Re: *** Major bug in Linux ***
On Sun, 20 Oct 1996, David Brauman wrote:
>Well it seems the Linux has this major bug in its networking code..
>I've had my computer remotely REBOOTED 3 times.
>I've been told it is caused by sending invalid packets longer than
>the maximum valid IP size (16 bit length). I've also been told that 2.0.23
>is immune to this, but when I tried it (certain people on IRC tried it on
>me, to be exact) the computer got stuck. Dead stuck.
>
>Any patch for this ??? :) I really don't feel like delving into the kernel
Maybe this is it.
I kept the headers: BUGTRAQ is a mailing list worth following.
alex
---------------------------
>From usa@win95.com Sun Oct 20 20:22:09 1996
Date: Sat, 19 Oct 1996 18:43:39 +0200
From: Jake the Prince <usa@win95.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
Subject: BoS: Urgent !! Serious Linux Security Bug....
Resent-Date: Sun, 20 Oct 1996 07:28:16 +1000
Resent-From: best-of-security@suburbia.net
Hi,
Today we saw an email from Linus Torvalds advising of a problem
with Linux and ping. Basically you can reboot a Linux box remotely if
some scenarios are right. From what we can tell and this has all been
verified is: If anyone in the world with a Windows 95 machine can ping
your Linux box they can potentially reboot that machine.. Hence a serious
denial of service OR loss of data.
Scenario:
Win95 user types 'ping -l 65510 host.running.linux'.
Result:
That machine reboots OR freezes.
On the Linux machine, you need to be running kernel version 2.0.7 (It's
the lowest we run) up to version 2.0.20 (The highest we're running).
With ping you can use value 65508-65527.
We have extensively tested both of these.
I'm sure there are thousands of Linux systems that could be affected.
There IS a BETA patch out and it DOES work.. If you don't have that
patch code as of yet, it's attached.
Cyaz
Jake The Prince
PS..... Thanks to whoever found this serious bug...
-
/-----------------------------------------------------------\
| I have just one \|/ ____ \|/ |
| thing to say... ~@-/ oO \-@~ Neener, neener, neener. |
| /_( \__/ )_\ |
| \__U_/ |
| |
| -*- Opp -*- (usa@win95.com) -*- USA_Direkt -*- |
\-----------------------------------------------------------/
--- ip_fragment.c.old Mon Sep 16 22:14:52 1996
+++ ip_fragment.c Sat Oct 19 01:04:47 1996
@@ -366,7 +366,7 @@
{
NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
ip_free(qp);
- frag_kfree_skb(skb,FREE_WRITE);
+ kfree_skb(skb,FREE_WRITE);
ip_statistics.IpReasmFails++;
return NULL;
}
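Review bot: the switch from frag_kfree_skb to kfree_skb in the "Fragment over size" branch comes with no explanation, and the oversize check added further down in this same patch frees through frag_kfree_skb, so the two drop paths now use different helpers with no stated rule. A one-line comment above the new kfree_skb call saying why this skb must not go through the fragment free helper would keep a later cleanup from reverting it.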
@@ -466,6 +466,18 @@
return NULL;
}
}
+
+ /*
+ * Attempt to construct an oversize packet.
+ */
+
+ if(ntohs(iph->tot_len)+(int)offset>65535)
+ {
+ skb->sk = NULL;
+ frag_kfree_skb(skb, FREE_READ);
+ ip_statistics.IpReasmFails++;
+ return NULL;
+ }
/*
* Determine the position of this fragment.
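Review bot: the new oversize branch at `if(ntohs(iph->tot_len)+(int)offset>65535)` drops the fragment silently, while the existing over-size branch in the first hunk reports through NETDEBUG(printk(...)); adding a matching NETDEBUG line here would let an administrator see that oversize fragments are arriving. The comparison is only correct if `offset` is already a byte count at this point rather than a count of 8-byte units, which the visible lines do not show, so the comment block above the test should state the unit. The branch also frees with FREE_READ where the first hunk uses FREE_WRITE, and it leaves any existing fragment queue for this datagram in place; both choices deserve a word in the comment.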
--
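As an added example (not part of the original posts or the attached patch), the bound the patch enforces, `tot_len + offset > 65535`, is written here as a stand-alone C check over a raw IPv4 fragment header, together with the arithmetic that puts a 65508-byte ping payload over the limit. The function names, the two sample headers (constructed, with 192.0.2.x addresses and zeroed checksums) and the 1500-byte MTU split are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP_MAX_DATAGRAM 65535u  /* largest value the 16-bit total-length field can hold */
#define IP_OFFSET_MASK  0x1FFFu /* low 13 bits of the flags/fragment-offset word */

/* Size of the IP datagram produced by an ICMP echo with `payload` data bytes:
 * 8-byte ICMP header plus 20-byte IP header without options. */
unsigned long ping_datagram_len(unsigned long payload)
{
    return payload + 8ul + 20ul;
}

/* Returns 1 if this fragment would push the reassembled datagram past 65535
 * bytes, 0 if it fits, -1 if the buffer is not a usable IPv4 header. */
int fragment_oversize(const uint8_t *hdr, size_t len)
{
    if (len < 20 || (hdr[0] >> 4) != 4)
        return -1;
    unsigned ihl     = (hdr[0] & 0x0Fu) * 4u;
    unsigned tot_len = ((unsigned)hdr[2] << 8) | hdr[3];
    unsigned offset  = ((((unsigned)hdr[6] << 8) | hdr[7]) & IP_OFFSET_MASK) * 8u;
    if (ihl < 20 || tot_len < ihl)
        return -1;
    /* Same bound as the patch: fragment offset in bytes plus total length. */
    return offset + tot_len > IP_MAX_DATAGRAM ? 1 : 0;
}

/* Constructed sample: last fragment of a 65536-byte echo request split at a
 * 1500-byte MTU (offset 8140*8 = 65120, total length 416). Checksum zeroed. */
static const uint8_t SAMPLE_OVERSIZE[20] = {
    0x45, 0x00, 0x01, 0xA0, 0x12, 0x34, 0x1F, 0xCC, 0x40, 0x01,
    0x00, 0x00, 192, 0, 2, 1, 192, 0, 2, 2 };

/* Constructed sample: last fragment of an ordinary 4028-byte echo request
 * (offset 370*8 = 2960, total length 1068). */
static const uint8_t SAMPLE_OK[20] = {
    0x45, 0x00, 0x04, 0x2C, 0x12, 0x35, 0x01, 0x72, 0x40, 0x01,
    0x00, 0x00, 192, 0, 2, 1, 192, 0, 2, 2 };

int main(void)
{
    printf("ping -l 65508 -> %lu-byte datagram\n", ping_datagram_len(65508));
    printf("oversize sample: %d\n", fragment_oversize(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE));
    printf("normal sample:   %d\n", fragment_oversize(SAMPLE_OK, sizeof SAMPLE_OK));
    return 0;
}
```

The same test can be applied per fragment in a packet filter or capture-analysis tool, since no single fragment on the wire exceeds the limit; only the offset plus length of a late fragment reveals it.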