Subject: kern/2296: some icmp destination unreachable packets contain garbage
To: None <gnats-bugs@NetBSD.ORG>
From: Laine Stump <laine@MorningStar.Com>
List: netbsd-bugs
Date: 04/03/1996 22:06:07
>Number: 2296
>Category: kern
>Synopsis: some icmp destination unreachable packets contain garbage
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Apr 3 17:35:01 1996
>Last-Modified:
>Originator: Laine Stump
>Organization:
Ascend Communications
>Release: 1.1
>Environment:
System: NetBSD tubeworm 1.1 NetBSD 1.1 (GENERICMST) #0: Wed Mar 13 00:14:05 EST 1996 laine@tubeworm:/usr/src/sys/arch/i386/compile/GENERICMST i386
>Description:
When ip_forward() generates an icmp destination unreachable packet, it
always includes the entire IP header of the offending packet plus the
following 8 bytes in the reply. The longest such offending header
would then be 0x0f * 4 = 60 bytes, plus the following 8 bytes,
resulting in a 68 byte payload. Unfortunately, ip_input() only saves the
first 64 bytes of potentially offensive packets when it calls m_copy()
in /usr/src/sys/netinet/ip_input.c. The remaining 4 bytes will be filled
with garbage.
>How-To-Repeat:
Send a packet with 40 bytes of IP options to a NetBSD machine on a
port that will elicit an icmp destination unreachable. The reply will
contain 4 garbage characters.
>Fix:
Call m_copy with a length of 68 instead of 64.
ADDITIONAL NOTE:
The following line from icmp_error() in ip_icmp.c displays obviously
wrong thinking. The oip->ip_len field will never be smaller than 20.
icmplen = oiplen + min(8, oip->ip_len);
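As an added illustration of the arithmetic in the description and fix above (not code from this report or from the NetBSD sources; the packet is constructed here, and the 64 and 68 byte lengths are the report's values), the following parses the IHL nibble, computes what icmp_error() would quote, and counts how many of those bytes fall past the prefix that m_copy() saved:

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SAVED_COPY_LEN 64   /* m_copy() length ip_input() uses, per the report */
#define FIXED_COPY_LEN 68   /* length the report proposes instead */

/* Header length in bytes from the IHL nibble (at most 0x0f * 4 = 60). */
static size_t ip_hdr_len(const uint8_t *pkt) {
    return (size_t)(pkt[0] & 0x0f) * 4;
}
/* Bytes icmp_error() quotes: the whole IP header plus the following 8. */
static size_t icmp_quoted_len(const uint8_t *pkt) {
    return ip_hdr_len(pkt) + 8;
}
/* Quoted bytes beyond the saved prefix: the reply fills these with
 * whatever happens to follow the saved copy in memory. */
static size_t garbage_bytes(const uint8_t *pkt, size_t saved_len) {
    size_t quoted = icmp_quoted_len(pkt);
    return quoted > saved_len ? quoted - saved_len : 0;
}

/* Constructed IPv4 packet: 20 fixed header bytes, option_bytes of IPOPT_NOP
 * (a multiple of 4, at most 40), then payload_len bytes of 0xAA. */
static size_t build_packet(uint8_t *buf, size_t option_bytes, size_t payload_len) {
    size_t hlen = 20 + option_bytes, total = hlen + payload_len;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | (hlen / 4));   /* version 4, IHL in 32-bit words */
    buf[2] = (uint8_t)(total >> 8);          /* ip_len, network byte order */
    buf[3] = (uint8_t)(total & 0xff);
    memset(buf + 20, 1, option_bytes);       /* IPOPT_NOP == 1 */
    memset(buf + hlen, 0xAA, payload_len);
    return total;
}

/* Garbage byte count for a packet carrying option_bytes of options. */
size_t garbage_for_options(size_t option_bytes, size_t saved_len) {
    uint8_t pkt[128];
    build_packet(pkt, option_bytes, 8);
    return garbage_bytes(pkt, saved_len);
}

int main(void) {
    for (size_t opts = 0; opts <= 40; opts += 4)
        printf("options=%2zu garbage with 64=%zu with 68=%zu\n", opts,
               garbage_for_options(opts, SAVED_COPY_LEN), garbage_for_options(opts, FIXED_COPY_LEN));
    return 0;
}
```

Only the 40-option (60 byte header) case overruns the 64 byte copy, by exactly the 4 bytes the report describes; a 68 byte copy covers every header length the IHL field can express.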
>Audit-Trail:
>Unformatted: