Re: Ping with a 65510 bytes pack

Linus Torvalds (torvalds@cs.helsinki.fi)
Sat, 19 Oct 1996 10:28:10 +0300 (EET DST)


On Fri, 18 Oct 1996, Shinanyaku wrote:
>
> Bruno Kraychete da Costa was heard saying ....
> >
> > When a friend of mine, using a Win95 workstation, issued the ping
> > command using a pack of 65510 bytes and addressed to my Linux 2.0.22, it
> > simply rebooted. On the second time he issued that command, all the
> > processes stopped because of a general protection 000, including the agetty
> > processes.
>
> Everybody try this and lock up your linux system? I did. It works as
> reported except it didn't reboot my box, just lock it up solid-like.

Ok, this is _definitely_ the kind of bug that I want to have fixed asap.
Alan already sent out a test-patch, but he hadn't been able to test it.
Neither can I, because I don't have access to any Windows machines, and Linux
won't even try to send out those illegal packets (and I'm way too lazy to try
to write a program that tries to send out raw ethernet packets)

So could people please test the patch by Alan (I'm including it at the end of
this email in case you missed it for some reason)? Please test first an
unpatched kernel to make sure you see the problem properly so that I don't
get positive reports that turn out to be flukes due to a router eating up the
packets or something..

The patch applies to just about any 2.x kernel (it certainly applied to both
2.1.5 and 2.0.23), and the reason I'm asking people to test it out is that
this kind of embarrassing bug (Q: "What's the height of embarrassment?"
A: "Windows crashing Linux"), and even this small patch is enough to release
a new kernel version just to have it "officially fixed" before the news of
this spread. But I don't want to make a 2.0.24 that turns out to not fix the
only problem it was meant to fix ;)

(Thanks Alan for the quick action, and sorry to people who get this patch
twice in their mailbox)

Please reply to me directly, just a "yes, it fixes it" or "nope, my machine
still crashes" will do.

Thanks,
Linus
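The bound that Alan's patch (forwarded below) enforces, worked through on constructed IPv4 fragment headers as an added example; this is not code from the thread or from the kernel. It assumes the 65510 bytes in the report are the ICMP echo payload, a 1500-byte MTU, and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IP_OFFSET  0x1FFF   /* low 13 bits of the fragment field, in 8-byte units */
#define IP_MAX_LEN 65535    /* ceiling of the 16-bit IPv4 total-length field */

static unsigned get_be16(const uint8_t *p) { return (unsigned)(p[0] << 8 | p[1]); }
/* The bound from the patch on a raw IPv4 header: tot_len includes this fragment's
 * own header, so offset + tot_len is the length the reassembled datagram would
 * need; above 65535 it cannot be a valid IP datagram, so it is rejected. */
int frag_would_oversize(const uint8_t *iph)
{
    unsigned tot_len = get_be16(iph + 2);
    unsigned offset  = (get_be16(iph + 6) & IP_OFFSET) * 8;
    return tot_len + offset > IP_MAX_LEN;
}

/* Constructed 20-byte IPv4 header (no options) for one ICMP fragment. */
void build_frag(uint8_t hdr[20], unsigned data_len, unsigned offset, int more)
{
    unsigned frag = (offset / 8) | (more ? 0x2000 : 0);   /* MF flag bit */
    memset(hdr, 0, 20);
    hdr[0] = 0x45;                                        /* IPv4, ihl = 5 */
    hdr[2] = (uint8_t)((20 + data_len) >> 8);
    hdr[3] = (uint8_t)(20 + data_len);
    hdr[6] = (uint8_t)(frag >> 8);
    hdr[7] = (uint8_t)frag;
    hdr[9] = 1;                                           /* protocol: ICMP */
}

/* Verdict for the final fragment of an ICMP echo carrying icmp_data payload
 * bytes, split at a 1500-byte MTU (1480 data bytes per fragment). */
int last_fragment_oversize(unsigned icmp_data)
{
    unsigned payload = 8 + icmp_data;           /* 8-byte ICMP header + data */
    unsigned rem     = payload % 1480;
    unsigned offset  = rem ? payload - rem : payload - 1480;
    uint8_t hdr[20];
    build_frag(hdr, rem ? rem : 1480, offset, 0);
    return frag_would_oversize(hdr);
}

int main(void)
{
    /* 65510 is the size from the report; 65507 reassembles to exactly 65535 bytes. */
    printf("65510 bytes: oversize=%d\n", last_fragment_oversize(65510));
    printf("65507 bytes: oversize=%d\n", last_fragment_oversize(65507));
    return 0;
}
```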

-----
Date: Sat, 19 Oct 96 01:05 BST
From: alan@lxorguk.ukuu.org.uk (Alan Cox)
To: linux-kernel@vger.rutgers.edu, linux-net@vger.rutgers.edu
Subject: Untested but this should fix the problem with oversize packets

Let me know how it works (patch v 2.0.2x)

--- ip_fragment.c.old Mon Sep 16 22:14:52 1996
+++ ip_fragment.c Sat Oct 19 01:04:47 1996
@@ -366,7 +366,7 @@
{
NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
ip_free(qp);
- frag_kfree_skb(skb,FREE_WRITE);
+ kfree_skb(skb,FREE_WRITE);
ip_statistics.IpReasmFails++;
return NULL;
}
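Review bot: the free routine changes from frag_kfree_skb(skb,FREE_WRITE) to kfree_skb(skb,FREE_WRITE) in the "Fragment over size" path with no comment on why this error path should bypass the fragment-specific free, while the new rejection added in the next hunk keeps frag_kfree_skb(skb, FREE_READ) for the same kind of discard; a one-line comment above the free stating where this skb was allocated and why the mode differs (FREE_WRITE here, FREE_READ there) would let a reader confirm the two paths release the buffer consistently.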
@@ -466,6 +466,18 @@
return NULL;
}
}
+
+ /*
+ * Attempt to construct an oversize packet.
+ */
+
+ if(ntohs(iph->tot_len)+(int)offset>65535)
+ {
+ skb->sk = NULL;
+ frag_kfree_skb(skb, FREE_READ);
+ ip_statistics.IpReasmFails++;
+ return NULL;
+ }

/*
* Determine the position of this fragment.
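Review bot: the new rejection path is silent, whereas the existing oversize path in the previous hunk logs via NETDEBUG(printk(...)) before freeing; add a matching NETDEBUG message here so someone testing the patch, as Linus asks, can tell an oversize fragment dropped by this check from one lost elsewhere on the route. The comment "Attempt to construct an oversize packet." would also be clearer if it stated the arithmetic: tot_len includes the fragment's own IP header, so ntohs(iph->tot_len)+offset is the total length the reassembled datagram would need, and 65535 is the ceiling of the 16-bit length field.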