Re: [2.1.99] some fixes

Gerhard Mack (gmack@imag.net)
Mon, 4 May 1998 00:24:04 -0700 (PDT)


I bounced nestea off the box a few times; it's solid.
So the patch is already in .99.

On Sun, 3 May 1998, ADAM Sulmicki wrote:

> On Sun, 3 May 1998, Peter T. Breuer wrote:
>
> ->"A month of sundays ago David S. Miller wrote:"
> ->> +++ linux/net/ipv4/ip_fragment.c Sun May 3 16:34:48 1998
> ->> - if (fp->len < 0 || count+fp->len > skb->len) {
> ->> + if (fp->len < 0 || fp->offset+qp->ihlen+fp->len > skb->len) {
> ->> This fix is DEAD WRONG, the fix is already there in the code, look at
>
> ->?? I thought this was the nestea.c fix, as sent out by Alan? If the
> ->final fix wasn't this, I would like to see it posted somewhere. The
> ->comment I saw indicated an off by one count, and that this was the fix.
>
> The thing is that there are two fixes, one is by Alan
> the other is by David. They essentially do the same thing
> but in different ways. Still those are for **2.0.x** tree.
>
> As far as I know there has been only one fix for 2.1.x tree
> and it has been made by David, and it is already in 2.1.x tree.
>
> From davem@dm.cobaltmicro.com Sat Apr 18 13:12:20 1998
> From: "David S. Miller" <davem@dm.cobaltmicro.com>
> To: gmack@imag.net
> Cc: linux-kernel@vger.rutgers.edu, torvalds@transmeta.com,
> alan@lxorguk.ukuu.org.uk
> Date: Fri, 17 Apr 1998 19:19:47 -0700
> Subject: Re: 2.1.96 EXPLOIT was [rootshell] Security Bulletin #18 (fwd)
> Message-ID: <199804180219.TAA05394@dm.cobaltmicro.com>
>
> Date: Fri, 17 Apr 1998 18:30:36 -0700 (PDT)
> From: Gerhard Mack <gmack@imag.net>
>
> I found this in my email a few minutes ago. I immediately tested
> this on my system and to my horror it instantly rebooted.
>
> It's been fixed for 2 days, relax, here is a patch, it just hasn't
> made its way into Linus's 2.1.x tree yet:
>
> Index: net/ipv4/ip_fragment.c
> ===================================================================
> RCS file: /vger/u4/cvs/linux/net/ipv4/ip_fragment.c,v
> retrieving revision 1.33
> retrieving revision 1.36
> diff -u -r1.33 -r1.36
> --- ip_fragment.c 1998/03/19 08:34:08 1.33
> +++ ip_fragment.c 1998/04/18 02:13:07 1.36
> @@ -5,7 +5,7 @@
> *
> * The IP fragmentation functionality.
> *
> - * Version: $Id: ip_fragment.c,v 1.33 1998/03/19 08:34:08 davem Exp $
> + * Version: $Id: ip_fragment.c,v 1.36 1998/04/18 02:13:07 davem Exp $
> *
> * Authors: Fred N. van Kempen <waltje@uWalt.NL.Mugnet.ORG>
> * Alan Cox <Alan.Cox@linux.org>
> @@ -346,10 +346,9 @@
> memcpy(ptr, qp->iph, qp->ihlen);
> ptr += qp->ihlen;
>
> - count = 0;
> -
> /* Copy the data portions of all fragments into the new buffer. */
> fp = qp->fragments;
> + count = qp->ihlen;
> while(fp) {
> if (fp->len < 0 || count+fp->len > skb->len) {
> NETDEBUG(printk(KERN_ERR "Invalid fragment list: "
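Review bot: starting `count` at `qp->ihlen` puts the test `count+fp->len > skb->len` in the same units as `skb->len`, which already includes the header copied in before `ptr` was advanced; with `count = 0` the loop could accept `ihlen` more bytes of fragment data than the buffer holds. Note that the check still bounds the running sum of `fp->len` while the copy just below this hunk writes to `ptr + fp->offset`, so it is only sufficient if offsets were validated when the fragments were queued; a one-line comment pointing at that validation would save the next reader the search. Moving the initialization below `fp = qp->fragments;` is harmless but unnecessary; `count = qp->ihlen;` could stay where `count = 0;` was.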
> @@ -360,7 +359,7 @@
> return NULL;
> }
> memcpy((ptr + fp->offset), fp->ptr, fp->len);
> - if (!count) {
> + if (count == qp->ihlen) {
> skb->dst = dst_clone(fp->skb->dst);
> skb->dev = fp->skb->dev;
> }
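Review bot: `count == qp->ihlen` is the right sentinel now that `count` starts at the header length, but it depends on `count` being advanced by `fp->len` later in the loop (outside this hunk) and on the first fragment having non-zero length; a zero-length first fragment would make a later fragment set `dst`/`dev` too, exactly as `!count` did before. A short comment on the sentinel, or a separate first-fragment flag, would make the intent explicit rather than tied to the initial value.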
> @@ -376,7 +375,7 @@
> /* Done with all fragments. Fixup the new IP header. */
> iph = skb->nh.iph;
> iph->frag_off = 0;
> - iph->tot_len = htons((iph->ihl * 4) + count);
> + iph->tot_len = htons(count);
>
> ip_statistics.IpReasmOKs++;
> return skb;
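Review bot: `htons(count)` yields the same value the old `(iph->ihl * 4) + count` did only if `iph->ihl * 4` and `qp->ihlen` are the same quantity at this point; worth confirming, since otherwise `tot_len` silently changes meaning. It also still assumes the fragments tile the payload contiguously, because `count` sums the lengths copied rather than tracking the highest `offset + len` written through `ptr + fp->offset`.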
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.rutgers.edu
>

--
Gerhard Mack
irc admin centurion.starchat.net

gmack@imag.net innerfire@starchat.net

As a computer I find your faith in technology amusing.

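The off-by-a-header that the patch above corrects, modelled in C as an added example (not kernel code and not from anyone in the thread): `reassemble_check` replays the loop's bounds test with `count` starting at 0 (revision 1.33) or at `qp->ihlen` (1.36), and `highest_byte_written` shows where the `memcpy` to `ptr + fp->offset` would land. The `struct frag` and both function names are hypothetical.

```c
/* Model of the ip_fragment.c copy loop's bounds check. Hypothetical
 * names (frag, reassemble_check, highest_byte_written); not kernel code. */
#include <stddef.h>
#include <stdio.h>

struct frag { int offset; int len; };   /* payload-relative offset and length */

/* Returns 1 if the loop would accept every fragment, 0 if it would bail out
 * with "Invalid fragment list". skb_len is the whole reassembly buffer,
 * ihlen the IP header already copied in before the data. pre_patch==1
 * models revision 1.33 (count starts at 0), 0 models 1.36 (count = ihlen). */
int reassemble_check(const struct frag *fp, size_t n, int skb_len, int ihlen, int pre_patch)
{
    int count = pre_patch ? 0 : ihlen;
    for (size_t i = 0; i < n; i++) {
        if (fp[i].len < 0 || count + fp[i].len > skb_len)
            return 0;                    /* the NETDEBUG/return NULL path */
        count += fp[i].len;              /* advanced after the copy in the real loop */
    }
    return 1;
}

/* Highest byte index a copy to ptr + fp->offset would touch, counted from
 * the start of the buffer (ptr already sits ihlen bytes in). */
int highest_byte_written(const struct frag *fp, size_t n, int ihlen)
{
    int hi = -1;
    for (size_t i = 0; i < n; i++) {
        int end = ihlen + fp[i].offset + fp[i].len - 1;
        if (end > hi) hi = end;
    }
    return hi;
}

int main(void)
{
    /* Constructed input: 20-byte header in a 100-byte buffer, so 80 payload
     * bytes fit; these two fragments carry 100, i.e. ihlen bytes too many. */
    const struct frag fl[] = { { 0, 60 }, { 60, 40 } };
    int skb_len = 100, ihlen = 20;
    printf("1.33 check accepts: %d\n", reassemble_check(fl, 2, skb_len, ihlen, 1));
    printf("1.36 check accepts: %d\n", reassemble_check(fl, 2, skb_len, ihlen, 0));
    printf("last byte written: %d, buffer ends at %d\n",
           highest_byte_written(fl, 2, ihlen), skb_len - 1);
    return 0;
}
```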