search for: ip_glue

...cker can effectively disable a target's IP connectivity. However, for the attack to succeed, the attacker will have to deliver several thousand packets to the target, which can take up to several minutes. A quick exploit and the patch are appended to the end of this post. The problem starts in ip_glue() in ip_fragment.c: /* Copy the data portions of all fragments into the new buffer. */ fp = qp->fragments; count = qp->ihlen; while(fp) { if ((fp->len < 0) || ((count + fp->len) > skb->len)) goto out_invalid; memcpy((ptr + fp->offset), fp->ptr, fp->len);...

...red. It seems as though this bug (and patch) has gotten out, so here it is, in it''s entirety. As it happens, Linux has a serious bug in it''s IP fragmentation module. More specifically, in the fragmentation reassembly code. More specifically, the bug manifests itself in the `ip_glue()` function.... When Linux reassembles IP fragments to form the original IP datagram, it runs in a loop, copying the payload from all the queued fragments into a newly allocated buffer (which would then normally be passed to the IP layer proper). >From ip_fragment.c@376: fp = qp-&g...