Message-Id: <200006220154.e5M1sI057810@koga.do.mms.mt.nec.co.jp>
To: doc-jp@jp.freebsd.org
Date: Thu, 22 Jun 2000 10:54:18 +0900 (JST)
From: Koga Youichirou <y-koga@jp.freebsd.org>
Subject: [doc-jp 7473] FreeBSD-SA-00:23

I have a feeling this hasn't gone out to any of announce, announce-jp, or freebsd-security, but since it has been published, I'm posting it to doc-jp for now.

The remaining gap in the original numbering is FreeBSD-SA-00:24.

=============================================================================
FreeBSD-SA-00:23                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:		Remote denial-of-service in IP stack

Category:	core
Module:		kernel
Announced:	2000-06-19
Affects:	FreeBSD systems prior to the correction date
Credits:	NetBSD Security Advisory 2000-002, and
		Jun-ichiro itojun Hagino <itojun@kame.net>
Corrected:	(Several bugs fixed, the date below is that of the most
		recent fix)
		2000-06-08 (3.4-STABLE)
		2000-06-08 (4.0-STABLE)
		2000-06-02 (5.0-CURRENT)
FreeBSD only:	NO

I.   Background

II.  Problem Description

There are several bugs in the processing of IP options in the FreeBSD
IP stack, which fail to correctly bounds-check arguments and contain
other coding errors leading to the possibility of data corruption and
a kernel panic upon reception of certain invalid IP packets.

This set of bugs includes the instance of the vulnerability described
in NetBSD Security Advisory 2000-002 (see
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-002.txt.asc)
as well as other bugs with similar effect.
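As an added example (not part of the advisory or of the FreeBSD source), a stand-alone C validator that applies the option-length rules the patch introduces to ip_dooptions(): the pre-check that a length byte actually exists, the minimum option length of two, the bound against the remaining option bytes, and the extra pointer-byte check for IPOPT_RR. The IPOPT_* constants mirror the values in <netinet/ip.h>; the function name and the sample byte arrays are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Option-format constants, same values as in <netinet/ip.h>. */
#define IPOPT_EOL     0
#define IPOPT_NOP     1
#define IPOPT_RR      7
#define IPOPT_OLEN    1   /* offset of the option length byte   */
#define IPOPT_OFFSET  2   /* offset of the RR/SRR pointer byte  */
#define IPOPT_MINOFF  4   /* smallest legal pointer value       */

/* Validate an IPv4 option area (opts = first option byte, cnt = number of
 * option bytes).  Returns -1 if every option is well-formed, otherwise the
 * offset of the offending byte (what ip_dooptions() records in `code`). */
long ip_options_first_bad(const uint8_t *opts, size_t cnt)
{
    size_t i = 0;
    while (i < cnt) {
        const uint8_t *cp = opts + i;
        size_t left = cnt - i, optlen;
        if (cp[0] == IPOPT_EOL)
            break;
        if (cp[0] == IPOPT_NOP) {
            i++;
            continue;
        }
        /* Unpatched code read cp[IPOPT_OLEN] without this check (over-read). */
        if (left < IPOPT_OLEN + sizeof(*cp))
            return (long)i;
        optlen = cp[IPOPT_OLEN];
        /* Type + length is the minimum; > left would walk off the area. */
        if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > left)
            return (long)(i + IPOPT_OLEN);
        if (cp[0] == IPOPT_RR) {
            if (optlen < IPOPT_OFFSET + sizeof(*cp))  /* no pointer byte */
                return (long)(i + IPOPT_OLEN);
            if (cp[IPOPT_OFFSET] < IPOPT_MINOFF)
                return (long)(i + IPOPT_OFFSET);
        }
        i += optlen;
    }
    return -1;
}

/* Constructed sample option areas (not captured traffic). */
const uint8_t opt_rr_ok[]     = {7, 7, 4, 0, 0, 0, 0, 0}; /* RR + EOL pad     */
const uint8_t opt_no_len[]    = {1, 1, 1, 7};             /* RR type, no len  */
const uint8_t opt_len_one[]   = {7, 1, 4, 0};             /* len 1 passed <=0 */
const uint8_t opt_rr_short[]  = {7, 2, 0, 0};             /* RR lacks pointer */
const uint8_t opt_rr_badptr[] = {7, 7, 3, 0, 0, 0, 0, 0}; /* pointer < MINOFF */
```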

III. Impact

Remote users can cause a FreeBSD system to panic and reboot.

IV.  Workaround

None available.

V.   Solution

One of the following:

1) Upgrade your FreeBSD system to 3.4-STABLE, 4.0-STABLE or
5.0-CURRENT after the respective correction dates.

2) Apply the patch below and recompile your kernel.

Either save this advisory to a file, or download the patch and
detached PGP signature from the following locations, and verify the
signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff.asc

# cd /usr/src/sys/netinet
# patch -p < /path/to/patch_or_advisory

[ Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system ]

    Index: ip_icmp.c
    ===================================================================
    RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v
    retrieving revision 1.39
    diff -u -r1.39 ip_icmp.c
    --- ip_icmp.c	2000/01/28 06:13:09	1.39
    +++ ip_icmp.c	2000/06/08 15:26:39
    @@ -662,8 +662,11 @@
     			    if (opt == IPOPT_NOP)
     				    len = 1;
     			    else {
    +				    if (cnt < IPOPT_OLEN + sizeof(*cp))
    +					    break;
     				    len = cp[IPOPT_OLEN];
    -				    if (len <= 0 || len > cnt)
    +				    if (len < IPOPT_OLEN + sizeof(*cp) ||
    +				        len > cnt)
     					    break;
     			    }
     			    /*
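Review bot: both new comparisons mix `cnt` / `len` with `sizeof(*cp)`, so they are evaluated unsigned; that is only safe while `cnt` can never be negative on entry, and its type is not visible in this hunk, so please confirm. The expression `IPOPT_OLEN + sizeof(*cp)` is repeated in every file of this patch as a roundabout spelling of "type byte plus length byte"; a named constant or a one-line comment would make the intent obvious. Stopping the walk with a plain `break` is reasonable here because, unlike the ip_input.c hunks, this path has no `code` offset to report.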
    Index: ip_input.c
    ===================================================================
    RCS file: /ncvs/src/sys/netinet/ip_input.c,v
    retrieving revision 1.130
    diff -u -r1.130 ip_input.c
    --- ip_input.c	2000/02/23 20:11:57	1.130
    +++ ip_input.c	2000/06/08 15:25:46
    @@ -1067,8 +1067,12 @@
     		if (opt == IPOPT_NOP)
     			optlen = 1;
     		else {
    +			if (cnt < IPOPT_OLEN + sizeof(*cp)) {
    +				code = &cp[IPOPT_OLEN] - (u_char *)ip;
    +				goto bad;
    +			}
     			optlen = cp[IPOPT_OLEN];
    -			if (optlen <= 0 || optlen > cnt) {
    +			if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) {
     				code = &cp[IPOPT_OLEN] - (u_char *)ip;
     				goto bad;
     			}
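Review bot: in the added `cnt < IPOPT_OLEN + sizeof(*cp)` block, `code` is taken from `&cp[IPOPT_OLEN]`, the very byte this test has just established is not part of the option area, so the ICMP parameter-problem pointer will reference a byte past the last option byte; pointing `code` at `cp` (the option type byte, the last byte actually present) would be more accurate. The tightened `optlen < IPOPT_OLEN + sizeof(*cp)` test is the substantive fix in this hunk: the old `optlen <= 0` accepted a length of 1, which is shorter than the type and length bytes that have already been consumed.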
    @@ -1174,6 +1178,10 @@
     			break;
     
     		case IPOPT_RR:
    +			if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
    +				code = &cp[IPOPT_OFFSET] - (u_char *)ip;
    +				goto bad;
    +			}
     			if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
     				code = &cp[IPOPT_OFFSET] - (u_char *)ip;
     				goto bad;
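Review bot: the guard is added only to the `IPOPT_RR` case, yet the existing check it protects (`(off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF`) reads a third byte that any two-byte option lacks; please confirm that the other cases in this `switch` which read `cp[IPOPT_OFFSET]` carry an equivalent minimum-length test, or add it in the same patch. Same nit as the previous hunk: when `optlen < IPOPT_OFFSET + sizeof(*cp)` the byte at `cp[IPOPT_OFFSET]` does not belong to the option, so `code` should point at the length byte `cp[IPOPT_OLEN]`, which is the field that is actually wrong.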
    Index: ip_output.c
    ===================================================================
    RCS file: /ncvs/src/sys/netinet/ip_output.c,v
    retrieving revision 1.99
    diff -u -r1.99 ip_output.c
    --- ip_output.c	2000/03/09 14:57:15	1.99
    +++ ip_output.c	2000/06/08 15:27:08
    @@ -1302,8 +1302,10 @@
     		if (opt == IPOPT_NOP)
     			optlen = 1;
     		else {
    +			if (cnt < IPOPT_OLEN + sizeof(*cp))
    +				goto bad;
     			optlen = cp[IPOPT_OLEN];
    -			if (optlen <= IPOPT_OLEN || optlen > cnt)
    +			if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt)
     				goto bad;
     		}
     		switch (opt) {
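Review bot: the second change here, `optlen <= IPOPT_OLEN` to `optlen < IPOPT_OLEN + sizeof(*cp)`, is a pure rewrite, since with `IPOPT_OLEN` equal to 1 both forms reject exactly `optlen < 2`; the only behavioural fix in this hunk is the new `cnt < IPOPT_OLEN + sizeof(*cp)` pre-check before the length byte is read. Harmonising with ip_input.c is fine, but a comment or the commit message should say so, or a reader will look for a bug that was never in this line. Dropping to `goto bad` without an offset matches the existing error path two lines below, so no change is needed there.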
    
 


----
Koga Youichirou
