Subject: kern/2296: some icmp destination unreachable packets contain garbage
To: None <gnats-bugs@NetBSD.ORG>
From: Laine Stump <laine@MorningStar.Com>
List: netbsd-bugs
Date: 04/03/1996 22:06:07
>Number:         2296
>Category:       kern
>Synopsis:       some icmp destination unreachable packets contain garbage
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Apr  3 17:35:01 1996
>Originator:     Laine Stump
Ascend Communications
>Release:        1.1
System: NetBSD tubeworm 1.1 NetBSD 1.1 (GENERICMST) #0: Wed Mar 13 00:14:05 EST 1996 laine@tubeworm:/usr/src/sys/arch/i386/compile/GENERICMST i386
>Description:
When ip_forward() generates an icmp destination unreachable packet, it
always includes the entire IP header of the offending packet plus the
following 8 bytes in the reply. The longest such offending header
would then be 0x0f * 4 = 60 bytes, plus the following 8 bytes,
resulting in a 68 byte payload. Unfortunately, ip_input() only saves the
first 64 bytes of a potentially offending packet when it calls m_copy()
in /usr/src/sys/netinet/ip_input.c. The remaining 4 bytes will be filled
with garbage.
>How-To-Repeat:
Send a packet with 40 bytes of IP options to a NetBSD machine on a
port that will elicit an icmp destination unreachable. The reply will
contain 4 garbage characters.
>Fix:
Call m_copy with a length of 68 instead of 64.


The following line from icmp_error() in ip_icmp.c displays obviously
wrong thinking. The oip->ip_len field will never be smaller than 20.

	icmplen = oiplen + min(8, oip->ip_len);
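As an added example, not code from the report or from NetBSD, the arithmetic above worked in C: how long the quoted payload must be, why a 60-byte header leaves 4 bytes past a 64-byte save, and why the min() expression quoted from icmp_error() always yields oiplen + 8. needed_icmplen() caps at the data actually present, which is my reading of the intent rather than a change the report proposes; the packet contents and the 0xEE fill are constructed.

```c
#include <stdio.h>
#include <string.h>

#define IP_HDR_MAX      (0x0f * 4)  /* IHL is 4 bits of 32-bit words: at most 60 bytes */
#define ICMP_DATA_BYTES 8           /* bytes past the IP header an ICMP error quotes */
#define SAVED_BYTES     64          /* length ip_input() passes to m_copy(), per the report */

/* Bytes an ICMP error must quote: the whole offending IP header plus up to 8 bytes
 * of what follows it, fewer only if the datagram is that short (assumed intent). */
static int needed_icmplen(int oiplen, int ip_len)
{
    int data = ip_len - oiplen;
    return oiplen + (data < ICMP_DATA_BYTES ? data : ICMP_DATA_BYTES);
}

/* The expression quoted from icmp_error(). ip_len includes the header, so it
 * is never below 20 and min(8, ip_len) is always 8: the cap never engages. */
static int report_icmplen(int oiplen, int ip_len)
{
    return oiplen + (ip_len < ICMP_DATA_BYTES ? ip_len : ICMP_DATA_BYTES);
}

/* Model the bug on bytes: a constructed packet, a copy that keeps only SAVED_BYTES
 * of it (the rest is stale 0xEE memory), and a reply quoting `need` bytes from
 * that copy. Returns the number of quoted bytes that differ from the packet. */
static int simulate_reply(int oiplen, int ip_len)
{
    unsigned char pkt[IP_HDR_MAX + ICMP_DATA_BYTES], saved[IP_HDR_MAX + ICMP_DATA_BYTES];
    int need = needed_icmplen(oiplen, ip_len), i, bad = 0;
    for (i = 0; i < (int)sizeof pkt; i++)
        pkt[i] = (unsigned char)(0x40 + i);   /* constructed, recognisable contents */
    memset(saved, 0xEE, sizeof saved);        /* stale memory past the saved copy */
    memcpy(saved, pkt, need < SAVED_BYTES ? need : SAVED_BYTES);  /* m_copy(m, 0, 64) */
    for (i = 0; i < need; i++)
        bad += saved[i] != pkt[i];
    return bad;
}

int main(void)
{
    printf("60-byte header: need %d, saved %d, garbage bytes in reply %d\n",
           needed_icmplen(IP_HDR_MAX, 1500), SAVED_BYTES,
           simulate_reply(IP_HDR_MAX, 1500));
    printf("20-byte header, no data: quoted formula %d, bytes present %d\n",
           report_icmplen(20, 20), needed_icmplen(20, 20));
    return 0;
}
```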