Hi everybody,

some people asked for pointers to a second opinion on the ipchains vulnerability. This is good practice. Those who asked might want to have a look at http://www.rustcorp.com/linux/ and they will find a patch that is very similar to what we have suggested but is a bit less restrictive (it lets short first fragments pass if IP_MF is not set).

One might argue that this is not enough. Some victim host may be running an operating system that, in order to find out whether an IP datagram is a fragment, does "if (ip_off & ~IP_DF) {...}", thus enabling an attacker to use IP_RF (0x8000) to mark an IP datagram with a zero offset as a fragment. In other words, on some operating systems IP_RF may have the same semantics as IP_MF. 4.4BSD behaves very closely to that, but does not actually fall prey to such an attack (because of a second explicit check for IP_MF later in the code). But we do not know what others do.

I opt for not letting anything through that has a zero offset and is too short to contain a complete transport level header, i.e. for the fix that was given in our advisory.

Have a nice day
-Thomas

[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
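The two filtering rules Thomas compares, and the two ways a receiving host might decide whether a zero-offset datagram is a fragment, side by side. This is an added example written for this page; it is not the rustcorp.com patch, the advisory's fix, or ipchains code. The struct `ip_view`, the function names, the per-protocol minimum header sizes and the probe datagrams are all assumptions constructed for the illustration, and `strict_host_is_fragment` is a simplified model of the "second explicit check for IP_MF" the post attributes to 4.4BSD, not its actual code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits of the 16-bit IPv4 ip_off field (RFC 791 layout, host order). */
#define IP_RF      0x8000u  /* reserved flag */
#define IP_DF      0x4000u  /* don't fragment */
#define IP_MF      0x2000u  /* more fragments */
#define IP_OFFMASK 0x1fffu  /* fragment offset, in 8-byte units */

/* Hypothetical view of the fields a packet filter inspects; constructed for
 * this example, not the real ipchains structure. */
struct ip_view {
    uint8_t  ihl;        /* header length in 32-bit words */
    uint8_t  protocol;   /* 1 ICMP, 6 TCP, 17 UDP */
    uint16_t total_len;  /* total datagram length in bytes */
    uint16_t ip_off;     /* flags + fragment offset */
};

/* Bytes of transport header the filter needs before it can apply a rule
 * (assumed minimums: 20 for TCP, 8 for UDP, 8 for an ICMP header). */
static size_t min_transport_hdr(uint8_t protocol)
{
    switch (protocol) {
    case 6:  return 20;
    case 17: return 8;
    case 1:  return 8;
    default: return 0;   /* unknown protocol: nothing to check */
    }
}

/* Payload bytes carried by this datagram (0 if total_len is inconsistent). */
static size_t payload_len(const struct ip_view *h)
{
    size_t hlen = (size_t)h->ihl * 4;
    return h->total_len > hlen ? h->total_len - hlen : 0;
}

/* A reassembler that asks "is any bit other than DF set?" (the pattern the
 * post warns about): IP_RF alone makes a zero-offset datagram a fragment. */
bool loose_host_is_fragment(uint16_t ip_off)
{
    return (ip_off & ~IP_DF) != 0;
}

/* A reassembler with an explicit MF/offset check: IP_RF alone is ignored. */
bool strict_host_is_fragment(uint16_t ip_off)
{
    return (ip_off & (IP_MF | IP_OFFMASK)) != 0;
}

/* Less restrictive rule: a zero-offset datagram too short for its transport
 * header is dropped only when IP_MF is set. */
bool less_restrictive_allows(const struct ip_view *h)
{
    if ((h->ip_off & IP_OFFMASK) != 0)
        return true;   /* non-first fragments are handled by other rules */
    if (payload_len(h) >= min_transport_hdr(h->protocol))
        return true;
    return (h->ip_off & IP_MF) == 0;
}

/* Advisory rule: a zero-offset datagram too short for its transport header is
 * dropped whatever the flag bits say. */
bool advisory_allows(const struct ip_view *h)
{
    if ((h->ip_off & IP_OFFMASK) != 0)
        return true;
    return payload_len(h) >= min_transport_hdr(h->protocol);
}

/* Constructed probes: 20-byte IP header, protocol TCP.
 * rf_probe:   8 payload bytes (short for a 20-byte TCP header), RF set, MF clear
 * mf_probe:   same, but MF set instead of RF
 * full_probe: 20 payload bytes, a complete TCP header, no flags
 * later_frag: 8 payload bytes at fragment offset 1 (not a first fragment) */
const struct ip_view rf_probe   = { 5, 6, 28, IP_RF };
const struct ip_view mf_probe   = { 5, 6, 28, IP_MF };
const struct ip_view full_probe = { 5, 6, 40, 0 };
const struct ip_view later_frag = { 5, 6, 28, 0x0001 };

int main(void)
{
    printf("rf_probe: loose host sees fragment=%d, strict host=%d\n",
           loose_host_is_fragment(rf_probe.ip_off),
           strict_host_is_fragment(rf_probe.ip_off));
    printf("rf_probe: less restrictive allows=%d, advisory allows=%d\n",
           less_restrictive_allows(&rf_probe), advisory_allows(&rf_probe));
    return 0;
}
```

The interesting case is `rf_probe`: the less restrictive rule passes it because IP_MF is clear, yet a host using the loose test treats it as a fragment and holds it for reassembly, so the filter has made a decision on a TCP header it never saw. The advisory rule drops it without needing to know how the victim host interprets IP_RF.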
