Security Advisory: FreeBSD-SA-00:23.ip-options

2000-06-23T00:00:00
ID SECURITYVULNS:DOC:375
Type securityvulns
Reporter Securityvulns
Modified 2000-06-23T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----

============================================================================= FreeBSD-SA-00:23 Security Advisory FreeBSD, Inc.

Topic: Remote denial-of-service in IP stack

Category: core Module: kernel Announced: 2000-06-19 Affects: FreeBSD systems prior to the correction date Credits: NetBSD Security Advisory 2000-002, and Jun-ichiro itojun Hagino <itojun@kame.net> Corrected: (Several bugs fixed, the date below is that of the most recent fix) 2000-06-08 (3.4-STABLE) 2000-06-08 (4.0-STABLE) 2000-06-02 (5.0-CURRENT) FreeBSD only: NO

I. Background

II. Problem Description

There are several bugs in the processing of IP options in the FreeBSD IP stack, which fail to correctly bounds-check arguments and contain other coding errors leading to the possibility of data corruption and a kernel panic upon reception of certain invalid IP packets.

This set of bugs includes the instance of the vulnerability described in NetBSD Security Advisory 2000-002 (see ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-002.txt.asc) as well as other bugs with similar effect.

III. Impact

Remote users can cause a FreeBSD system to panic and reboot.

IV. Workaround

None available.

V. Solution

One of the following:

1) Upgrade your FreeBSD system to 3.4-STABLE, 4.0-STABLE or 5.0-CURRENT after the respective correction dates.

2) Apply the patch below and recompile your kernel.

Either save this advisory to a file, or download the patch and detached PGP signature from the following locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff.asc

cd /usr/src/sys/netinet

patch -p < /path/to/patch_or_advisory

[ Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system ]

Index: ip_icmp.c
===================================================================
RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.39
diff -u -r1.39 ip_icmp.c
--- ip_icmp.c       2000/01/28 06:13:09     1.39
+++ ip_icmp.c       2000/06/08 15:26:39
@@ -662,8 +662,11 @@
                        if &#40;opt == IPOPT_NOP&#41;
                                len = 1;
                        else {
+                               if &#40;cnt &lt; IPOPT_OLEN + sizeof&#40;*cp&#41;&#41;
+                                       break;
                                len = cp[IPOPT_OLEN];
-                               if &#40;len &lt;= 0 || len &gt; cnt&#41;
+                               if &#40;len &lt; IPOPT_OLEN + sizeof&#40;*cp&#41; ||
+                                   len &gt; cnt&#41;
                                        break;
                        }
                        /*
Index: ip_input.c
===================================================================
RCS file: /ncvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.130
diff -u -r1.130 ip_input.c
--- ip_input.c      2000/02/23 20:11:57     1.130
+++ ip_input.c      2000/06/08 15:25:46
@@ -1067,8 +1067,12 @@
            if &#40;opt == IPOPT_NOP&#41;
                    optlen = 1;
            else {
+                   if &#40;cnt &lt; IPOPT_OLEN + sizeof&#40;*cp&#41;&#41; {
+                           code = &amp;cp[IPOPT_OLEN] - &#40;u_char *&#41;ip;
+                           goto bad;
+                   }
                    optlen = cp[IPOPT_OLEN];
-                   if &#40;optlen &lt;= 0 || optlen &gt; cnt&#41; {
+                   if &#40;optlen &lt; IPOPT_OLEN + sizeof&#40;*cp&#41; || optlen &gt; cnt&#41; {
                            code = &amp;cp[IPOPT_OLEN] - &#40;u_char *&#41;ip;
                            goto bad;
                    }
@@ -1174,6 +1178,10 @@
                    break;

            case IPOPT_RR:
+                   if &#40;optlen &lt; IPOPT_OFFSET + sizeof&#40;*cp&#41;&#41; {
+                           code = &amp;cp[IPOPT_OFFSET] - &#40;u_char *&#41;ip;
+                           goto bad;
+                   }
                    if &#40;&#40;off = cp[IPOPT_OFFSET]&#41; &lt; IPOPT_MINOFF&#41; {
                            code = &amp;cp[IPOPT_OFFSET] - &#40;u_char *&#41;ip;
                            goto bad;
Index: ip_output.c
===================================================================
RCS file: /ncvs/src/sys/netinet/ip_output.c,v
retrieving revision 1.99
diff -u -r1.99 ip_output.c
--- ip_output.c     2000/03/09 14:57:15     1.99
+++ ip_output.c     2000/06/08 15:27:08
@@ -1302,8 +1302,10 @@
            if &#40;opt == IPOPT_NOP&#41;
                    optlen = 1;
            else {
+                   if &#40;cnt &lt; IPOPT_OLEN + sizeof&#40;*cp&#41;&#41;
+                           goto bad;
                    optlen = cp[IPOPT_OLEN];
-                   if &#40;optlen &lt;= IPOPT_OLEN || optlen &gt; cnt&#41;
+                   if &#40;optlen &lt; IPOPT_OLEN + sizeof&#40;*cp&#41; || optlen &gt; cnt&#41;
                            goto bad;
            }
            switch &#40;opt&#41; {

-----BEGIN PGP SIGNATURE----- Version: 2.6.2

iQCVAwUBOU3tLFUuHi5z0oilAQGR8AP/UbWPEYtE9Z5UAlesutOSp6UcHnl+6Gga nglpEBloBsf81J53nkLbf02rWQedb1BhROL1i+df9J328sCF/Tpci04bmdSAtiox EwDim4AlTjn4PqjlHyX1jf1mi0sMgxSuI5bBPuiVfsdYRbd96+AEbftfR9BuyqbB m6dFcBN5+y0= =A1Fk -----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message