Subject: kern/1030: bug in ipintr() in dealing with fragmented IP packets.
To: None <gnats-admin@sun-lamp.cs.berkeley.edu>
From: Darren Reed <darrenr@vitruvius.arbld.unimelb.EDU.AU>
List: netbsd-bugs
Date: 05/07/1995 06:35:02
>Number:         1030
>Category:       kern
>Synopsis:       ipintr() will process too small IP fragments
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun May  7 06:35:01 1995
>Originator:     Darren Reed
>Organization:
University of Melbourne
>Release:        NetBSD-current
>Environment:
Sun IPC, NetBSD
System: NetBSD candella.arbld.unimelb.edu.au 1.0A NetBSD 1.0A (1.0A) #4: Mon Feb 20 18:33:28 EST 1995 root@:/usr/src/sys/arch/sparc/compile/1.0A sparc


>Description:
If NetBSD receives an IP packet of length less than 28 which is a fragment
and is not the last fragment (IP_MF is set), it will continue to process
this fragment without generating any errors.  RFC 791, section 2.3, page 8
describes the fragmentation behaviour in question.  Whilst NetBSD won't
easily generate such fragments itself (it would need a small MTU), a
malicious person can generate them.  Also, upon receipt of such a small
fragment, NetBSD will hold onto it until other fragments arrive and then
attempt reassembly.  It is an obscure and most definitely rare case, but
quite possible.
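The length checks described above, written out as a stand-alone C example that is not part of this report or of the NetBSD sources. It models ipintr()'s header-length and total-length tests on a raw buffer, and generalises the proposed fragment test from the constant 28 to hlen + 8 (identical for an option-less header, stricter when IP options are present), since RFC 791 requires every non-last fragment to carry data in whole 8-octet blocks. The packets it feeds in are constructed inline; the helper names ip_check, build_ipv4 and check_scenario are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* "More fragments" flag bit of the fragment offset field, as in <netinet/ip.h>. */
#define IP_MF 0x2000

enum ip_verdict { IP_OK = 0, IP_BAD_HLEN, IP_BAD_LEN, IP_BAD_FRAG };

/* Read a 16-bit network-order field (what NTOHS() does in ipintr()). */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Length sanity checks in the order ipintr() applies them, with the
 * fragment test generalised to hlen + 8: a non-last fragment must carry
 * at least one 8-octet block of data, i.e. 28 bytes for an option-less
 * header.  buf/buflen describe the bytes actually received. */
enum ip_verdict ip_check(const uint8_t *buf, size_t buflen)
{
    if (buflen < 20)
        return IP_BAD_HLEN;
    unsigned hlen = (buf[0] & 0x0f) * 4;           /* ip_hl, in 32-bit words */
    if (hlen < 20 || hlen > buflen)
        return IP_BAD_HLEN;                        /* ips_badhlen */
    uint16_t ip_len = rd16(buf + 2);               /* NTOHS(ip->ip_len) */
    uint16_t ip_off = rd16(buf + 6);               /* NTOHS(ip->ip_off) */
    if (ip_len < hlen)
        return IP_BAD_LEN;                         /* ips_badlen, existing test */
    if ((ip_off & IP_MF) && ip_len < hlen + 8)
        return IP_BAD_FRAG;                        /* the case this PR adds */
    return IP_OK;
}

/* Write a constructed IPv4 header (checksum left zero) into out.
 * ihl is the header length in 32-bit words (5 = no options). */
size_t build_ipv4(uint8_t *out, size_t cap, unsigned ihl,
                  uint16_t total_len, uint16_t off_field)
{
    size_t hlen = (size_t)ihl * 4;
    if (ihl < 5 || ihl > 15 || cap < hlen)
        return 0;
    memset(out, 0, hlen);
    out[0] = (uint8_t)(0x40 | ihl);            /* version 4 + IHL */
    out[2] = (uint8_t)(total_len >> 8);
    out[3] = (uint8_t)(total_len & 0xff);
    out[4] = 0x12; out[5] = 0x34;              /* identification (constructed) */
    out[6] = (uint8_t)(off_field >> 8);        /* flags + fragment offset */
    out[7] = (uint8_t)(off_field & 0xff);
    out[8] = 64;                               /* TTL */
    out[9] = 17;                               /* protocol: UDP */
    return hlen;
}

/* Build one constructed packet and run it through ip_check().  The buffer
 * is padded so that at least total_len (and at least the header) is
 * treated as received. */
enum ip_verdict check_scenario(unsigned ihl, uint16_t total_len, uint16_t off_field)
{
    uint8_t pkt[128] = {0};
    size_t hlen = build_ipv4(pkt, sizeof pkt, ihl, total_len, off_field);
    if (hlen == 0)
        return IP_BAD_HLEN;
    size_t received = total_len > hlen ? total_len : hlen;
    if (received > sizeof pkt)
        received = sizeof pkt;
    return ip_check(pkt, received);
}

int main(void)
{
    static const char *names[] = { "ok", "bad hlen", "bad len", "bad fragment" };
    printf("24-byte packet, MF set, no options:      %s\n",
           names[check_scenario(5, 24, IP_MF)]);
    printf("28-byte packet, MF set, no options:      %s\n",
           names[check_scenario(5, 28, IP_MF)]);
    printf("24-byte last fragment at offset 3:       %s\n",
           names[check_scenario(5, 24, 3)]);
    printf("28-byte packet, MF set, 4 option bytes:  %s\n",
           names[check_scenario(6, 28, IP_MF)]);
    return 0;
}
```

The last scenario is the one the constant 28 misses: with four bytes of options the header is 24 bytes, so a 28-byte non-last fragment carries only 4 data octets and is rejected by the hlen + 8 form but accepted by `ip_len < 28`.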

>How-To-Repeat:

>Fix:
This patch causes ipintr() to discard packets which are fragments but
which are too small to be a valid IP fragment.

*** ip_input.c.orig	Sun May  7 23:02:09 1995
--- ip_input.c	Sun May  7 23:03:07 1995
***************
*** 200,206 ****
  	 * Convert fields to host representation.
  	 */
  	NTOHS(ip->ip_len);
! 	if (ip->ip_len < hlen) {
  		ipstat.ips_badlen++;
  		goto bad;
  	}
--- 200,206 ----
  	 * Convert fields to host representation.
  	 */
  	NTOHS(ip->ip_len);
! 	if (ip->ip_len < hlen || (ip->ip_off & IP_MF && ip->ip_len < 28)) {
  		ipstat.ips_badlen++;
  		goto bad;
  	}
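Review bot: the new test `ip->ip_off & IP_MF && ip->ip_len < 28` hard-codes 28 as 20 + 8, so a non-last fragment whose header carries options (hlen > 20) and whose ip_len lies between 28 and hlen + 7 still passes with fewer than 8 octets of data; writing it as `ip->ip_len < hlen + 8` states the intent directly and behaves identically for the option-less case. Two smaller points: the hunk shows ip_len converted with NTOHS() before the test but no conversion of ip_off, so if ip_off is still in network order at this point the `& IP_MF` comparison against a host-order constant only holds on big-endian machines such as the reporting SPARC, and the test should either move below the NTOHS(ip->ip_off) or compare against htons(IP_MF); and `a & b && c` is clearer as `(a & b) && c` so the precedence is explicit. A one-line comment giving the reason for the 8 (RFC 791 fragment data is in 8-octet units) would help the next reader, since ips_badlen is otherwise bumped without explanation.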
>Audit-Trail:
>Unformatted: