Date: Wed, 5 May 1999 16:47:34 -0700
From: Don Lewis <Don.Lewis@tsc.tdk.com>
To: Don Lewis <Don.Lewis@tsc.tdk.com>, The Tech-Admin Dude <geniusj@phoenix.unacom.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: freebsd mbuf crash
Message-ID: <199905052347.QAA10103@salsa.gv.tsc.tdk.com>
In-Reply-To: Don Lewis <Don.Lewis@tsc.tdk.com> "Re: freebsd mbuf crash" (May 5, 4:15pm)
On May 5, 4:15pm, Don Lewis wrote:
} Subject: Re: freebsd mbuf crash
} On May 5, 12:35am, The Tech-Admin Dude wrote:
} } Subject: Re: freebsd mbuf crash
} } Raise NMBCLUSTERS in kernel config file
}
} That's the fix for FreeBSD panics caused by running out of mbuf clusters.
}
} The exploit code that was posted triggered a bug in the IP reassembly code
} that was present in 3.0 between August and October last year (ip_input.c
} versions 1.100 through 1.102).

I retract this statement. At first I thought the code was the nestea2 exploit from late last year, but I now believe it is a different exploit. Its use of a large number of IP options and fragmented TCP packets makes it resemble a potential way of sneaking TCP packets through a packet filtering firewall that filters by port numbers, by overlaying the fragments so that the desired port number in the second fragment overwrites the port number in the first fragment that the firewall allowed through (but FreeBSD's IP reassembly algorithm never allowed FreeBSD to be attacked in this manner as an end system, so far as I know).

This isn't what the code is trying to exploit, though. It's probably something related to fragment reassembly, IP option processing, or the sending of TCP RSTs in response to unsolicited packets.
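As an added example, not code from this thread or from FreeBSD's reassembly code: a small Python audit of a fragment set that flags a later fragment overwriting bytes an earlier fragment already supplied, which is the check a filter or IDS applies to reject the port-overlay described above. Fragment layout, field names and the sample values are constructed for illustration.

```python
# Constructed illustration; not the FreeBSD kernel's ip_input.c logic.
from dataclasses import dataclass

TCP_PORT_BYTES = range(0, 4)   # source port (bytes 0-1) and destination port (bytes 2-3)


@dataclass
class Fragment:
    offset: int   # fragment offset from the IP header, in 8-byte units
    data: bytes   # transport-layer bytes carried by this fragment


def audit_fragments(frags):
    """Walk fragments in arrival order and return a list of findings.

    A finding is produced when a later fragment re-covers byte positions an
    earlier fragment already delivered but with different contents (a
    conflicting overlap). Each finding records whether the overwritten
    bytes include the TCP port fields that a port-based filter would have
    inspected in the first fragment.
    """
    seen = {}       # absolute byte position -> value from the first fragment to carry it
    findings = []
    for idx, frag in enumerate(frags):
        start = frag.offset * 8
        conflict = []
        for i, byte in enumerate(frag.data):
            pos = start + i
            if pos in seen:
                if seen[pos] != byte:
                    conflict.append(pos)
            else:
                seen[pos] = byte
        if conflict:
            findings.append({
                "fragment": idx,
                "conflicting_bytes": conflict,
                "overwrites_ports": any(p in TCP_PORT_BYTES for p in conflict),
            })
    return findings


# Constructed sample: fragment 0 carries a 20-byte TCP header for 1234 -> 80;
# fragment 1 re-covers offset 0 with destination port 23; fragment 2 is clean.
SAMPLE = [
    Fragment(0, bytes([0x04, 0xD2, 0x00, 0x50]) + bytes(16)),
    Fragment(0, bytes([0x04, 0xD2, 0x00, 0x17]) + bytes(16)),
    Fragment(3, b"payload"),
]

if __name__ == "__main__":
    for finding in audit_fragments(SAMPLE):
        print(finding)
```

A reassembler that drops the whole datagram on any conflicting overlap, rather than letting the later fragment win, never sees the overlaid port.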