Date: Mon, 28 Aug 2000 09:50:04 -0700 (PDT) From: Ruslan Ermilov <ru@FreeBSD.org> To: freebsd-bugs@FreeBSD.org Subject: Re: kern/20877: ICMP error msg on UDP port unreachable is incorrect Message-ID: <200008281650.JAA76236@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR kern/20877; it has been noted by GNATS. From: Ruslan Ermilov <ru@FreeBSD.org> To: Frank Volf <volf@oasis.IAEhv.nl> Cc: bug-followup@FreeBSD.org, Garrett Wollman <wollman@FreeBSD.org>, Sheldon Hearn <sheldonh@FreeBSD.org> Subject: Re: kern/20877: ICMP error msg on UDP port unreachable is incorrect Date: Mon, 28 Aug 2000 19:46:47 +0300 --EeQfGwPcQSOJBaQU Content-Type: text/plain; charset=us-ascii On Sun, Aug 27, 2000 at 07:45:22PM +0200, Frank Volf wrote: > > I disagree with the fact that you simply close this pr as being a duplicate > case of PR 16240. > > PR 16240 tries to address the generic problem, which is indeed present in > many network implementations and may or maynot be difficult to fix. > > Here, a very simple patch is presented for a special instance of 16240 > (an instance that occurs a lot, e.g. using udp based tracerouted). I see no > reason why this patch cannot be applied to FreeBSD. > The reason is simple -- your patch is wrong and incomplete. > If there *are* issues that I overlooked I would like to hear about them, > and have them properly discussed. > You overlooked (amongst other things) that ip_off field is also vulnerable. The basic idea is that all IP header fields SHOULD BE in host byte order right after the start of ip_input(), and ip_output() converts them back to network byte order. So in icmp_error() the bytes should still be in host byte order, this is even implied by the following piece of code: /* * Don't send error if not the first fragment of message. * Don't error if the old packet protocol was ICMP * error message, only known informational types. */ if (oip->ip_off &~ (IP_MF|IP_DF)) goto freeit; Attached is the patch that fixes part of problems with ICMP error generation. It could be applied to both 5.0-CURRENT and 4.1-STABLE. This patch is still incomplete, it misses the ip_output() portion of fixes. I will develop and test the remaining bits tomorrow and commit it along with this patch. Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age --EeQfGwPcQSOJBaQU Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=p Index: ip_icmp.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v retrieving revision 1.43 diff -u -p -r1.43 ip_icmp.c --- ip_icmp.c 2000/06/02 20:18:38 1.43 +++ ip_icmp.c 2000/08/28 16:28:41 @@ -191,7 +191,14 @@ icmp_error(n, type, code, dest, destifp) icp->icmp_code = code; bcopy((caddr_t)oip, (caddr_t)&icp->icmp_ip, icmplen); nip = &icp->icmp_ip; - nip->ip_len = htons((u_short)(nip->ip_len + oiplen)); + nip->ip_len += oiplen; + + /* + * Convert fields to network representation. + */ + HTONS(nip->ip_len); + HTONS(nip->ip_id); + HTONS(nip->ip_off); /* * Now, copy old ip header (without options) Index: ip_input.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_input.c,v retrieving revision 1.138 diff -u -p -r1.138 ip_input.c --- ip_input.c 2000/07/31 23:41:47 1.138 +++ ip_input.c 2000/08/28 16:28:41 @@ -1496,7 +1496,6 @@ ip_forward(m, srcrt) m_freem(m); return; } - HTONS(ip->ip_id); #ifdef IPSTEALTH if (!ipstealth) { #endif --EeQfGwPcQSOJBaQU-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200008281650.JAA76236>