Subject: Re: Article
To: Ignatios Souvatzis <is@netbsd.org>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: current-users
Date: 01/11/2003 22:29:55

On Sat, Jan 11, 2003 at 10:13:45PM +0100, Ignatios Souvatzis wrote:
> Hi,
> 
> On Sat, Jan 11, 2003 at 09:47:54PM +0100, Manuel Bouyer wrote:
> > No, it's not restricted to the LAN. If you can make the system send you
> > a packet smaller than ETHER_MIN_LEN, and the system has a vulnerable driver,
> > the packet with the leaked data will be routed to your system.
> 
> But I would naively assume that a router operates at the IP level, and only
> sees the IP payload.
Hum, yes you're right.
At least NetBSD always trims the mbuf to the IP size and lets the interface
pad again, even in the fastforward case.
I've seen packets coming back with dirty padding, but it's because the
router has a vulnerable NIC, not because of the bug on the remote host.
This decreases the impact of this problem a lot.

> Hm... yes, I guess fast routers might just hand
> the buffer around to the next interface out, only replacing MAC addresses,
> hop count, and incrementally adjusting the IP checksum, in which case the
> additional information won't be stopped.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 23 years of experience will always make the difference
--
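
A receive-side check for the dirty padding discussed in this thread, as an added example that is not part of the original message or of NetBSD's code: it counts non-zero bytes that follow the IPv4 total length in a minimum-size frame. The function names and the constructed sample frames are assumptions; ETHER_MIN_LEN is taken as 64 bytes including the 4-byte CRC.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_HDR_LEN   14
#define ETHER_CRC_LEN   4
#define ETHER_MIN_LEN   64                      /* minimum frame, CRC included */
#define MIN_NOCRC       (ETHER_MIN_LEN - ETHER_CRC_LEN)

/* Count non-zero bytes between the end of the IPv4 datagram and the end of
 * the frame (frame given without CRC). -1: not a parsable IPv4 frame. */
int dirty_pad_bytes(const uint8_t *f, size_t len)
{
    if (len < ETHER_HDR_LEN + 20 || f[12] != 0x08 || f[13] != 0x00)
        return -1;
    const uint8_t *ip = f + ETHER_HDR_LEN;
    size_t ip_len = ((size_t)ip[2] << 8) | ip[3];   /* IP total length */
    if ((ip[0] >> 4) != 4 || ip_len < 20 || ETHER_HDR_LEN + ip_len > len)
        return -1;
    int dirty = 0;
    for (size_t i = ETHER_HDR_LEN + ip_len; i < len; i++)
        dirty += (f[i] != 0);
    return dirty;
}

/* Build a constructed 60-byte frame carrying a 28-byte IPv4 datagram in a
 * buffer that still holds earlier data. zero_pad=1 pads as a fixed driver would. */
size_t make_sample(uint8_t *buf, int zero_pad)
{
    const size_t ip_len = 28, used = ETHER_HDR_LEN + ip_len;
    memset(buf, 'S', MIN_NOCRC);                /* stale buffer contents */
    memset(buf, 0, used);                       /* headers, mostly zero here */
    buf[12] = 0x08; buf[13] = 0x00;             /* ethertype IPv4 */
    buf[14] = 0x45;                             /* version 4, IHL 5 */
    buf[16] = 0; buf[17] = (uint8_t)ip_len;     /* total length */
    if (zero_pad)
        memset(buf + used, 0, MIN_NOCRC - used);
    return MIN_NOCRC;
}

int main(void)
{
    uint8_t f[MIN_NOCRC];
    size_t n = make_sample(f, 0);
    printf("unzeroed pad: %d dirty bytes\n", dirty_pad_bytes(f, n));
    n = make_sample(f, 1);
    printf("zeroed pad:   %d dirty bytes\n", dirty_pad_bytes(f, n));
    return 0;
}
```

Run against frames captured on the segment next to the sender, a non-zero count points at the NIC that last padded the frame, which per the message above may be an intermediate router rather than the remote host.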