ipfw -- IP fragment denial of service

ID D7C1D00D-9D2E-11DA-8C1D-000E0C2E438A
Type freebsd
Reporter FreeBSD
Modified 2016-08-09T00:00:00


Problem description: The firewall maintains a pointer to layer 4 header information in the event that it needs to send a TCP reset or ICMP error message to discard packets. Due to incorrect handling of IP fragments, this pointer fails to get initialized.

Impact: An attacker can cause the firewall to crash by sending ICMP IP fragments to or through firewalls which match any reset, reject or unreach actions.

Workaround: Change any reset, reject or unreach actions to deny. It should be noted that this will result in packets being silently discarded.
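One way to find the rules the workaround applies to, as an added example that is not part of the original advisory: the script reads rules in `ipfw list` format on stdin and prints each rule whose action is reset, reject or unreach, followed by its deny form. The sample ruleset is constructed, and the handling of optional `set N` and `prob P` fields before the action is an assumption about the listing format.

```shell
#!/bin/sh
# Added example: flag ipfw rules that use the actions named in the advisory
# (reset, reject, unreach) and print the same rule with the action set to deny.

# Constructed sample in `ipfw list` layout (not taken from a real firewall).
sample_rules() {
    cat <<'EOF'
00100 allow ip from any to any via lo0
00200 reset tcp from any to any dst-port 113
00300 unreach port udp from any to any
00400 prob 0.500000 reject ip from any to me
65535 deny ip from any to any
EOF
}

# Reads rules on stdin; for every affected rule prints the original line as a
# comment and then the rewritten rule. Unaffected rules produce no output.
audit_rules() {
    awk '
    {
        i = 2                              # field 1 is the rule number
        if ($i == "set")  i += 2           # assumed optional "set N"
        if ($i == "prob") i += 2           # assumed optional "prob P"
        act = $i
        if (act != "reset" && act != "reject" && act != "unreach") next
        drop = (act == "unreach") ? 1 : 0  # unreach carries a code argument
        out = $1
        for (j = 2; j < i; j++) out = out " " $j
        out = out " deny"                  # deny takes no argument
        for (j = i + 1 + drop; j <= NF; j++) out = out " " $j
        print "# affected: " $0
        print out
    }'
}

# Stand-alone run over the constructed sample.
sample_rules | audit_rules
```

On a live firewall the input would come from `ipfw list`; the rewritten rules silently discard the matching packets, as the advisory notes.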