From owner-freebsd-bugs Mon Aug 28 9:50:17 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id B3F4E37B423 for ; Mon, 28 Aug 2000 09:50:04 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id JAA76236; Mon, 28 Aug 2000 09:50:04 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Date: Mon, 28 Aug 2000 09:50:04 -0700 (PDT)
Message-Id: <200008281650.JAA76236@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From: Ruslan Ermilov
Subject: Re: kern/20877: ICMP error msg on UDP port unreachable is incorrect
Reply-To: Ruslan Ermilov
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR kern/20877; it has been noted by GNATS.

From: Ruslan Ermilov
To: Frank Volf
Cc: bug-followup@FreeBSD.org, Garrett Wollman, Sheldon Hearn
Subject: Re: kern/20877: ICMP error msg on UDP port unreachable is incorrect
Date: Mon, 28 Aug 2000 19:46:47 +0300

--EeQfGwPcQSOJBaQU
Content-Type: text/plain; charset=us-ascii

On Sun, Aug 27, 2000 at 07:45:22PM +0200, Frank Volf wrote:
>
> I disagree with the fact that you simply close this pr as being a duplicate
> case of PR 16240.
>
> PR 16240 tries to address the generic problem, which is indeed present in
> many network implementations and may or may not be difficult to fix.
>
> Here, a very simple patch is presented for a special instance of 16240
> (an instance that occurs a lot, e.g. using udp based tracerouted). I see no
> reason why this patch cannot be applied to FreeBSD.
>
The reason is simple -- your patch is wrong and incomplete.

> If there *are* issues that I overlooked I would like to hear about them,
> and have them properly discussed.
>
You overlooked (amongst other things) that the ip_off field is also vulnerable.

The basic idea is that all IP header fields SHOULD BE in host byte order
right after the start of ip_input(), and ip_output() converts them back
to network byte order. So in icmp_error() the bytes should still be in
host byte order; this is even implied by the following piece of code:

        /*
         * Don't send error if not the first fragment of message.
         * Don't error if the old packet protocol was ICMP
         * error message, only known informational types.
         */
        if (oip->ip_off &~ (IP_MF|IP_DF))
                goto freeit;

Attached is the patch that fixes part of the problems with ICMP error
generation. It could be applied to both 5.0-CURRENT and 4.1-STABLE.

This patch is still incomplete; it misses the ip_output() portion of the
fixes. I will develop and test the remaining bits tomorrow and commit it
along with this patch.

Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age --EeQfGwPcQSOJBaQU Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=p Index: ip_icmp.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v retrieving revision 1.43 diff -u -p -r1.43 ip_icmp.c --- ip_icmp.c 2000/06/02 20:18:38 1.43 +++ ip_icmp.c 2000/08/28 16:28:41 @@ -191,7 +191,14 @@ icmp_error(n, type, code, dest, destifp) icp->icmp_code = code; bcopy((caddr_t)oip, (caddr_t)&icp->icmp_ip, icmplen); nip = &icp->icmp_ip; - nip->ip_len = htons((u_short)(nip->ip_len + oiplen)); + nip->ip_len += oiplen; + + /* + * Convert fields to network representation. + */ + HTONS(nip->ip_len); + HTONS(nip->ip_id); + HTONS(nip->ip_off); /* * Now, copy old ip header (without options) Index: ip_input.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_input.c,v retrieving revision 1.138 diff -u -p -r1.138 ip_input.c --- ip_input.c 2000/07/31 23:41:47 1.138 +++ ip_input.c 2000/08/28 16:28:41 @@ -1496,7 +1496,6 @@ ip_forward(m, srcrt) m_freem(m); return; } - HTONS(ip->ip_id); #ifdef IPSTEALTH if (!ipstealth) { #endif --EeQfGwPcQSOJBaQU-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
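
Review bot: in the icmp_error() hunk of ip_icmp.c, the three HTONS() calls are only correct if every caller hands in a header whose ip_len, ip_id and ip_off are still in host byte order, and the new comment ("Convert fields to network representation.") does not state that. Spell the precondition out in the comment and check each call site against it, because a caller that has already converted one of these fields would now get it swapped a second time in the quoted header.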
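
Review bot: in the ip_forward() hunk of ip_input.c, dropping HTONS(ip->ip_id) leaves ip_id in host byte order for the rest of the function, including the header that is eventually transmitted, while the message says the ip_output() portion of the fix is not written yet. Commit this removal together with the ip_output() change rather than on its own, and confirm that nothing between this point and the send still expects ip_id in network byte order.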
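
The byte-order rule described in the message can be checked from the receiving side, as an added example that is not part of the original message or of the FreeBSD sources. It models the removed and added lines of the icmp_error() hunk and reports which quoted fields come back byte-swapped; struct host_ip, quote_header(), swapped_fields() and demo() are hypothetical names, and the sample values are constructed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not kernel code: the 16-bit IPv4 fields as held in
 * memory after ip_input(), i.e. host byte order, with ip_len already
 * reduced by the header length (the hunk adds oiplen back). */
struct host_ip { uint16_t len, id, off; };
enum { F_LEN = 1, F_ID = 2, F_OFF = 4 };

/* Build the 20-byte option-less header quoted in an ICMP error.
 * patched == 0: only ip_len converted (the removed line);
 * patched != 0: ip_len, ip_id and ip_off converted (the added lines). */
static void quote_header(const struct host_ip *h, int patched, uint8_t q[20])
{
    uint16_t len = htons((uint16_t)(h->len + 20));
    uint16_t id  = patched ? htons(h->id)  : h->id;
    uint16_t off = patched ? htons(h->off) : h->off;
    memset(q, 0, 20);
    q[0] = 0x45;                 /* version 4, header length 5 words */
    memcpy(q + 2, &len, 2);      /* raw memory copy, as bcopy() does */
    memcpy(q + 4, &id, 2);
    memcpy(q + 6, &off, 2);
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint16_t swap16(uint16_t v)     { return (uint16_t)(v << 8 | v >> 8); }

/* Receiver-side check: bitmask of quoted fields that differ from what
 * was sent but equal its byte-swapped value, i.e. fields that a
 * little-endian sender quoted in host order. */
static unsigned swapped_fields(const uint8_t q[20], uint16_t len,
                               uint16_t id, uint16_t off)
{
    unsigned m = 0;
    if (be16(q + 2) != len && be16(q + 2) == swap16(len)) m |= F_LEN;
    if (be16(q + 4) != id  && be16(q + 4) == swap16(id))  m |= F_ID;
    if (be16(q + 6) != off && be16(q + 6) == swap16(off)) m |= F_OFF;
    return m;
}

/* Constructed sample: 60-byte datagram, id 0x1234, DF set (0x4000). */
static unsigned demo(int patched)
{
    struct host_ip h = { 40, 0x1234, 0x4000 };
    uint8_t q[20];
    quote_header(&h, patched, q);
    return swapped_fields(q, 60, 0x1234, 0x4000);
}
int main(void) { printf("old=%u patched=%u\n", demo(0), demo(1)); return 0; }
```

On a big-endian host both modes report 0, since host and network byte order coincide there.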