Synopsis: IP options denial of service

Synopsis: IP options denial of service
NetBSD versions: NetBSD 1.4.2
Thanks to: Jason Thorpe, Bill Sommerfeld
Reported in NetBSD Security Advisory: SA2000-002

*** sys/netinet/ip.h.orig 1998/02/10 01:26:44 1.18
--- sys/netinet/ip.h 2000/05/05 03:06:42 1.18.8.1
***************
*** 68,74 ****
u_int8_t ip_p; /* protocol */
u_int16_t ip_sum; /* checksum */
struct in_addr ip_src, ip_dst; /* source and dest address */
! };

#define IP_MAXPACKET 65535 /* maximum packet size */

--- 68,74 ----
u_int8_t ip_p; /* protocol */
u_int16_t ip_sum; /* checksum */
struct in_addr ip_src, ip_dst; /* source and dest address */
! } __attribute__((__packed__));

#define IP_MAXPACKET 65535 /* maximum packet size */

***************
*** 142,149 ****
struct ipt_ta {
struct in_addr ipt_addr;
n_time ipt_time;
! } ipt_ta[1];
! } ipt_timestamp;
};

/* flag bits for ipt_flg */
--- 142,149 ----
struct ipt_ta {
struct in_addr ipt_addr;
n_time ipt_time;
! } ipt_ta[1] __attribute__((__packed__));
! } ipt_timestamp __attribute__((__packed__));
};

/* flag bits for ipt_flg */

*** sys/netinet/ip_input.c.orig 2000/03/02 10:24:18 1.82.2.5
--- sys/netinet/ip_input.c 2000/05/06 16:43:25 1.82.2.6
***************
*** 919,925 ****
break;
}
off--; /* 0 origin */
! if (off > optlen - sizeof(struct in_addr)) {
/*
* End of source route. Should be for us.
*/
--- 919,925 ----
break;
}
off--; /* 0 origin */
! if ((off + sizeof(struct in_addr)) > optlen) {
/*
* End of source route. Should be for us.
*/
***************
*** 961,967 ****
* If no space remains, ignore.
*/
off--; /* 0 origin */
! if (off > optlen - sizeof(struct in_addr))
break;
bcopy((caddr_t)(&ip->ip_dst), (caddr_t)&ipaddr.sin_addr,
sizeof(ipaddr.sin_addr));
--- 961,967 ----
* If no space remains, ignore.
*/
off--; /* 0 origin */
! if ((off + sizeof(struct in_addr)) > optlen)
break;
bcopy((caddr_t)(&ip->ip_dst), (caddr_t)&ipaddr.sin_addr,
sizeof(ipaddr.sin_addr));