Re: *** Major bug in Linux ***
David Brauman <crisk@netvision.net.il> wrote:
>
> Well, it seems that Linux has this major bug in its networking code.
> I've had my computer remotely REBOOTED 3 times.
>
> I've been told it is caused by sending invalid packets longer than
> the maximum valid IP size (16 bit length). I've also been told that 2.0.23
> is immune to this, but when I tried it (certain people on IRC tried it on
> me, to be exact) the computer got stuck. Dead stuck.
It will be in 2.0.24. Meantime (at your own risk),
--- linux/net/ipv4/ip_fragment.c Wed Aug 7 07:00:08 1996
+++ linux-fdt/net/ipv4/ip_fragment.c Sat Oct 19 20:33:42 1996
@@ -47,6 +47,8 @@
atomic_t ip_frag_mem = 0; /* Memory used for fragments */
+char *in_ntoa(unsigned long in);
+
/*
* Memory Tracking Functions
*/
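Review bot: The `char *in_ntoa(unsigned long in);` prototype is declared by hand at the top of ip_fragment.c. If a shared header already declares in_ntoa, include that header instead, so this local copy cannot silently diverge from the real definition. If no such header exists, a one-line comment saying where the function is defined would help the next reader.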
@@ -366,7 +368,7 @@
{
NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
ip_free(qp);
- frag_kfree_skb(skb,FREE_WRITE);
+ kfree_skb(skb,FREE_WRITE);
ip_statistics.IpReasmFails++;
return NULL;
}
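Review bot: In the "Fragment over size" error path, the switch from frag_kfree_skb to kfree_skb is not explained in the patch or in the message. ip_frag_mem is described at the top of the file as the memory used for fragments, so please add a comment stating whether this skb was ever charged to that counter; without it a reader cannot tell whether the change corrects the accounting or breaks it. This path also frees with FREE_WRITE while the new oversize check frees with FREE_READ, and it would be worth saying why the two drops differ.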
@@ -466,6 +468,19 @@
return NULL;
}
}
+
+ /*
+ * Attempt to construct an oversize packet.
+ */
+
+ if(ntohs(iph->tot_len)+(int)offset>65535)
+ {
+ skb->sk = NULL;
+ printk("Oversized packet received from %s\n",in_ntoa(qp->iph->saddr));
+ frag_kfree_skb(skb, FREE_READ);
+ ip_statistics.IpReasmFails++;
+ return NULL;
+ }
/*
* Determine the position of this fragment.
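Review bot: The printk in the new oversize check is unconditional and unthrottled, so any remote sender of oversized fragments can fill the kernel log, and the address it records is simply whatever the packet claims as its source. The existing "Fragment over size" message is wrapped in NETDEBUG(); doing the same here, or rate limiting the message, keeps the drop and the IpReasmFails increment while avoiding log flooding. The condition reads iph->tot_len but the message dereferences qp->iph->saddr; logging iph->saddr would avoid relying on qp being valid at this point, which the visible context does not show.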
(was sent to LINUX-SERVER)
Evgeny
--
____________________________________________________________
/ Evgeny Stambulchik <fnevgeny@plasma-gate.weizmann.ac.il> \
/ Plasma Laboratory, Weizmann Institute of Science, Israel \ \
| Phone : (972)8-934-3610 == | == FAX : (972)8-934-3491 | |
| URL : http://plasma-gate.weizmann.ac.il/~fnevgeny/ | |
| Finger for PGP key >=====================================+ |
|______________________________________________________________|