Displaying 1 result from an estimated 1 matches for "ihlen".
Did you mean:
hlen
1999 Mar 25
0
(Fwd) DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug
...l thousand
packets to the target, which can take up to several minutes. A quick
exploit and the patch are appended to the end of this post.
The problem starts in ip_glue() in ip_fragment.c:
/* Copy the data portions of all fragments into the new buffer. */
fp = qp->fragments;
count = qp->ihlen;
while(fp) {
if ((fp->len < 0) || ((count + fp->len) > skb->len))
goto out_invalid;
memcpy((ptr + fp->offset), fp->ptr, fp->len);
if (count == qp->ihlen) {
skb->dst = dst_clone(fp->skb->dst);
skb->dev = fp->skb->dev;
}
count += fp->...