• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Linux IPChains Fragment Overlap Vulnerability

Solution:
This patch was provided with the DataProtect advisory posted to BugTraq on July 27, 1999. The solution was incorporated into the 2.2.11 kernel, released in August 1999.

*** linux.old/net/ipv4/ip_fw.c Wed Jun 9 05:33:07 1999
--- linux/net/ipv4/ip_fw.c Fri Jul 23 19:20:45 1999
***************
*** 37,42 ****
--- 37,45 ----
* 19-May-1999: Star Wars: The Phantom Menace opened. Rule num
* printed in log (modified from Michael Hasenstein's patch).
* Added SYN in log message. --RR
+ * 23-Jul-1999: Fixed small fragment security exposure opened on 15-May-1998.
+ * John McDonald <jm@dataprotect.com>
+ * Thomas Lopatic <tl@dataprotect.com>
*/

/*
***************
*** 644,650 ****
default:
size_req = 0;
}
! offset = (ntohs(ip->tot_len) < (ip->ihl<<2)+size_req);
}

src = ip->saddr;
--- 647,666 ----
default:
size_req = 0;
}
!
! /* If it is a truncated first fragment then it can be
! * used to rewrite port information, and thus should
! * be blocked.
! */
!
! if (ntohs(ip->tot_len) < (ip->ihl<<2)+size_req)
! {
! if (!testing && net_ratelimit()) {
! printk("Suspect short first fragment.\n");
! dump_packet(ip,rif,NULL,NULL,0,0,0,0);
! }
! return FW_BLOCK;
! }
}

src = ip->saddr;