> Can someone explain to me how teardrop attack works.

It's a pointer arithmetic problem triggered by the receipt of overlapping IP fragments. Essentially, on vulnerable kernels, if you send two fragments of an IP packet that overlap, and the second fragment does not contain enough data to align properly, the system will compute a "length" variable that is less than zero, and then pass it directly to memcpy() as a count of bytes to copy from the fragment. The "count" argument to memcpy() is unsigned, meaning that the number "-1" is actually a very large positive number, and the resulting copy operation causes the system to crash.

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                         "mmm... sacrilicious"
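An added illustration of the arithmetic described above (constructed for this page, not code from the post or from any kernel): a simplified model of the overlap-trimming step in a reassembly routine, the signed-to-unsigned conversion the count undergoes at memcpy(), and the range check that rejects a fragment lying entirely inside one already held. The fragment offsets are constructed sample values.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdbool.h>

/* Simplified model of fragment trimming during IP reassembly (constructed
 * for illustration; not the real kernel source).
 *   prev_end    : byte offset where the previously accepted fragment ends
 *   offset, end : byte range [offset, end) carried by the new fragment */

/* Vulnerable version: trims the overlap against the previous fragment but
 * never re-checks the range, so a fragment that ends before prev_end yields
 * a negative length. */
int teardrop_copy_len(int prev_end, int offset, int end) {
    if (offset < prev_end) {
        int overlap = prev_end - offset;
        offset += overlap;          /* skip bytes the previous fragment holds */
    }
    return end - offset;            /* may be < 0: the bug */
}

/* What memcpy() actually receives: the signed length converted to size_t,
 * so -1 becomes the largest representable value. */
size_t as_memcpy_count(int len) {
    return (size_t)len;
}

/* Hardened version: malformed ranges and fragments that contribute no new
 * bytes after trimming are rejected before any length reaches memcpy(). */
bool safe_copy_len(int prev_end, int offset, int end, int *len_out) {
    if (offset < 0 || end < offset) return false;   /* malformed range */
    if (offset < prev_end) offset = prev_end;       /* same trim as above */
    if (end <= offset) return false;                /* nothing new to copy */
    *len_out = end - offset;
    return true;
}

/* Convenience wrapper: accepted length, or -1 when the fragment is rejected. */
int safe_len_or_reject(int prev_end, int offset, int end) {
    int len;
    return safe_copy_len(prev_end, offset, end, &len) ? len : -1;
}

int main(void) {
    /* Constructed teardrop-style pair: first fragment covers [0, 36), the
     * second claims offset 24 but carries only 4 bytes, i.e. [24, 28). */
    int len = teardrop_copy_len(36, 24, 28);
    printf("vulnerable length = %d, memcpy count = %zu\n",
           len, as_memcpy_count(len));
    printf("hardened result = %d (-1 means rejected)\n",
           safe_len_or_reject(36, 24, 28));
    return 0;
}
```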
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:25 PDT