Re: tcpdump 3.4 bug? (final)

From: acpizer (acpizerat_private)
Date: Sun Jun 20 1999 - 01:17:32 PDT


    Hi again,
    
     Thanks go to Markus Peuhkuri for pointing out that the minimum length
    of an IP packet is actually 20 bytes, (I'm useless w/o a copy of TCP/IP
    Illustrated in front of me), anyway, here is a final patch, also don't
    forget to run tcpdump with the -v parameter if you want to see the source
    address of the offensive packet.
    
     Are the guys at LBL reading bugtraq? (tcpdump on ftp.ee.lbl.gov isn't
    updated yet...)
    
    Maybe they don't think it's a bug since routers drop the packet anyway,
    how about attacking machines which run tcpdump locally on the LAN?
    
    *** print-ip.orig.c     Thu Jun 17 11:24:17 1999
    --- print-ip.c  Sun Jun 20 11:04:20 1999
    *************** ip_print(register const u_char *bp, regi
    *** 440,445 ****
    --- 440,451 ----
                                    (void)printf("%s > %s: ",
                                                 ipaddr_string(&ip->ip_src),
                                                 ipaddr_string(&ip->ip_dst));
    +
    +                       if (ip->ip_hl < 5) {
    +                               (void)printf("Bad ip-in-ip encapsulation (hl < 5) Possible attack!");
    +                               return;
    +                       }
    +
                            ip_print(cp, len);
                            if (! vflag) {
                                    printf(" (ipip)");
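
Review bot: the `ip->ip_hl < 5` test is placed only in the ip-in-ip branch, directly before `ip_print(cp, len)`, although it inspects the header of the current call and nothing specific to encapsulation; placing it at the top of `ip_print()` would reject a short header length for every protocol rather than this one case. The check also has no upper bound (header length in bytes not exceeding `len`), and the early `return` leaves the message without a trailing separator and skips the ` (ipip)` tag that the non-verbose path prints.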
    
     Cheers.
    
    -------------------------------------------------------------------------------
    "Probably you've only really grown up, when you can bear not being understood."
    
                                  Marian Gold /Alphaville
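
The header-length check discussed in this message, as an added stand-alone example (not code from the post or from tcpdump): a bounded walk over nested ip-in-ip headers that rejects a header length below 5 words. The names `ipip_depth`, `depth_for_outer_hl` and `MAX_NEST`, and the sample packet bytes, are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_IPIP 4   /* IP protocol number for ip-in-ip */
#define MAX_NEST   8   /* assumed cap on encapsulation depth */

/* Count nested IPv4 headers; returns -1 if any header is malformed. */
int ipip_depth(const uint8_t *bp, size_t len)
{
    for (int depth = 1; depth <= MAX_NEST; depth++) {
        if (len < 20 || (bp[0] >> 4) != 4)
            return -1;                      /* too short, or not IPv4 */
        size_t hlen = (size_t)(bp[0] & 0x0f) * 4;
        /* hl < 5 gives hlen < 20; with hl == 0 the pointer would never
         * advance and the walk would not terminate on its own. */
        if (hlen < 20 || hlen > len)
            return -1;
        if (bp[9] != PROTO_IPIP)
            return depth;                   /* innermost header reached */
        bp += hlen;
        len -= hlen;
    }
    return -1;                              /* nested too deeply */
}

/* Constructed sample: an outer header with the given hl field that
 * claims ip-in-ip, followed at offset 20 by a 20-byte header (proto 6). */
int depth_for_outer_hl(uint8_t outer_hl)
{
    uint8_t pkt[40];
    memset(pkt, 0, sizeof pkt);
    pkt[0]  = (uint8_t)(0x40 | (outer_hl & 0x0f));
    pkt[9]  = PROTO_IPIP;
    pkt[20] = 0x45;
    pkt[29] = 6;
    return ipip_depth(pkt, sizeof pkt);
}

int main(void)
{
    printf("hl=5 -> %d\n", depth_for_outer_hl(5));
    printf("hl=0 -> %d\n", depth_for_outer_hl(0));
    return 0;
}
```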
    


