FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options | Linux Today

FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options

Written By
Web Webster
Web Webster
Jun 27, 2000

Date: Thu, 22 Jun 2000 14:50:52 -0700
From: FreeBSD Security Advisories
security-advisories@freebsd.org
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options


FreeBSD-SA-00:23                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Remote denial-of-service in IP stack

Category:       core
Module:         kernel
Announced:      2000-06-19
Affects:        FreeBSD systems prior to the correction date
Credits:        NetBSD Security Advisory 2000-002, and
                Jun-ichiro itojun Hagino 
Corrected:      (Several bugs fixed, the date below is that of the most
                recent fix)
                2000-06-08 (3.4-STABLE)
                2000-06-08 (4.0-STABLE)
                2000-06-02 (5.0-CURRENT)
FreeBSD only:   NO

I. Background

II. Problem Description

There are several bugs in the processing of IP options in the
FreeBSD IP stack, which fail to correctly bounds-check arguments
and contain other coding errors leading to the possibility of data
corruption and a kernel panic upon reception of certain invalid IP
packets.

This set of bugs includes the instance of the vulnerability
described in NetBSD Security Advisory 2000-002 (see
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-002.txt.asc
)
as well as other bugs with similar effect.

III. Impact

Remote users can cause a FreeBSD system to panic and reboot.

IV. Workaround

None available.

V. Solution

One of the following:

1) Upgrade your FreeBSD system to 3.4-STABLE, 4.0-STABLE or
5.0-CURRENT after the respective correction dates.

2) Apply the patch below and recompile your kernel.

Either save this advisory to a file, or download the patch and
detached PGP signature from the following locations, and verify the
signature using your PGP utility.


ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff


ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff.asc

# cd /usr/src/sys/netinet
# patch -p < /path/to/patch_or_advisory

[ Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html
and reboot the system ]

    Index: ip_icmp.c
    ===================================================================
    RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v
    retrieving revision 1.39
    diff -u -r1.39 ip_icmp.c
    --- ip_icmp.c       2000/01/28 06:13:09     1.39
    +++ ip_icmp.c       2000/06/08 15:26:39
    @@ -662,8 +662,11 @@
                            if (opt == IPOPT_NOP)
                                    len = 1;
                            else {
    +                               if (cnt < IPOPT_OLEN + sizeof(*cp))
    +                                       break;
                                    len = cp[IPOPT_OLEN];
    -                               if (len <= 0 || len > cnt)
    +                               if (len < IPOPT_OLEN + sizeof(*cp) ||
    +                                   len > cnt)
                                            break;
                            }
                            /*
    Index: ip_input.c
    ===================================================================
    RCS file: /ncvs/src/sys/netinet/ip_input.c,v
    retrieving revision 1.130
    diff -u -r1.130 ip_input.c
    --- ip_input.c      2000/02/23 20:11:57     1.130
    +++ ip_input.c      2000/06/08 15:25:46
    @@ -1067,8 +1067,12 @@
                if (opt == IPOPT_NOP)
                        optlen = 1;
                else {
    +                   if (cnt < IPOPT_OLEN + sizeof(*cp)) {
    +                           code = &cp[IPOPT_OLEN] - (u_char *)ip;
    +                           goto bad;
    +                   }
                        optlen = cp[IPOPT_OLEN];
    -                   if (optlen <= 0 || optlen > cnt) {
    +                   if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) {
                                code = &cp[IPOPT_OLEN] - (u_char *)ip;
                                goto bad;
                        }
    @@ -1174,6 +1178,10 @@
                        break;

                case IPOPT_RR:
    +                   if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
    +                           code = &cp[IPOPT_OFFSET] - (u_char *)ip;
    +                           goto bad;
    +                   }
                        if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
                                code = &cp[IPOPT_OFFSET] - (u_char *)ip;
                                goto bad;
    Index: ip_output.c
    ===================================================================
    RCS file: /ncvs/src/sys/netinet/ip_output.c,v
    retrieving revision 1.99
    diff -u -r1.99 ip_output.c
    --- ip_output.c     2000/03/09 14:57:15     1.99
    +++ ip_output.c     2000/06/08 15:27:08
    @@ -1302,8 +1302,10 @@
                if (opt == IPOPT_NOP)
                        optlen = 1;
                else {
    +                   if (cnt < IPOPT_OLEN + sizeof(*cp))
    +                           goto bad;
                        optlen = cp[IPOPT_OLEN];
    -                   if (optlen <= IPOPT_OLEN || optlen > cnt)
    +                   if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt)
                                goto bad;
                }
                switch (opt) {
Web Webster

Web Webster

Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.

Linux Today Logo

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.