
Subject: Re: BUG: crasher [IMPORTANT PATCH]
From: "Pedro M. Rodrigues" <pmanuel,AT,myrealbox,DOT,com>
Date: Tue, 8 Jan 2002 01:57:46 +0100
In-reply-to: <E16NgCt-0001da-00@bigred.inka.de>

   Does it affect 1.4.6? Can these too small packets be used as a 
DoS in an exposed server?

Regards,
/Pedro

On 7 Jan 2002 at 21:17, Olaf Titz wrote:

> This must be an old problem, why was it never found? :-) To my
> knowledge it exists in all published versions of CIPE. It causes a
> crash when CIPE receives too small packets. Thanks to Larry McVoy for
> alerting me to this bug.
> 
> The attached patch is from the CVS but applies cleanly to 1.5.2.
> 
> Olaf
> 
> Index: cipe/sock.c
> ===================================================================
> RCS file:
> /home/olaf/common-home/CVSrepos/security/cipe-linux/cipe/sock.c,v
> retrieving revision 1.36 diff -u -r1.36 sock.c ---
> cipe/sock.c   2001/12/29 20:23:04     1.36 +++ cipe/sock.c    2002/01/06
> 18:28:56 @@ -199,6 +199,11 @@
>   goto framerr;
>      }
>  #endif
> +    if (length<cipehdrlen+(c->sockshost?sizeof(struct sockshdr):0)) {
> +        printk(KERN_INFO "%s: got short packet from %s\n",
> +        c->dev->name,
> +               cipe_ntoa(saddr(skb)));
> +     goto framerr;
> +    }
> 
>      n=alloc_skb(skb->len, GFP_KERNEL);
>      if (!n) {
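
Review bot: the printk in the new short-packet branch fires once per offending packet with no throttling, so a remote sender of undersized packets can fill the kernel log as fast as it can send. The rx_frame_errors counter bumped at framerr already records the event, so consider guarding the message with a rate limit (for example net_ratelimit()) or demoting it to a debug-only message. It is also worth confirming that length is not a signed type: the right-hand side of the comparison includes sizeof, so the test is evaluated unsigned and a negative length would not be caught by it.
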
> @@ -390,10 +395,8 @@
>      c->stat.rx_packets++;
>      return NULL;
> 
> -#if 0
>   framerr:
>      ++c->stat.rx_frame_errors; /* slightly abuse this */
> -#endif
>   error:
>      ++c->stat.rx_errors;
>      if (n)
> 
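
Review bot: with the framerr label now compiled in, the goto added in the first hunk reaches `if (n)` on the error path before `n=alloc_skb(skb->len, GFP_KERNEL);` has run, so n has to be initialised to NULL at its declaration, which this diff does not show; please confirm. The comment "slightly abuse this" could also state what rx_frame_errors now counts (short packets), and that framerr falls through to error, so each such packet increments both rx_frame_errors and rx_errors.
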
> === end of patch ===
> 
> 
> --
> Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> Other commands available with "help" in body to the same address. CIPE
> info and list archive:
> <URL:http://sites.inka.de/~bigred/devel/cipe.html>
> 




