stack (fwd)
Rob Orr
rjo at cc.gatech.edu
Mon Oct 21 19:54:46 EDT 1996
Sorry if people have seen this before but I thought it was
important that it be seen.
-Robert J. Orr (rjo at cc.gatech.edu)
---------- Forwarded message ----------
Date: Mon, 21 Oct 1996 10:25:45 +0100
From: Alan Cox <alan at cymru.net>
To: linux-announce at stc06.ctd.ornl.gov
Cc: cert at cert.org, juphoff at tarsier.cv.nrao.edu
Subject: [linux-alert] URGENT: Bug in linux networking stack
There is a nasty bug whereby AIX, Digital Unix, Linux and possibly some
other systems can be brought down remotely by a suitably constructed
oversize packet. Unfortunately a bug in another well known PC operating
system means its easy to generate such packets.
** This bug is being actively exploited on the internet against all the
** mentioned systems. This fix should be considered essential as should
** other equivalent vendor fixes
The following Linux fix drops such faulty frames and will also be included
in 2.0.24
Alan Cox
[Patch also available from http://www.uk.linux.org/patches/]
--- ip_fragment.c.old Mon Sep 16 22:14:52 1996
+++ ip_fragment.c Sat Oct 19 01:04:47 1996
@@ -366,7 +366,7 @@
{
NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
ip_free(qp);
- frag_kfree_skb(skb,FREE_WRITE);
+ kfree_skb(skb,FREE_WRITE);
ip_statistics.IpReasmFails++;
return NULL;
}
@@ -466,6 +466,18 @@
return NULL;
}
}
+
+ /*
+ * Attempt to construct an oversize packet.
+ */
+
+ if(ntohs(iph->tot_len)+(int)offset>65535)
+ {
+ skb->sk = NULL;
+ frag_kfree_skb(skb, FREE_READ);
+ ip_statistics.IpReasmFails++;
+ return NULL;
+ }
/*
* Determine the position of this fragment.
More information about the Ale
mailing list