Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Linux 2.0.33 vulnerability: oversized packets

From: jlewis () inorganic5 fdt net (Jon Lewis)
Date: Tue, 21 Apr 1998 01:34:52 -0400

On Fri, 17 Apr 1998, Michal Zalewski wrote:


I'm not sure if it's known, but I haven't found anything about it.
No matter, there's something strange in net/ipv4/ip_fragment.h (it's
probably Alan's fault):

if(len>65535)
{
        printk("Oversized IP packet from %s.\n", in_ntoa(qp->iph->saddr));


Actually, I think I have to take credit for that.  I don't remember if the
original (Alan's) patch printk'd at all (I don't think it did)...but I
know I was the one who wanted to see claimed source addresses.  Belive it
or not, I caught one of our own users trying to crash our mail server
about an hour after adding the fix with the printk.  Can you say luserdel?

Rather than use NETDEBUG to totally disable the printk, I think it might
be more useful to put in some code to limit frequency of reporting...sort
of like Solar Designer's secure-linux patch's security_alert() function
does.

------------------------------------------------------------------
 Jon Lewis <jlewis () fdt net>  |
 Network Administrator       |
 Florida Digital Turnpike    |
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
Previous By Date Next
Previous By Thread Next

Current thread: