Subject: Re: BUG: crasher [IMPORTANT PATCH]
From: "Pedro M. Rodrigues" <pmanuel,AT,myrealbox,DOT,com>
Date: Tue, 8 Jan 2002 01:57:46 +0100
In-reply-to: <E16NgCt-0001da-00@bigred.inka.de>

Does it affect 1.4.6? Can these too-small packets be used as a
DoS in an exposed server?
Regards,
/Pedro
On 7 Jan 2002 at 21:17, Olaf Titz wrote:
> This must be an old problem, why was it never found? :-) To my
> knowledge it exists in all published versions of CIPE. It causes a
> crash when CIPE receives too small packets. Thanks to Larry McVoy for
> alerting me to this bug.
>
> The attached patch is from the CVS but applies cleanly to 1.5.2.
>
> Olaf
>
> Index: cipe/sock.c
> ===================================================================
> RCS file:
> /home/olaf/common-home/CVSrepos/security/cipe-linux/cipe/sock.c,v
> retrieving revision 1.36 diff -u -r1.36 sock.c ---
> cipe/sock.c 2001/12/29 20:23:04 1.36 +++ cipe/sock.c 2002/01/06
> 18:28:56 @@ -199,6 +199,11 @@
> goto framerr;
> }
> #endif
> + if (length<cipehdrlen+(c->sockshost?sizeof(struct sockshdr):0)) {
> + printk(KERN_INFO "%s: got short packet from %s\n",
> + c->dev->name,
> + cipe_ntoa(saddr(skb)));
> + goto framerr;
> + }
>
> n=alloc_skb(skb->len, GFP_KERNEL);
> if (!n) {
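Review bot: The printk in the new short-packet branch fires once for every undersized packet a remote sender delivers, at KERN_INFO and with no throttle, so the crash fix leaves a way to flood the kernel log from the network. Suggest guarding the message with a rate limit (for example `if (net_ratelimit()) printk(...)`) and letting the rx_frame_errors counter carry the rest. Also, the right-hand side of `length<cipehdrlen+(c->sockshost?sizeof(struct sockshdr):0)` is unsigned because of sizeof; if length is a signed int, a negative value would be converted and pass the check, so it is worth confirming its type or making the comparison explicit.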
> @@ -390,10 +395,8 @@
> c->stat.rx_packets++;
> return NULL;
>
> -#if 0
> framerr:
> ++c->stat.rx_frame_errors; /* slightly abuse this */
> -#endif
> error:
> ++c->stat.rx_errors;
> if (n)
>
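Review bot: The error path below framerr tests `if (n)`, but the new `goto framerr` in the first hunk is taken before `n=alloc_skb(skb->len, GFP_KERNEL);` runs, so n must already be NULL at that point or the cleanup acts on an uninitialized pointer; the declaration is not visible in this patch, so please confirm n is initialized to NULL. With the `#if 0` removed, framerr also falls through into error and bumps both rx_frame_errors and rx_errors; a short fall-through comment, and updating "slightly abuse this" to say that short packets are now counted here, would make that intent clear.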
> === end of patch ===
>
>
> --
> Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> Other commands available with "help" in body to the same address. CIPE
> info and list archive:
> <URL:http://sites.inka.de/~bigred/devel/cipe.html>
>