Linux IPChains Fragment Overlap Vulnerability

Solution:
This patch was provided with the DataProtect advisory posted to BugTraq on July 27, 1999. The solution was incorporated into the 2.2.11 kernel, released in August 1999.

*** linux.old/net/ipv4/ip_fw.c Wed Jun 9 05:33:07 1999
--- linux/net/ipv4/ip_fw.c Fri Jul 23 19:20:45 1999
***************
*** 37,42 ****
--- 37,45 ----
* 19-May-1999: Star Wars: The Phantom Menace opened. Rule num
* printed in log (modified from Michael Hasenstein's patch).
* Added SYN in log message. --RR
+ * 23-Jul-1999: Fixed small fragment security exposure opened on 15-May-1998.
+ * John McDonald <jm@dataprotect.com>
+ * Thomas Lopatic <tl@dataprotect.com>
*/

/*
***************
*** 644,650 ****
default:
size_req = 0;
}
! offset = (ntohs(ip->tot_len) < (ip->ihl<<2)+size_req);
}

src = ip->saddr;
--- 647,666 ----
default:
size_req = 0;
}
!
! /* If it is a truncated first fragment then it can be
! * used to rewrite port information, and thus should
! * be blocked.
! */
!
! if (ntohs(ip->tot_len) < (ip->ihl<<2)+size_req)
! {
! if (!testing && net_ratelimit()) {
! printk("Suspect short first fragment.\n");
! dump_packet(ip,rif,NULL,NULL,0,0,0,0);
! }
! return FW_BLOCK;
! }
}

src = ip->saddr;



 

Privacy Statement
Copyright 2010, SecurityFocus