Re: kernel bug -> security problem

Jared Mauch (jared@wolverine.hq.cic.net)
Mon, 21 Oct 1996 03:10:49 -0400 (EDT)


Perhaps if you read the list, you would have seen this patch: :-)

- Jared

From: Jon Lewis <jlewis@inorganic5.fdt.net>
To: linux-kernel@vger.rutgers.edu
cc: Alan Cox <iialan@iifeak.swan.ac.uk>,
Linus Torvalds <torvalds@cc.helsinki.fi>

This slightly modified version of Alan Cox's ping patch has been tested on
my SMP test box. Without it, I can crash it from a Win95 box, and then
softdog (I assume) reboots it. With the patch, Win95 doesn't seem able to
crash it. I'm now running this patch on 5 other systems.

Is there anything other than someone trying to crash my box that would
trigger the printk I added? One of our servers just logged this:

Oversized packet received from 205.229.51.6

That's one of our dialup user IP addresses. Are my own users trying to
crash me, or is it just a Windows IP bug? If there's no explanation other
than someone trying to crash our mail server, I'd like to terminate that
account.

--- ip_fragment.c.orig Wed Aug 7 07:00:08 1996
+++ ip_fragment.c Sat Oct 19 20:33:42 1996
@@ -47,6 +47,8 @@

atomic_t ip_frag_mem = 0; /* Memory used for fragments */

+char *in_ntoa(unsigned long in);
+
/*
* Memory Tracking Functions
*/
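Review bot: the file-local prototype for in_ntoa() added here should come from the header that owns it rather than being re-declared in ip_fragment.c; in 2.0 the declaration `extern char *in_ntoa(unsigned long in);` lives in the inet header (include/linux/inet.h), so `#include <linux/inet.h>` keeps the signature in one place and avoids a silent mismatch if it ever changes. Worth a comment too: in_ntoa() formats into a static buffer, so its result is only valid until the next call, which is fine for a single printk argument but not for anything that holds the pointer.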
@@ -366,7 +368,7 @@
{
NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
ip_free(qp);
- frag_kfree_skb(skb,FREE_WRITE);
+ kfree_skb(skb,FREE_WRITE);
ip_statistics.IpReasmFails++;
return NULL;
}
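Review bot: the switch from frag_kfree_skb() to kfree_skb() in this error path is not explained in the diff or the mail; the two differ in whether the ip_frag_mem accounting declared in the first hunk ("Memory used for fragments") is credited back, so a one-line comment saying that this skb was never charged to ip_frag_mem and therefore must be freed with plain kfree_skb() would stop the next reader from "fixing" it back. The same comment can note why this path uses FREE_WRITE while the rejection path in the next hunk uses FREE_READ.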
@@ -466,6 +468,19 @@
return NULL;
}
}
+
+ /*
+ * Attempt to construct an oversize packet.
+ */
+
+ if(ntohs(iph->tot_len)+(int)offset>65535)
+ {
+ skb->sk = NULL;
+ printk("Oversized packet received from %s\n",in_ntoa(qp->iph->saddr));
+ frag_kfree_skb(skb, FREE_READ);
+ ip_statistics.IpReasmFails++;
+ return NULL;
+ }

/*
* Determine the position of this fragment.
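Review bot: the printk on the new oversize path is unconditional and unlimited and fires once per rejected fragment, so a remote host can now flood the console and syslog at will (the mail itself shows a single dial-up user already triggering it); wrap it in NETDEBUG() like the existing "Fragment over size" message at the top of the previous hunk, or rate-limit it. The check itself, `ntohs(iph->tot_len)+(int)offset>65535`, is the right bound (the reassembled datagram implied by this fragment is byte offset plus this fragment's tot_len, and the 16-bit IP length field cannot describe anything longer) provided offset is already in bytes rather than 8-octet units at this point, which the diff does not show; a short comment stating both facts, and that 65535 is the maximum tot_len, would make the constant self-explanatory. The source address could also be taken from the local iph->saddr instead of qp->iph->saddr, since both carry the same value and it avoids depending on the queue head's saved header.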

------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/hr.
________Finger jlewis@inorganic5.fdt.net for PGP public key_______

Jacek Radajewski graced my mailbox with this long sought knowledge:
>
> Hi,
>
> I've just received e-mail about a bug in the kernel which causes linux
> to reboot when the following ping is issued from windowz 95 : "ping -l
> 65510 linux.box.IP.address" .. I tried it and sure enough linux dies
> quickly and without any warning ...
>
>
> Has someone got more info on this ??? is there a fix ?
>
> Cheers
>
> Jacek - jacek@usq.edu.au
>
>
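The bound the patch enforces, modelled in user space as an added example (this is not code from the thread or from the kernel): it fragments a datagram the way a sending stack would, then applies the same offset + tot_len > 65535 test to every fragment. It assumes a 20-byte IP header with no options, an 8-byte ICMP echo header and an MTU of 1500; the fragment layout it produces for a Windows `ping -l 65510` is constructed from those assumptions, not captured from the wire.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model of the reassembly bound in the patch.
 * Assumptions (not from the thread): 20-byte IP header (no options),
 * 8-byte ICMP echo header, MTU 1500 in the demo below. */
#define IP_HDR_LEN   20
#define ICMP_HDR_LEN 8
#define IP_OFFSET    0x1FFF   /* low 13 bits of frag_off: offset in 8-octet units */
#define IP_MF        0x2000   /* "more fragments" flag */
#define IP_MAX_LEN   65535    /* tot_len is a 16-bit field */

/* One fragment's header fields, host byte order. */
struct frag {
    uint16_t frag_off;  /* flags in the top 3 bits, offset in the low 13 */
    uint16_t tot_len;   /* IP header + this fragment's payload */
};

/* The test the patch adds: the datagram this fragment implies is
 * byte_offset + tot_len long (tot_len includes the header the reassembled
 * datagram will carry).  Anything past 65535 cannot be described by the IP
 * length field and is dropped. */
int frag_fits(const struct frag *f)
{
    int offset = (f->frag_off & IP_OFFSET) << 3;
    return offset + (int)f->tot_len <= IP_MAX_LEN;
}

/* Split `payload` bytes (everything after the IP header) into fragments for
 * `mtu` the way a sending stack does: each non-final fragment carries the
 * largest multiple of 8 that fits.  Returns the number of fragments written.
 * Offsets are masked to 13 bits, as the wire format forces. */
size_t fragment(size_t payload, size_t mtu, struct frag *out, size_t max)
{
    size_t per = ((mtu - IP_HDR_LEN) / 8) * 8;
    size_t n = 0, done = 0;

    while (done < payload && n < max) {
        size_t chunk = payload - done < per ? payload - done : per;
        out[n].frag_off = (uint16_t)((done / 8) & IP_OFFSET);
        if (done + chunk < payload)
            out[n].frag_off |= IP_MF;
        out[n].tot_len = (uint16_t)(IP_HDR_LEN + chunk);
        done += chunk;
        n++;
    }
    return n;
}

/* Index of the first fragment the patched receiver would reject, or -1 if
 * the whole datagram reassembles within 65535 bytes. */
int first_oversize(const struct frag *f, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!frag_fits(&f[i]))
            return (int)i;
    return -1;
}

/* Model "ping -l <data>" from the thread: the ICMP echo carries `data`
 * bytes, so the datagram is 20 + 8 + data bytes long.  Returns 1 if the
 * patched receiver drops one of its fragments, 0 if it reassembles. */
int ping_rejected(size_t data, size_t mtu)
{
    static struct frag buf[IP_MAX_LEN / 8 + 1];
    size_t n = fragment(ICMP_HDR_LEN + data, mtu, buf,
                        sizeof buf / sizeof buf[0]);
    return first_oversize(buf, n) >= 0;
}

int main(void)
{
    size_t sizes[] = { 65507, 65508, 65510 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("ping -l %zu over MTU 1500: %s\n", sizes[i],
               ping_rejected(sizes[i], 1500) ? "rejected" : "accepted");
    return 0;
}
```

With these assumptions the 65510-byte echo becomes 45 fragments; the first 44 each pass the check, and the final one (offset 65120, tot_len 418) implies a 65538-byte datagram and is the fragment the patch drops. 65507 is the largest `-l` value that still fits exactly, which is why that number is the traditional maximum for ping.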