This is the patch as reported to bugtraq, except it doesn't drop
truncated UDP and TCP packets which *aren't* fragments. I remember
going over this code convincing myself that it was safe. How *&%!ing
embarrassing.
--- linux-2.2/net/ipv4/ip_fw.c.rusty-fucked-up Wed Jul 28 19:15:38 1999
+++ linux-2.2/net/ipv4/ip_fw.c Wed Jul 28 20:29:57 1999
@@ -37,6 +37,9 @@
* 19-May-1999: Star Wars: The Phantom Menace opened. Rule num
* printed in log (modified from Michael Hasenstein's patch).
* Added SYN in log message. --RR
+ * 23-Jul-1999: Fixed small fragment security exposure opened on 15-May-1998.
+ * John McDonald <jm@dataprotect.com>
+ * Thomas Lopatic <tl@dataprotect.com>
*/
/*
@@ -645,6 +648,18 @@
size_req = 0;
}
offset = (ntohs(ip->tot_len) < (ip->ihl<<2)+size_req);
+ /* If it is a truncated first fragment then it can be
+ * used to rewrite port information, and thus should
+ * be blocked.
+ */
+ if (offset && (ntohs(ip->frag_off) & IP_MF)) {
+ if (!testing && net_ratelimit()) {
+ printk("Suspect short first fragment.\n");
+ dump_packet(ip,rif,NULL,NULL,0,0,0,0);
+ }
+ return FW_BLOCK;
+ }
}
src = ip->saddr;
Rusty.
-- Hacking time.- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/