Bugtraq mailing list archives

Re: The overlapping fragment bug

From: philou () LILI URBANET CH (Philippe Strauss)
Date: Fri, 14 Nov 1997 21:34:42 +0100


On Nov 14, Alan Cox wrote:

Well after some testing its quite effective against Linux [fix
available and will be in 2.0.32 as standard], NT, 95, Win 3.11
and also a couple of others it seems - DOS Novell TCP/IP and
PCNFS 4.0 (reportedly). BSD derived stacks, various routers, Solaris
MacOS and HP/UX all seem fine.


Waht about the (over?) simple fix found in Linus's pre-patch-2.0.32-4.gz.maybe
on funet? (ftp.kernel.org is down, coincidence :-/

diff -u --recursive --new-file v2.0.31/linux/net/ipv4/ip_fragment.c linux/net/ip
v4/ip_fragment.c
--- v2.0.31/linux/net/ipv4/ip_fragment.c        Tue Aug 12 11:30:25 1997
+++ linux/net/ipv4/ip_fragment.c        Thu Nov 13 05:58:30 1997
@@ -375,7 +375,7 @@
        fp = qp->fragments;
        while(fp != NULL)
        {
-               if(count+fp->len > skb->len)
+               if (fp->len < 0 || count+fp->len > skb->len)
                {
                        NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
                        ip_free(qp);

Cheers.

The actual exploit can also be slightly improved. Make it a tcp frame,
make the destination port 80 and it goes through most firewalls like
a bullet through cheese and seems to keep its effectiveness.

You can screen the stuff behind a firewall if your firewall reassembles
fragments (and is of course itself not vulnerable 8)).

Any news on the microsoft fix expected date/times ?

Alan


--
Philippe Strauss
home email/finger address: <philou () lili urbanet ch>
finger for PGP key

Never insult an alligator until you've crossed the river.
--

Current thread:

Re: What to do when you forget your cisco LD password..., (continued)
- - - Re: What to do when you forget your cisco LD password... John Bashinski (Nov 14)
    - Re: Safe /tmp cleanup Erik Troan (Nov 13)
    - Linux IP fragment overlap bug G P R (Nov 13)
    - Re: Linux IP fragment overlap bug Alan Cox (Nov 14)
    - Re: Linux IP fragment overlap bug Vadim Kolontsov (Nov 14)
    - Re: Linux IP fragment overlap bug David LeBlanc (Nov 14)
    - Re: Linux IP fragment overlap bug Morbid Dead Guy (Nov 16)
    - Windows 95 IP Fragmentation Bug Fix? Aleph One (Nov 17)
    - The Linux patch. G P R (Nov 14)
    - The overlapping fragment bug Alan Cox (Nov 14)
    - Re: The overlapping fragment bug Philippe Strauss (Nov 14)
    - Re: The overlapping fragment bug G P R (Nov 15)
    - Pentium processor invalid instruction erratum Aleph One (Nov 14)
    - Software backgrounder Aleph One (Nov 14)
    - BSDI patch for Pentium workaround has problems Charles M. Hannum (Nov 14)
    - Re: L0pht Advisory: IE4.0 David LeBlanc (Nov 10)
    - Re: L0pht Advisory: IE4.0 rene () NS VIA NL (Nov 11)
    - Intel Pentium Bug: Workaround (1st lvl cache) Ralf Rudolph (Nov 11)