Linux 2.0.33 vulnerability: fragment patterns
Alan Cox (alan CYMRU.NET) Thu, 16 Apr 1998 15:09:56 +0100
- Next message: Thomas Roessler: "xdm problems"
- Previous message: Alan Cox: "Re: New possible exploit for 2.0.33 (kfree_skb error)"
- Next in thread: Michal Zalewski: "Linux 2.0.33 vulnerability: oversized packets"
Ok duplicated. There's an 'off by one IP header' bug --- ip_fragment.c.old Thu Apr 16 12:25:34 1998 +++ ip_fragment.c Thu Apr 16 12:29:02 1998-375,7 +375,7
fp = qp->fragments; while(fp != NULL) { - if (fp->len < 0 || count+fp->len > skb->len) + if (fp->len < 0 || fp->offset+qp->ihlen+fp->len > skb->len) { NETDEBUG(printk("Invalid fragment list: Fragment over size.\n")); ip_free(qp);
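Review bot: The replacement condition sums fp->offset, qp->ihlen and fp->len, but only fp->len is tested for a negative value; nothing visible in this hunk shows that fp->offset is non-negative or small enough that the sum cannot wrap, so a bad offset could still pass the comparison against skb->len. Consider adding a lower-bound test on fp->offset to the same condition, or a comment saying where it is validated before this loop. A one-line comment stating that qp->ihlen is added because the IP header sits ahead of the fragment data in skb would make the "off by one IP header" reasoning clear to the next reader, and the hunk does not show whether count is still needed elsewhere once this check stops using it.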