Diffstat (limited to 'share/security/advisories/FreeBSD-SA-98:08.fragment.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-98:08.fragment.asc | 96 |
1 files changed, 0 insertions, 96 deletions
diff --git a/share/security/advisories/FreeBSD-SA-98:08.fragment.asc b/share/security/advisories/FreeBSD-SA-98:08.fragment.asc deleted file mode 100644 index 305840209e..0000000000 --- a/share/security/advisories/FreeBSD-SA-98:08.fragment.asc +++ /dev/null 
@@ -1,96 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- - -============================================================================= -FreeBSD-SA-98:08 Security Advisory - FreeBSD, Inc. - -Topic: IP fragmentation denial of service - -Category: core -Module: kernel -Announced: 1998-11-04 -Affects: FreeBSD 3.0 and - FreeBSD-current before the correction date. -Corrected: FreeBSD-3.0 and FreeBSD-current as of 1998/10/27 -FreeBSD only: Yes - -Patches: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:08/ - -I. Background - -IP connections are controlled through a series of packets that are -received by the two computers involved in the connection. -When packets are too large to be sent in a single IP packet (due to -interface hardware limitations for example), they can be fragmented -(unless prohibited by the Don't Fragment flag). -The final destination will reassemble all the fragments of an IP packet -and pass it to higher protocol layers (like TCP or UDP). - -II. Problem Description - -There is a bug in the IP fragment reassembly code that might lead -to a kernel panic. An attacker can create and send a pair of -malformed IP packets which are then reassembled into an invalid -UDP datagram. Such an UDP datagram would then cause a server to -panic and crash. - - -III. Impact - -When this bug is exploited the operating system will panic. This results -in a reboot of the system. -This vulnerability has been discussed in public security forums and -exploit programs are circulating to take advantage of this bug. - - -IV. Workaround - -None. - -V. Solution - - - Index: ip_input.c - =================================================================== - RCS file: /home/cvsup/freebsd/CVS/src/sys/netinet/ip_input.c,v - retrieving revision 1.102 - retrieving revision 1.103 - diff -u -u -r1.102 -r1.103 - --- ip_input.c 1998/10/16 03:55:01 1.102 - +++ ip_input.c 1998/10/27 09:11:41 1.103 - 
@@ -750,7 +750,7 @@ - * if they are completely covered, dequeue them. - */ - for (; q != NULL && ip->ip_off + ip->ip_len > GETIP(q)->ip_off; - - p = q, q = nq) { - + q = nq) { - i = (ip->ip_off + ip->ip_len) - - GETIP(q)->ip_off; - if (i < GETIP(q)->ip_len) { - -============================================================================= -FreeBSD, Inc. - -Web Site: http://www.freebsd.org/ -Confidential contacts: security-officer@freebsd.org -Security notifications: security-notifications@freebsd.org -Security public discussion: freebsd-security@freebsd.org -PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc - -Notice: Any patches in this document may not apply cleanly due to - modifications caused by digital signature or mailer software. - Please reference the URL listed at the top of this document - for original copies of all patches if necessary. -============================================================================= - - ------BEGIN PGP SIGNATURE----- -Version: 2.6.3ia -Charset: noconv - -iQCVAwUBNkCrf1UuHi5z0oilAQE0GgQAga3x91fd4QU8/vXKkPp8h2hUmHifhdIc -K4PynSKtqP8IQFzMzGApMU5MLCV2s6cXLj2cznAuCcHiF6xWsTIf1JoqgtaYZaTS -pBtW9Dxp+5OYlVnGHfijUbO8sop2PpAqaBpVv2CnxYvFz3sMbM8z1H7wkWEHvL7Z -MHXYAJ2Apfk= -=fOyn ------END PGP SIGNATURE----- |
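Review bot: The whole-file deletion (`deleted file mode 100644`, `+++ /dev/null`, 96 deletions) drops the PGP-signed text of FreeBSD-SA-98:08, and nothing in the visible diff adds a stub or a pointer to wherever the advisory is supposed to live afterwards. The signature covers the embedded `ip_input.c` 1.102 to 1.103 patch, and the advisory lists its workaround as "None", so anyone checking the fix against the signed text needs that copy to stay reachable byte-for-byte. Please name the new canonical location in the commit message, or leave a short redirect file at this path. If the file is being moved rather than retired, do the move in this same commit so the history shows a rename instead of a bare deletion.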