1999 Mar 25
(Fwd) DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug
...cker
can effectively disable a target's IP connectivity. However, for the
attack to succeed, the attacker will have to deliver several thousand
packets to the target, which can take up to several minutes. A quick
exploit and the patch are appended to the end of this post.
The problem starts in ip_glue() in ip_fragment.c:
/* Copy the data portions of all fragments into the new buffer. */
fp = qp->fragments;
count = qp->ihlen;
while(fp) {
    if ((fp->len < 0) || ((count + fp->len) > skb->len))
        goto out_invalid;
    memcpy((ptr + fp->offset), fp->ptr, fp->len);...
1997 Nov 14
Linux IP fragment overlap bug (fwd)
...red. It
seems as though this bug (and patch) has gotten out, so here it is, in its
entirety.
As it happens, Linux has a serious bug in its IP fragmentation module.
More specifically, in the fragmentation reassembly code. More specifically,
the bug manifests itself in the `ip_glue()` function....
When Linux reassembles IP fragments to form the original IP datagram, it
runs in a loop, copying the payload from all the queued fragments into a newly
allocated buffer (which would then normally be passed to the IP layer proper).
From ip_fragment.c@376:
fp = qp-&g...