Bugtraq mailing list archives

Re: The overlapping fragment bug


From: route () RESENTMENT INFONEXUS COM (G P R)
Date: Sat, 15 Nov 1997 19:25:50 -0800


[Philippe Strauss]

| What about the (over?) simple fix found in Linus's pre-patch-2.0.32-4.gz.maybe
| on funet? (ftp.kernel.org is down, coincidence :-/ )
|

    The only problem with that one line fix (as compared to the patch I
    released with the initial posting) is the fact that it catches the bug
    after the offending fragment has been stored in the reassembly queue.
    It discovers the problem when it attempts to reassemble the original
    IP datagram.

    My patch catches the fragment before it is ever added to the queue, and
    invalidates the entire fragment list, freeing the entire list at that
    point.

    One good point Alan Cox brought up is the fact that the printk() could
    consume a serious amount of system resources if the attacker decided to
    send a storm of such packets (and your Linux machine is on a fast link).
    Either remove it, or use Solar Designer's security_alert() macro (or
    something similar) to limit the frequency identical error messages will
    be dumped.  This macro can be found in his stack execution and symlink
    patch kit.

--
[ guild | phrack | r00t ]
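The distinction drawn above (checking a fragment before it enters the reassembly queue, and throwing away the whole list when one is rejected) as an added illustration; this is not code from either kernel patch or from the poster, and the struct and function names are assumptions. It trims the new fragment against its sorted neighbours and rejects it when the trim leaves no bytes, which is the case where an unchecked trim would compute a negative length.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical reassembly-queue entry; not Linux's own struct. Byte ranges
 * are half-open: a fragment covers payload bytes [offset, end). */
struct frag { uint32_t offset, end; struct frag *next; };
struct frag_list { struct frag *head; int invalid; };

/* Drop every queued fragment and mark the list unusable, so a poisoned
 * datagram is never reassembled from the pieces that were already accepted. */
static int frag_list_invalidate(struct frag_list *q) {
    for (struct frag *f = q->head, *n; f; f = n) { n = f->next; free(f); }
    q->head = NULL;
    q->invalid = 1;
    return 0;
}

int frag_list_count(const struct frag_list *q) {
    int n = 0;
    for (const struct frag *f = q->head; f; f = f->next) n++;
    return n;
}

/* Validate a fragment before it touches the queue. Returns 1 if it was
 * queued, 0 if it was rejected and the whole list freed. */
int frag_queue_insert(struct frag_list *q, uint32_t offset, uint32_t len) {
    uint32_t end = offset + len;
    if (q->invalid || len == 0 || end < offset)   /* empty or wrapped range */
        return frag_list_invalidate(q);
    /* The list is kept sorted by offset and free of overlaps, so only the
     * predecessor and successor can overlap the new fragment. */
    struct frag **link = &q->head, *prev = NULL;
    while (*link && (*link)->offset <= offset) { prev = *link; link = &(*link)->next; }
    if (prev && prev->end > offset)
        offset = prev->end;                       /* head already covered */
    if (*link && end > (*link)->offset)
        end = (*link)->offset;                    /* tail already covered */
    /* A fragment lying entirely inside what is queued leaves nothing after
     * trimming; unchecked code would carry a negative length from here. */
    if (offset >= end)
        return frag_list_invalidate(q);
    struct frag *nf = malloc(sizeof *nf);
    if (!nf) return frag_list_invalidate(q);
    nf->offset = offset; nf->end = end; nf->next = *link;
    *link = nf;
    return 1;
}
```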
