
Re: *** Major bug in Linux ***



David Brauman <crisk@netvision.net.il> wrote:
>  
>  Well it seems the Linux has this major bug in its networking code..
>  I've had my computer remotely REBOOTED 3 times. 
>  
>  I've been told it is caused by sending invalid packets longer than 
>  the maximum valid IP size (16 bit length). I've also been told that 2.0.23
>  is immune to this, but when I tried it (certain people on IRC tried it on
>  me, to be exact) the computer got stuck. Dead stuck. 

It will be in 2.0.24. Meantime (at your own risk),

--- linux/net/ipv4/ip_fragment.c        Wed Aug  7 07:00:08 1996
+++ linux-fdt/net/ipv4/ip_fragment.c    Sat Oct 19 20:33:42 1996
@@ -47,6 +47,8 @@

 atomic_t ip_frag_mem = 0;                      /* Memory used for fragments */

+char *in_ntoa(unsigned long in);
+
 /*
  *     Memory Tracking Functions
  */
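
Review bot: The added line "char *in_ntoa(unsigned long in);" hand-declares the prototype inside this .c file, where a local copy can silently drift from the real definition. Include the header that already declares in_ntoa instead, or, if none is suitable here, mark the declaration extern and say in a comment why it is repeated.
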
@@ -366,7 +368,7 @@
                {
                        NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
                        ip_free(qp);
-                       frag_kfree_skb(skb,FREE_WRITE);
+                       kfree_skb(skb,FREE_WRITE);
                        ip_statistics.IpReasmFails++;
                        return NULL;
                }
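
Review bot: The swap from frag_kfree_skb to kfree_skb on the "Fragment over size" path carries no comment, and the oversize check added in the next hunk frees its rejected skb with frag_kfree_skb(skb, FREE_READ), so the two reject paths now differ in both the free routine and the FREE_WRITE/FREE_READ argument. Add a one-line comment stating why this skb must bypass the fragment wrapper, and confirm that FREE_WRITE is intended for a buffer that arrived on the receive side.
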
@@ -466,6 +468,19 @@
                        return NULL;
                }
        }
+
+       /*
+        *      Attempt to construct an oversize packet.
+        */
+
+       if(ntohs(iph->tot_len)+(int)offset>65535)
+       {
+               skb->sk = NULL;
+               printk("Oversized packet received from %s\n",in_ntoa(qp->iph->saddr));
+               frag_kfree_skb(skb, FREE_READ);
+               ip_statistics.IpReasmFails++;
+               return NULL;
+       }

        /*
         *      Determine the position of this fragment.
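
Review bot: The new printk in the oversize branch is unconditional, so any remote sender who trips the check writes one line to the kernel log per packet. The existing message in this file is wrapped in NETDEBUG(...), and this one should be wrapped or rate-limited the same way. The branch also returns without ip_free(qp), unlike the "Fragment over size" path in the previous hunk, and it prints qp->iph->saddr while the length test reads iph->tot_len. State in the comment whether leaving the queue in place is intended, and use one header pointer for both.
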

(was sent to LINUX-SERVER)

Evgeny


--
   ____________________________________________________________
  / Evgeny Stambulchik  <fnevgeny@plasma-gate.weizmann.ac.il>  \
 /  Plasma Laboratory, Weizmann Institute of Science, Israel \  \
 |  Phone : (972)8-934-3610  == | == FAX   : (972)8-934-3491 |  |
 |  URL   :    http://plasma-gate.weizmann.ac.il/~fnevgeny/  |  |
 |  Finger for PGP key >=====================================+  | 
 |______________________________________________________________| 
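
The 16-bit length limit from the quoted report and the sum tested by the patch, shown as an added user-space C example (not part of the original message or the kernel source). The function name, verdict names and sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict names are hypothetical, chosen for this example. */
enum frag_verdict { FRAG_OK, FRAG_MALFORMED, FRAG_OVERSIZE };

/* Constructed sample IPv4 headers (20 bytes; unlisted bytes are zero). */
static const uint8_t SAMPLE_FIRST[20]     = {0x45, 0, 0x05, 0xdc, 0, 1, 0x20, 0x00};
static const uint8_t SAMPLE_TAIL_MAX[20]  = {0x45, 0, 0x00, 0x1f, 0, 1, 0x1f, 0xfc};
static const uint8_t SAMPLE_TAIL_OVER[20] = {0x45, 0, 0x00, 0x20, 0, 1, 0x1f, 0xfc};
static const uint8_t SAMPLE_NOT_V4[20]    = {0x60, 0, 0x00, 0x20, 0, 1, 0x00, 0x00};

/* Classify one raw IPv4 header before it is queued for reassembly. */
enum frag_verdict check_fragment(const uint8_t *hdr, size_t len)
{
    if (hdr == NULL || len < 20 || (hdr[0] >> 4) != 4)
        return FRAG_MALFORMED;

    unsigned ihl     = (hdr[0] & 0x0fu) * 4u;             /* header bytes */
    unsigned tot_len = ((unsigned)hdr[2] << 8) | hdr[3];  /* 16-bit total length */
    unsigned frag    = ((unsigned)hdr[6] << 8) | hdr[7];  /* flags + offset */
    unsigned offset  = (frag & 0x1fffu) * 8u;             /* 13 bits, 8-byte units */

    if (ihl < 20 || ihl > len || tot_len < ihl)
        return FRAG_MALFORMED;

    /* If this fragment ends the datagram, the rebuilt packet is
     * ihl + offset + (tot_len - ihl) = offset + tot_len bytes long,
     * which is the sum the patch compares against 65535. */
    if (offset + tot_len > 65535u)
        return FRAG_OVERSIZE;
    return FRAG_OK;
}

int main(void)
{
    static const char *names[] = {"ok", "malformed", "oversize"};
    const uint8_t *samples[] = {SAMPLE_FIRST, SAMPLE_TAIL_MAX,
                                SAMPLE_TAIL_OVER, SAMPLE_NOT_V4};
    for (size_t i = 0; i < 4; i++)
        printf("sample %zu: %s\n", i, names[check_fragment(samples[i], 20)]);
    return 0;
}
```

SAMPLE_TAIL_MAX and SAMPLE_TAIL_OVER differ by one byte of total length at offset 65504, which puts them on either side of the 65535 boundary.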

