4.2 ip_dooptions() is not paranoid
rws at Mit-Bold.ARPA
Fri Apr 13 16:39:46 AEST 1984
From: Robert W. Scheifler <rws at Mit-Bold.ARPA>
Description:
IP options are not adequately sanity-checked. In particular,
the option length is not checked to be reasonable. A zero
length option will cause the machine to hang, executing
a for loop in ip_dooptions() forever at netisr.
Repeat-By:
Send your enemies a bogus IP option specifying a zero option
length. Watch with glee as their machines hang.
Fix:
Other checks may be necessary, but in ip_dooptions you at least
need to change lines

		else
			optlen = cp[1];

to

		else {
			optlen = cp[1];
			if (optlen <= 0 || optlen > cnt)
				goto bad;
		}
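
The length check from the fix above, as an added example that is not part of the original post or of the 4.2BSD source: a stand-alone C walker over an options area, run with and without the check. The function name, return codes, sample bytes, the iteration cap and the `cnt < 2` guard are assumptions made for this demo.

```c
#include <stdio.h>

#define IPOPT_EOL 0            /* end of option list */
#define IPOPT_NOP 1            /* one-byte padding option */
enum { WALK_BAD = -1, WALK_STALLED = -2 };

/* Constructed sample option areas (not captured traffic). */
static const unsigned char good_opts[] = { 1, 1, 7, 3, 4, 0, 0, 0 }; /* NOP NOP opt(len 3) EOL */
static const unsigned char zero_len[]  = { 7, 0, 0, 0 };            /* optlen == 0 */
static const unsigned char too_long[]  = { 7, 40, 4, 0 };           /* optlen > cnt */

/*
 * Walk an options area with the same loop shape the report describes.
 * checked != 0 applies the length test from the fix; checked == 0 leaves
 * optlen unvalidated. max_iter is a demo-only cap so the unchecked walk
 * returns WALK_STALLED instead of spinning forever.
 * Returns the number of options seen, or WALK_BAD / WALK_STALLED.
 */
int walk_options(const unsigned char *cp, int cnt, int checked, int max_iter)
{
    int optlen, seen = 0, iter = 0;

    for (; cnt > 0; cnt -= optlen, cp += optlen) {
        if (++iter > max_iter)
            return WALK_STALLED;   /* no forward progress: optlen was 0 */
        if (cp[0] == IPOPT_EOL)
            break;
        if (cp[0] == IPOPT_NOP) {
            optlen = 1;
        } else {
            if (cnt < 2)           /* demo guard: length byte must be inside the area */
                return WALK_BAD;
            optlen = cp[1];
            if (checked && (optlen <= 0 || optlen > cnt))
                return WALK_BAD;   /* the "goto bad" path of the fix */
        }
        seen++;
    }
    return seen;
}

int main(void)
{
    printf("good, checked:       %d\n", walk_options(good_opts, (int)sizeof good_opts, 1, 1000));
    printf("zero len, unchecked: %d\n", walk_options(zero_len, (int)sizeof zero_len, 0, 1000));
    printf("zero len, checked:   %d\n", walk_options(zero_len, (int)sizeof zero_len, 1, 1000));
    printf("too long, checked:   %d\n", walk_options(too_long, (int)sizeof too_long, 1, 1000));
    return 0;
}
```
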