From owner-announce-jp@jp.freebsd.org  Sun Jul 16 09:05:50 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id JAA20145;
	Sun, 16 Jul 2000 09:05:50 +0900 (JST)
	(envelope-from owner-announce-jp@jp.FreeBSD.org)
Message-ID: <20000716000548.3095.qmail@smtp.246.ne.jp>
To: announce-jp@jp.FreeBSD.org
Reply-To: doc-jp@jp.freebsd.org
In-Reply-To: <20000711215800.233B237B944@hub.freebsd.org>
References: <20000711215800.233B237B944@hub.freebsd.org>
X-Mailer: Mew version 1.94.2 on Emacs 19.28 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Sun, 16 Jul 2000 09:05:33 +0900
From: Koga Youichirou <y-koga@jp.freebsd.org>
X-Dispatcher: imput version 20000228(IM140)
X-ML-maintainer: owner-announce-jp@jp.FreeBSD.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: announce-jp 480
Subject: Re: ANNOUNCE: FreeBSD Ports Security Advisory:
 FreeBSD-SA-00:23.ip-options [REVISED]
Errors-To: owner-announce-jp@jp.freebsd.org
Sender: owner-announce-jp@jp.freebsd.org


 This mail is a Japanese translation of the following message, which was sent
 to announce-jp:

  Subject: ANNOUNCE: FreeBSD Ports Security Advisory: FreeBSD-SA-00:23.ip-options [REVISED]
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Tue, 11 Jul 2000 14:58:00 -0700 (PDT)
  Message-Id: <20000711215800.233B237B944@hub.freebsd.org>
  X-Sequence: announce-jp 474

 (Translator's note: the heading should properly read "FreeBSD Security
 Advisory", not "FreeBSD Ports Security Advisory".)

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r(B
 $B9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B(doc-jp)$B$,;29M$N(B
 $B$?$a$KDs6!$9$k$b$N$G(B, doc-jp $B$O(B $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b$$$?$7$^$;$s(B.
 $BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

--(translation begins here)
-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:23                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	Remote denial-of-service in IP stack [REVISED]

Category:       core
Module:         kernel
Announced:      2000-06-19
Revised:        2000-07-11
Affects:        FreeBSD systems prior to the correction date
Credits:        NetBSD Security Advisory 2000-002 and
                Jun-ichiro itojun Hagino <itojun@kame.net>
Corrected:      (several bugs have been fixed; the most recent correction
                dates are as follows)
                2000-06-08 (3.4-STABLE)
                2000-06-08 (4.0-STABLE)
                2000-06-02 (5.0-CURRENT)
FreeBSD only:   NO

I.   Background

II.  Problem Description

FreeBSD $B$N(B IP $B%9%?%C%/$K$*$1$k(B IP $B%*%W%7%g%s$N=hM}$K$O$$$/$D$+$N%P%0$,(B
$BB8:_$7$^$9(B. $B$=$N%P%0$H$O(B, $B6-3&%A%'%C%/$N0z?t$,@5$7$/$J$$$3$H$H(B, $B%3!<%G(B
$B%#%s%0>e$N8m$j$N$?$a$K(B, $BFCDj$NIT@5$J(B IP $B%Q%1%C%H$r<u$1<h$k$H(B, $B%G!<%?$N(B
$BGK2u$d%+!<%M%k%Q%K%C%/$r0z$-5/$3$94m81$,$"$j$^$9(B. 

This group of bugs includes the vulnerability described in NetBSD Security
Advisory 2000-002 (see
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-002.txt.asc)
as well as a separate bug with similar effects.

III. Impact

A remote user can cause a FreeBSD system to panic or reboot.

IV.  Workaround

Using ipfw(8), incoming packets that carry IP options can be blocked at a
border firewall or on the local host (ipf(8) can also block packets carrying
IP options, but that is not described here).

$B0J2<$N(B ipfw $B$N%k!<%k$G(B, $B%5!<%S%9ITG=967b$rKI$0$3$H$,$G$-$^$9(B ($B$9$G$K(B 
ipfw $B$r;HMQ$7$F$$$k>l9g(B, '100'-'103' $B$N%k!<%kHV9f$O(B, $B%m!<%+%k$N%U%!%$(B
$B%"%&%)!<%k$GE,Ev$J?t;z$KCV$-49$($F$/$@$5$$(B). 

ipfw add 100 deny log ip from any to any ipopt rr
ipfw add 101 deny log ip from any to any ipopt ts
ipfw add 102 deny log ip from any to any ipopt ssrr
ipfw add 103 deny log ip from any to any ipopt lsrr

IP options are probably not in normal use, and blocking them should not
cause any particular problem, but note that legitimate use of IP options is
possible. The log entries generated by the ipfw rules above therefore do not
necessarily prove that an attack was attempted. Also, packets can be forged,
so the source address may be spoofed.

V.   Solution

Do one of the following.

1) Upgrade your FreeBSD system to 3.4-STABLE, 4.0-STABLE or 5.0-CURRENT
dated after the correction date.

2) Apply the patch below and recompile the kernel.

Either save this advisory to a file, or download the patch and its PGP
signature from the URLs below, and verify the PGP signature with your PGP
utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff.asc

# cd /usr/src/sys/netinet
# patch -p < /path/to/patch_or_advisory

[ Recompile the kernel following http://www.freebsd.org/handbook/kernelconfig.html
and reboot with the new kernel. ]

VI.   Revision History

v1.0  2000-06-19  Initial release
v1.1  2000-07-11  Added workaround using ipfw

    Index: ip_icmp.c
    ===================================================================
    RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v
    retrieving revision 1.39
    diff -u -r1.39 ip_icmp.c
    --- ip_icmp.c	2000/01/28 06:13:09	1.39
    +++ ip_icmp.c	2000/06/08 15:26:39
    @@ -662,8 +662,11 @@
     			    if (opt == IPOPT_NOP)
     				    len = 1;
     			    else {
    +				    if (cnt < IPOPT_OLEN + sizeof(*cp))
    +					    break;
     				    len = cp[IPOPT_OLEN];
    -				    if (len <= 0 || len > cnt)
    +				    if (len < IPOPT_OLEN + sizeof(*cp) ||
    +				        len > cnt)
     					    break;
     			    }
     			    /*
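Review bot: the new lower bound `len < IPOPT_OLEN + sizeof(*cp)` deserves a one-line comment in this hunk, because it replaces `len <= 0` with a minimum of two bytes (type and length), and that is what stops a length byte of 1 from being accepted; a reader coming from the old test will otherwise wonder why the constant changed. The leading `cnt < IPOPT_OLEN + sizeof(*cp)` guard is placed correctly, before `cp[IPOPT_OLEN]` is read, so the length byte is never fetched from beyond the remaining `cnt` bytes, and using `break` on both failures matches the existing handling of a bad length in this loop.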
    Index: ip_input.c
    ===================================================================
    RCS file: /ncvs/src/sys/netinet/ip_input.c,v
    retrieving revision 1.130
    diff -u -r1.130 ip_input.c
    --- ip_input.c	2000/02/23 20:11:57	1.130
    +++ ip_input.c	2000/06/08 15:25:46
    @@ -1067,8 +1067,12 @@
     		if (opt == IPOPT_NOP)
     			optlen = 1;
     		else {
    +			if (cnt < IPOPT_OLEN + sizeof(*cp)) {
    +				code = &cp[IPOPT_OLEN] - (u_char *)ip;
    +				goto bad;
    +			}
     			optlen = cp[IPOPT_OLEN];
    -			if (optlen <= 0 || optlen > cnt) {
    +			if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) {
     				code = &cp[IPOPT_OLEN] - (u_char *)ip;
     				goto bad;
     			}
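Review bot: both new error paths set `code = &cp[IPOPT_OLEN] - (u_char *)ip;` and `goto bad;`, so the ICMP parameter-problem pointer names the length byte in both cases; when the first guard fires, `cp[IPOPT_OLEN]` lies beyond the remaining `cnt` bytes by construction, which is worth a comment since it is the one case where `code` points outside the bytes actually parsed. As in ip_icmp.c, the bound moves from `optlen <= 0` to `optlen < IPOPT_OLEN + sizeof(*cp)`, so an option whose length byte is 1 is now rejected instead of being walked one byte at a time; the two duplicated `code = ...; goto bad;` blocks could share a single label to keep the check pair readable.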
    @@ -1174,6 +1178,10 @@
     			break;
     
     		case IPOPT_RR:
    +			if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
    +				code = &cp[IPOPT_OFFSET] - (u_char *)ip;
    +				goto bad;
    +			}
     			if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
     				code = &cp[IPOPT_OFFSET] - (u_char *)ip;
     				goto bad;
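Review bot: the guard added under `case IPOPT_RR:` tests `optlen < IPOPT_OFFSET + sizeof(*cp)` before `cp[IPOPT_OFFSET]` is read, which is the right order, but only the record-route case is visible in this hunk; the source-route and timestamp cases also read a pointer byte out of the option, so please confirm they carry the same minimum-length check or are covered elsewhere, otherwise the fix is partial. A short comment at the top of the switch stating that each case must verify `optlen` covers every byte it reads would make that invariant explicit for future option types.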
    Index: ip_output.c
    ===================================================================
    RCS file: /ncvs/src/sys/netinet/ip_output.c,v
    retrieving revision 1.99
    diff -u -r1.99 ip_output.c
    --- ip_output.c	2000/03/09 14:57:15	1.99
    +++ ip_output.c	2000/06/08 15:27:08
    @@ -1302,8 +1302,10 @@
     		if (opt == IPOPT_NOP)
     			optlen = 1;
     		else {
    +			if (cnt < IPOPT_OLEN + sizeof(*cp))
    +				goto bad;
     			optlen = cp[IPOPT_OLEN];
    -			if (optlen <= IPOPT_OLEN || optlen > cnt)
    +			if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt)
     				goto bad;
     		}
     		switch (opt) {
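Review bot: the second change in this hunk does not alter behaviour: the old `optlen <= IPOPT_OLEN` and the new `optlen < IPOPT_OLEN + sizeof(*cp)` both reject lengths 0 and 1 (IPOPT_OLEN is 1), so it only aligns the spelling with ip_input.c and ip_icmp.c; the substantive fix here is the new `cnt < IPOPT_OLEN + sizeof(*cp)` guard that keeps the length byte from being read past the end of the option area. Unlike the ip_input.c hunk the output path has no `code` to set, so the bare `goto bad` is fine, but a comment noting that these are the same two checks applied on input would save the next reader from diffing the three files.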


