Date: Mon, 19 Aug 1996 18:22:29 +1000 (EST)
From: "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To: Warner Losh <imp@village.org>
Cc: hackers@FreeBSD.ORG
Subject: Re: ipfw vs ipfilter
Message-ID: <Pine.BSF.3.91.960819180150.11542C-100000@panda.hilink.com.au>
In-Reply-To: <199608181615.KAA00454@rover.village.org>
On Sun, 18 Aug 1996, Warner Losh wrote:

> One of our paranoid villagers recently did a code review on ipfw. He
> said it was OK, but found a couple of problems. Specifically, the
> code lacked comments, there was a bug in the IP header fragment
> discarding code (if the offset was one, it would discard the fragment,
> but not when it was 2, it should properly discard the fragment for all
> offsets > 0 < the size of the headers), it assumed that the user

It is not possible to overwrite the TCP flags area of a packet with a
fragment with offset of anything but 1. Fragmentation is only allowed for
the data payload of an IP packet, and fragment offset counting begins at
the start of the data section of the packet, irrespective of the size of
the IP headers. Since FO is counted in 8-byte counts, FO=1 means the data
from byte 8 to byte 15 (covering ack number, flags and window) while FO=2
covers bytes 16 to 23 (checksum, urgent pointer, options). Perhaps it
would be prudent to discard packets with FO=2, but I can't see how an
attack on checksum or Max Segment Size would work.

However, in normal Internet traffic, where the MTU is > 68 octets, the
minimum permitted MTU, it is perfectly reasonable to discard all packets
with 0 < FO < 7.

Danny
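The rule Danny arrives at (drop TCP fragments whose offset satisfies 0 < FO < 7) and the byte-to-field mapping he gives for FO=1 and FO=2 can be checked with a small filter function. The code below is an added example written for this archive page; it is not from the thread and not ipfw's fragment-handling code. The function and macro names (`tiny_fragment_drop`, `frag_payload_range`, `tcp_fields_at`, `FRAG_OFFMASK`, `TCP_MIN_FO`) are this example's own, and the 20-byte IPv4 headers it feeds itself are constructed samples with the checksum left at zero.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IPv4 header layout constants (RFC 791). Names are local to this example. */
#define FRAG_OFFMASK  0x1fffu   /* low 13 bits of bytes 6-7: offset in 8-byte units */
#define FRAG_MF       0x2000u   /* "more fragments" flag */
#define PROTO_TCP     6
#define TCP_MIN_FO    7         /* rule from the post: drop TCP fragments with 0 < FO < 7 */

/* Fragment offset, in 8-byte units, read from the flags/offset field (network byte order). */
unsigned ip_frag_offset(const uint8_t *ip)
{
    return (((unsigned)ip[6] << 8) | ip[7]) & FRAG_OFFMASK;
}

/* First and last transport-layer byte that a fragment with offset fo starts on.
 * Offsets count from the start of the IP payload, whatever the IP header length. */
void frag_payload_range(unsigned fo, unsigned *first, unsigned *last)
{
    *first = fo * 8;
    *last  = fo * 8 + 7;
}

/* TCP header fields living in the 8-byte block at fragment offset fo,
 * i.e. the mapping stated in the post. */
const char *tcp_fields_at(unsigned fo)
{
    switch (fo) {
    case 0:  return "source port, destination port, sequence number";
    case 1:  return "acknowledgement number, data offset/flags, window";
    case 2:  return "checksum, urgent pointer, start of options";
    default: return "options or payload";
    }
}

/* Filter decision: 1 = drop, 0 = pass. Only TCP is checked; a non-initial
 * fragment whose offset lies in (0, min_fo) is dropped. Truncated or
 * malformed IPv4 headers are dropped as well. */
int tiny_fragment_drop(const uint8_t *pkt, size_t len, unsigned min_fo)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 1;                               /* truncated or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl)
        return 1;                               /* bad header length */
    if (pkt[9] != PROTO_TCP)
        return 0;                               /* rule applies to TCP only */
    unsigned fo = ip_frag_offset(pkt);
    return fo > 0 && fo < min_fo;
}

/* Constructed sample: minimal 20-byte IPv4 header, checksum left at 0. */
void make_ipv4_header(uint8_t *buf, unsigned flags_off, uint8_t proto)
{
    memset(buf, 0, 20);
    buf[0] = 0x45;                              /* version 4, IHL 5 */
    buf[3] = 20;                                /* total length */
    buf[6] = (uint8_t)(flags_off >> 8);
    buf[7] = (uint8_t)(flags_off & 0xff);
    buf[8] = 64;                                /* TTL */
    buf[9] = proto;
}

int main(void)
{
    uint8_t h[20];
    unsigned fo, first, last;
    for (fo = 0; fo < 8; fo++) {
        make_ipv4_header(h, FRAG_MF | fo, PROTO_TCP);
        frag_payload_range(fo, &first, &last);
        printf("FO=%u covers TCP bytes %2u-%2u (%s): %s\n", fo, first, last,
               tcp_fields_at(fo),
               tiny_fragment_drop(h, sizeof h, TCP_MIN_FO) ? "drop" : "pass");
    }
    return 0;
}
```

The `min_fo` parameter is deliberately exposed: the post ties the value 7 to an MTU above the 68-octet minimum, so a filter on a link with smaller fragments would need a different bound. Note that the offset is read from the IP payload, not from the end of the IP header, which is exactly why a variable-length IP header does not change which TCP bytes FO=1 lands on.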