Linux 2.0.33 vulnerability: fragment patterns
X-RDate: Fri, 17 Apr 1998 11:24:22 +0600 (YEKST)
X-UIDL: 35317d3400000046
Date: Thu, 16 Apr 1998 15:09:56 +0100
From: Alan Cox <alan@CYMRU.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Linux 2.0.33 vulnerability: fragment patterns
Ok duplicated. There's an 'off by one IP header' bug
--- ip_fragment.c.old Thu Apr 16 12:25:34 1998
+++ ip_fragment.c Thu Apr 16 12:29:02 1998
@@ -375,7 +375,7 @@
fp = qp->fragments;
while(fp != NULL)
{
- if (fp->len < 0 || count+fp->len > skb->len)
+ if (fp->len < 0 || fp->offset+qp->ihlen+fp->len > skb->len)
{
NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
ip_free(qp);
