From owner-doc-jp@jp.freebsd.org  Thu Nov  5 15:43:25 1998
Received: (from daemon@localhost)
	by jaz.jp.freebsd.org (8.9.1+3.1W/8.7.3) id PAA11202;
	Thu, 5 Nov 1998 15:43:25 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from dell01.osb.pb.nttdata.co.jp ([202.158.1.126])
	by jaz.jp.freebsd.org (8.9.1+3.1W/8.7.3) with ESMTP id PAA11129
	for <doc-jp@jp.freebsd.org>; Thu, 5 Nov 1998 15:42:17 +0900 (JST)
	(envelope-from njt@nn.iij4u.or.jp)
Received: from localhost (njt@salix.njt.nn.iij4u.or.jp [172.16.10.3])
	by dell01.osb.pb.nttdata.co.jp (8.8.8/8.8.8) with ESMTP id NAA12257
	for <doc-jp@jp.freebsd.org>; Thu, 5 Nov 1998 13:40:06 +0700 (JAVT)
	(envelope-from njt@nn.iij4u.or.jp)
To: doc-jp@jp.freebsd.org
In-Reply-To: Your message of "Wed, 4 Nov 1998 20:37:28 +0100 (MET)"
	<199811041937.UAA12845@gvr.gvr.org>
References: <199811041937.UAA12845@gvr.gvr.org>
Mime-Version: 1.0
From: "Nakazato J. Takeshi" <njt@nn.iij4u.or.jp>
X-Mailer: Mew version 1.93 on Emacs 19.28 / Mule 2.3 (SUETSUMUHANA)
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Message-Id: <19981105133947S.njt@nn.iij4u.or.jp>
Date: Thu, 05 Nov 1998 13:39:47 +0700
X-Dispatcher: imput version 980905(IM100)
Lines: 128
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+980914
X-Sequence: doc-jp 5456
Subject: [doc-jp 5456] Translation of "ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-98:08.fragment"
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: njt@nn.iij4u.or.jp

My name is Nakazato.

I have translated the Security Advisory that was posted to Announce a
short while ago. Please review it.


---- $B$3$3$+$i(B ----

$BLuCp!'85$N(B
  Date: Wed, 4 Nov 1998 20:37:28 +0100 (MET)
  Subject: "ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-98:08.fragment"
  Message-ID: <199811041937.UAA12845@gvr.gvr.org>
  From: FreeBSD Security Officer <security-officer@FreeBSD.ORG> 
$B$O(B PGP $B=pL>$5$l$F$$$^$9!#(B



=============================================================================
FreeBSD-SA-98:08                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          IP fragmentation denial of service attack

Category:       core
Module:         kernel
Announced:      1998-11-04
Affects:        FreeBSD 3.0 and
		FreeBSD-current before the correction date.
Corrected:      FreeBSD-3.0 and FreeBSD-current as of 1998/10/27
FreeBSD only:   Yes

Patches:        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:08/

I.   $BGX7J(B
> I.   Background

IP $B%3%M%/%7%g%s$O(B 2 $BBf$N7W;;5!4V$G<u?.$5$l$k0lO"$N%Q%1%C%H$K$h$j@)8f$5(B
$B$l$k!#$"$k%Q%1%C%H$,!"C10l$N(B IP $B%Q%1%C%H$H$7$FAw?.$9$k$K$O(B ($BNc$($P%M%C(B
$B%H%o!<%/%$%s%?!<%U%'!<%9$N%O!<%I%&%'%"E*@)8BCM$K$h$j(B) $BBg$-$9$.$k>l9g$K(B
$B$O!"(B($B%U%i%0%a%s%H6X;_%U%i%0$K$h$C$F6X;_$5$l$F$$$J$$8B$j(B) $B%U%i%0%a%s%H(B
$B$H$7$FJ,3d$5$l$k$3$H$,$"$j$^$9!#:G=*E*$JAw?.@h$,!"$"$k(B IP $B%Q%1%C%H$NA4(B
$B$F$N%U%i%0%a%s%H$r:F$S$R$H$D$KAH$_N)$F$7$F(B (TCP $B$d(B UDP $B$N$h$&$J(B) $B>e0L(B
$BAX$KEO$7$^$9!#(B
> IP connections are controlled through a series of packets that are
> received by the two computers involved in the connection.  
> When packets are too large to be sent in a single IP packet (due to
> interface hardware limitations for example), they can be fragmented
> (unless prohibited by the Don't Fragment flag).
> The final destination will reassemble all the fragments of an IP packet
> and pass it to higher protocol layers (like TCP or UDP).

II.  $BLdBj$N>\:Y(B
> II.  Problem Description

IP $B%U%i%0%a%s%H$N:FAH$_N)$F%3!<%I$K!"%+!<%M%k%Q%K%C%/$r$R$-$*$3$92DG=(B
$B@-$N$"$k%P%0$,$"$j$^$9!#:FAH$_N)$F$9$k$HIT@5$J(B UDP $B%G!<%?%0%i%`$K$J$k(B
$B$h$&$JIT@5$J7A<0$N(B IP $B%Q%1%C%H$N%Z%"$r@8@.$7!"$=$l$rAw?.$9$k$3$H$G967b(B
$B$9$k$3$H$,2DG=$G$9!#$=$N$h$&$J(B UDP $B%G!<%?%0%i%`$O%5!<%P$r%Q%K%C%/$5$;!"(B
$B%/%i%C%7%e$5$;$^$9!#(B
> There is a bug in the IP fragment reassembly code that might lead
> to a kernel panic. An attacker can create and send a pair of
> malformed IP packets which are then reassembled into an invalid
> UDP datagram. Such an UDP datagram would then cause a server to
> panic and crash.


III. $B1F6A(B
> III. Impact

When this bug is exploited, the OS panics and reboots. This weakness
has been discussed in public security forums. Programs that attempt to
exploit this bug are circulating.
> When this bug is exploited the operating system will panic. This results
> in a reboot of the system.
> This vulnerability has been discussed in public security forums and
> exploit programs are circulating to take advantage of this bug.


IV.  Workaround
> IV.  Workaround

$B$J$7(B
> None.

V.   $B2r7hK!(B
> V.   Solution


    Index: ip_input.c
    ===================================================================
    RCS file: /home/cvsup/freebsd/CVS/src/sys/netinet/ip_input.c,v
    retrieving revision 1.102
    retrieving revision 1.103
    diff -u -u -r1.102 -r1.103
    --- ip_input.c	1998/10/16 03:55:01	1.102
    +++ ip_input.c	1998/10/27 09:11:41	1.103
    @@ -750,7 +750,7 @@
     	 * if they are completely covered, dequeue them.
     	 */
     	for (; q != NULL && ip->ip_off + ip->ip_len > GETIP(q)->ip_off;
    -	     p = q, q = nq) {
    +	     q = nq) {
     		i = (ip->ip_off + ip->ip_len) -
     		    GETIP(q)->ip_off;
     		if (i < GETIP(q)->ip_len) {
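
Review bot: The increment clause of the for loop now reads only `q = nq`, and nothing in the hunk records why `p = q` had to go. The comment above the loop says fully covered entries are dequeued, so with the old `p = q, q = nq` the pointer p could be left referring to an entry this loop had just dequeued; a one-line comment stating that p must remain the fragment preceding the new one would keep the assignment from being reintroduced later. Since advancing the loop now depends entirely on nq, it is also worth confirming that every path through the body (only its first three lines are visible here) assigns nq before the next iteration.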

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
Security notifications:         security-notifications@freebsd.org
Security public discussion:     freebsd-security@freebsd.org
PGP Key:                ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

$BCm0U(B: $BK\J8=qCf$K4^$^$l$k%Q%C%A$OEE;R=pL>$dEE;R%a!<%k%=%U%H%&%'%"$K$h$k(B
      $BJQ99$N$?$a!"$-$l$$$KEv$?$i$J$$$3$H$,$"$j$^$9!#I,MW$G$"$l$P!"K\J8(B
      $B=q$N@hF,$N(B URL $B%j%9%H$K$"$k%*%j%8%J%k$N%Q%C%A$r;2>H$7$F2<$5$$!#(B
Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
=============================================================================

---- $B$3$3$^$G(B ----

-- NJT
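
The fragmentation and reassembly described in the advisory's Background and Problem sections, shown from the receiving side as an added example (not part of the original message and not FreeBSD's code): a consistency check run over one datagram's fragments before reassembly. The advisory does not say how the packet pair is malformed, so the checks are the general IPv4 fragment rules; `struct frag`, `check_fragments` and the verdict names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical descriptor for one received fragment (not a FreeBSD
 * structure). off and len count bytes of IP payload. */
struct frag {
    uint32_t off;   /* fragment offset in bytes */
    uint32_t len;   /* payload length in bytes */
    int      more;  /* nonzero if More Fragments is set */
};

enum frag_verdict { FRAG_OK, FRAG_INCOMPLETE, FRAG_OVERLAP,
                    FRAG_MISALIGNED, FRAG_BAD_LENGTH, FRAG_BAD_LAST };

/* Largest payload: 65535-byte datagram minus the minimal 20-byte header. */
#define IP_MAXPAYLOAD (65535u - 20u)

/* Check one datagram's fragments, sorted by offset, before reassembly.
 * Overlapping sets are rejected instead of being trimmed. */
enum frag_verdict check_fragments(const struct frag *f, size_t n)
{
    uint32_t next = 0;  /* first payload byte not yet covered */
    int gap = 0;

    if (n == 0)
        return FRAG_INCOMPLETE;
    for (size_t i = 0; i < n; i++) {
        /* empty fragment, or one that runs past the maximum datagram */
        if (f[i].len == 0 || f[i].off > IP_MAXPAYLOAD ||
            f[i].len > IP_MAXPAYLOAD - f[i].off)
            return FRAG_BAD_LENGTH;
        /* offsets are in 8-byte units; only the final fragment's
         * length need not be a multiple of 8 */
        if (f[i].off % 8 != 0 || (f[i].more && f[i].len % 8 != 0))
            return FRAG_MISALIGNED;
        if (f[i].off < next)
            return FRAG_OVERLAP;
        if (f[i].off > next)
            gap = 1;
        /* data after a fragment that claimed to be the last one */
        if (!f[i].more && i + 1 < n)
            return FRAG_BAD_LAST;
        next = f[i].off + f[i].len;
    }
    /* a hole, or a final entry with More Fragments still set */
    return (gap || f[n - 1].more) ? FRAG_INCOMPLETE : FRAG_OK;
}
```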
