Subject: kern/1030: bug in ipintr() in dealing with fragmented IP packets.
To: None <gnats-admin@sun-lamp.cs.berkeley.edu>
From: Darren Reed <darrenr@vitruvius.arbld.unimelb.EDU.AU>
List: netbsd-bugs
Date: 05/07/1995 06:35:02
>Number: 1030
>Category: kern
>Synopsis: ipintr() will process too small IP fragments
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun May 7 06:35:01 1995
>Originator: Darren Reed
>Organization:
University of Melbourne
>Release: NetBSD-current
>Environment:
Sun IPC, NetBSD
System: NetBSD candella.arbld.unimelb.edu.au 1.0A NetBSD 1.0A (1.0A) #4: Mon Feb 20 18:33:28 EST 1995 root@:/usr/src/sys/arch/sparc/compile/1.0A sparc
>Description:
If NetBSD receives an IP packet of length less than 28 which is a fragment
and it isn't the last fragment (IP_MF is set) it will continue to process
this fragment and not generate any errors. RFC 791, section 2.3, page 8
outlines a description which is discussed further. Whilst NetBSD won't
generate such fragments (due to a small MTU) easily, a malicious person
can generate them. Also, NetBSD will, upon receipt of such a small fragment,
hold onto it until other fragments arrive and attempt reassembly. It is an
obscure and most definitely rare case, but quite possible.
>How-To-Repeat:
>Fix:
This patch causes ipintr() to discard packets which are fragments but
which are too small to be a valid IP fragment.
*** ip_input.c.orig Sun May 7 23:02:09 1995
--- ip_input.c Sun May 7 23:03:07 1995
***************
*** 200,206 ****
* Convert fields to host representation.
*/
NTOHS(ip->ip_len);
! if (ip->ip_len < hlen) {
ipstat.ips_badlen++;
goto bad;
}
--- 200,206 ----
* Convert fields to host representation.
*/
NTOHS(ip->ip_len);
! if (ip->ip_len < hlen || (ip->ip_off & IP_MF && ip->ip_len < 28)) {
ipstat.ips_badlen++;
goto bad;
}
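Review bot: the new condition reads ip->ip_off, but the only conversion visible before the `if` in this hunk is `NTOHS(ip->ip_len);`, so unless `NTOHS(ip->ip_off)` has already run earlier in ipintr(), `ip->ip_off & IP_MF` tests the wrong bit on little-endian hosts (it happens to work on the SPARC the report was written on). Either confirm ip_off is already in host order at this point or move the fragment test after the ip_off conversion. The constant 28 also hard-codes a 20-byte header: a non-final fragment must carry at least 8 octets of data, so `ip->ip_len < hlen + 8` expresses the rule and covers headers with options, and parenthesising `(ip->ip_off & IP_MF)` makes the precedence explicit for readers and compilers.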
>Audit-Trail:
>Unformatted:
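The following is an added example, not code from this report or from NetBSD's ip_input.c: a stand-alone C function that applies the fragment-length rule the fix is after, working on a raw header buffer instead of the kernel's struct ip so it builds anywhere. It generalises the patch's constant 28 to `hlen + 8` (the minimum for a non-final fragment under RFC 791) and also checks that a non-final fragment's data is a multiple of 8 octets. The helper names, the verdict enum and the sample headers are constructed for the example.

```c
/* Added example (not NetBSD code): validate IPv4 fragment lengths on a
 * received header the way the report's fix intends, plus the 8-octet
 * fragment rules from RFC 791 that the kernel check did not cover. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_MF        0x2000   /* "more fragments" flag, host byte order */
#define IP_OFFMASK   0x1fff   /* fragment offset, in 8-octet units */
#define IP_MIN_HLEN  20
#define IP_FRAG_UNIT 8        /* fragment data is measured in 8-octet units */

/* Constructed verdicts for the example. */
enum ip_verdict { IP_OK = 0, IP_BAD_HLEN, IP_BAD_LEN, IP_BAD_FRAG };

/* Read a big-endian 16-bit field (what NTOHS does in the kernel). */
static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Check the length fields of a received datagram. caplen is the number of
 * bytes actually present in pkt. All fields are converted to host order
 * before they are tested. */
enum ip_verdict ip_check_header(const uint8_t *pkt, size_t caplen)
{
    if (caplen < IP_MIN_HLEN || (pkt[0] >> 4) != 4)
        return IP_BAD_HLEN;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < IP_MIN_HLEN || hlen > caplen)
        return IP_BAD_HLEN;

    uint16_t ip_len = get_be16(pkt + 2);
    uint16_t ip_off = get_be16(pkt + 6);   /* converted before IP_MF is tested */

    if (ip_len < hlen)                     /* the check the kernel already had */
        return IP_BAD_LEN;

    if (ip_off & IP_MF) {
        /* A fragment with more to follow must carry at least one 8-octet
         * unit of data; the report's constant 28 assumes hlen == 20. */
        if (ip_len < hlen + IP_FRAG_UNIT)
            return IP_BAD_FRAG;
        /* Non-final fragments must carry a whole number of 8-octet units. */
        if ((ip_len - hlen) % IP_FRAG_UNIT != 0)
            return IP_BAD_FRAG;
    }
    return IP_OK;
}

/* Build a constructed IPv4 header (not captured traffic) with the given
 * option length, total-length field and fragment word. Returns hlen. */
static size_t make_header(uint8_t *buf, size_t optlen, uint16_t ip_len,
                          uint16_t ip_off)
{
    size_t hlen = IP_MIN_HLEN + optlen;
    memset(buf, 0, hlen);
    buf[0] = (uint8_t)(0x40 | (hlen / 4));   /* version 4, IHL in words */
    buf[2] = (uint8_t)(ip_len >> 8);
    buf[3] = (uint8_t)(ip_len & 0xff);
    buf[6] = (uint8_t)(ip_off >> 8);
    buf[7] = (uint8_t)(ip_off & 0xff);
    return hlen;
}

/* Run one constructed case through the check. */
enum ip_verdict check_case(size_t optlen, uint16_t ip_len, uint16_t ip_off)
{
    uint8_t buf[60];
    size_t hlen = make_header(buf, optlen, ip_len, ip_off);
    return ip_check_header(buf, hlen);
}

int main(void)
{
    printf("27-byte MF fragment, no options: %d\n", check_case(0, 27, IP_MF));
    printf("28-byte MF fragment, no options: %d\n", check_case(0, 28, IP_MF));
    printf("28-byte MF fragment, 4 option bytes: %d\n", check_case(4, 28, IP_MF));
    printf("27-byte datagram, not a fragment: %d\n", check_case(0, 27, 0));
    return 0;
}
```

The third case is the one the patch's fixed constant lets through: with four bytes of options the header is 24 bytes, so a 28-byte non-final fragment carries only 4 octets of data and is rejected by `hlen + 8` but passes `ip_len < 28`.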