Re: teardrop and Linux as a router

Krzysztof G. Baranowski (kgb@manjak.knm.org.pl)
Sun, 23 Nov 1997 12:51:51 +0100 (MET)

While testing the million monkey theory, Marcelo Mercio Dandrea said:

> Its possible to patch the kernel to not only be resistent to
>teardrop ip frags but also, when the machine has Ip_forwarding compiled
>in, dump these frags instead of passing them along ?
IP firewalling code does its job. Excerpts from ip_fw.c:

[...]
if(ip->protocol==IPPROTO_TCP && (ip->ihl<<2)+16 > ntohs(ip->tot_len))
return FW_BLOCK;
[...]
else if((ntohs(ip->tot_len)<8+(ip->ihl<<2))&&(ip->protocol==IPPROTO_TCP \
|| ip->protocol==IPPROTO_UDP))
return FW_BLOCK;
[...]

methinks that blocking those "ugly" packets without any notification
is a crime ;-) What about a simple patch ? (attached below)

Cheers,
Kris

--
Krzysztof G. Baranowski - President of the Harmless Manyacs' Club
"F0 0F C7 C8 - The Four Bytes of the Apocalypse" - Mel Harper, a.s.r.
http://www.knm.org.pl/                     <prezes@manjak.knm.org.pl>




--- linux/net/ipv4/ip_fw.c~	Thu Nov 20 15:27:00 1997
+++ linux/net/ipv4/ip_fw.c	Fri Nov 21 15:00:27 1997
@@ -253,9 +253,11 @@
 	 *	checks.
 	 */
 	 
-	if (offset == 1 && ip->protocol == IPPROTO_TCP)
+	if (offset == 1 && ip->protocol == IPPROTO_TCP) {
+		printk("Suspect TCP packet\n");
 		return FW_BLOCK;
-		
+	}		
+
 	if (offset!=0 && !(mode & (IP_FW_MODE_ACCT_IN|IP_FW_MODE_ACCT_OUT)) &&
 		(ip->protocol == IPPROTO_TCP || ip->protocol == IPPROTO_UDP ||
 			ip->protocol == IPPROTO_ICMP))
@@ -265,18 +267,28 @@
 	 *	 Header fragment for TCP is too small to check the bits.
 	 */
 	 
-	if(ip->protocol==IPPROTO_TCP && (ip->ihl<<2)+16 > ntohs(ip->tot_len))
+	if(ip->protocol==IPPROTO_TCP && (ip->ihl<<2)+16 > ntohs(ip->tot_len)) {
+		printk("Suspect TCP packet: header too short\n");
 		return FW_BLOCK;
-	
+	}
 	/*
 	 *	Too short.
 	 *
 	 *	But only too short for a packet with ports...
 	 */
 	 
-	else if((ntohs(ip->tot_len)<8+(ip->ihl<<2))&&(ip->protocol==IPPROTO_TCP || ip->protocol==IPPROTO_UDP))
+	else if((ntohs(ip->tot_len)<8+(ip->ihl<<2))&&(ip->protocol==IPPROTO_TCP || ip->protocol==IPPROTO_UDP)) {
+		switch(ip->protocol) {
+		case IPPROTO_TCP:
+			printk("Suspect TCP packet: too short\n");
+			break;
+		case IPPROTO_UDP:
+			printk("Suspect UDP packet: too short\n");
+			break;
+		}
 		return FW_BLOCK;
-		
+	}
+	
 	src = ip->saddr;
 	dst = ip->daddr;