From owner-doc-jp@jp.freebsd.org  Mon Jul 10 22:43:41 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id WAA20451;
	Mon, 10 Jul 2000 22:43:41 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from smtp02.246.ne.jp (smtp02.246.ne.jp [210.253.192.36])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with SMTP id WAA20443
	for <doc-jp@jp.freebsd.org>; Mon, 10 Jul 2000 22:43:36 +0900 (JST)
	(envelope-from y-koga@jp.FreeBSD.org)
Received: (qmail 19714 invoked by alias); 10 Jul 2000 22:43:28 +0900
Message-ID: <20000710134328.19713.qmail@smtp.246.ne.jp>
Received: (qmail 19693 invoked from network); 10 Jul 2000 22:43:26 +0900
Received: from tp4hr173.246.ne.jp (HELO localhost) (210.253.193.173)
  by smtp.246.ne.jp with SMTP; 10 Jul 2000 22:43:26 +0900
To: doc-jp@jp.freebsd.org
In-Reply-To: <20000622215052.D642E37BF12@hub.freebsd.org>
References: <20000622215052.D642E37BF12@hub.freebsd.org>
X-Mailer: Mew version 1.94.2 on Emacs 19.28 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Mon, 10 Jul 2000 22:44:50 +0900
From: Koga Youichirou <y-koga@jp.freebsd.org>
X-Dispatcher: imput version 20000228(IM140)
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7517
Subject: [doc-jp 7517] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:23.ip-options
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: y-koga@jp.freebsd.org

There are still a lot of these left…

Remaining:
FreeBSD-SA-00:24
FreeBSD-SA-00:26
FreeBSD-SA-00:27
FreeBSD-SA-00:28
FreeBSD-SA-00:30
FreeBSD-SA-00:31
FreeBSD-SA-00:32

BEGIN------------------- from here ------------------------
 This mail is a Japanese translation of the following message, which was
 posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Thu, 22 Jun 2000 14:50:52 -0700 (PDT)
  Message-Id: <20000622215052.D642E37BF12@hub.freebsd.org>
  X-Sequence: announce-jp 462

 The original is PGP-signed, but this Japanese translation is not.
 To run a PGP check confirming that the contents of the patches and so on
 have not been tampered with, refer to the original.

 The Japanese translation is provided for reference by the FreeBSD
 Japanese Documentation Project (doc-jp), and doc-jp makes no warranty of
 any kind regarding its contents.
 Please send inquiries about the Japanese translation to doc-jp@jp.FreeBSD.org.

--(from here)
-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:23                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:		Remote denial-of-service in IP stack

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	kernel
$B9pCNF|(B:		2000-06-19
$B1F6AHO0O(B:	$B=$@5F|$h$jA0$N(B FreeBSD $B%7%9%F%`(B
$B%/%l%8%C%H(B:	NetBSD Security Advisory 2000-002 $B$*$h$S(B
		Jun-ichiro itojun Hagino <itojun@kame.net>
$B=$@5F|(B:		($B$$$/$D$+$N%P%0$,=$@5$5$l$F$$$k$,!"0J2<$NF|IU$,(B
		$B$b$C$H$b:G6a$N=$@5F|$G$"$k(B)
		2000-06-08 (3.4-STABLE)
		2000-06-08 (4.0-STABLE)
		2000-06-02 (5.0-CURRENT)
FreeBSD $B$K8GM-$+(B:	NO

I.   $BGX7J(B - Background

$B!t$J$$$>!<(B

II.  $BLdBj$N>\:Y(B - Problem Description

There are several bugs in the processing of IP options in the FreeBSD
IP stack, which fail to correctly bounds-check arguments and contain
other coding errors leading to the possibility of data corruption and
a kernel panic upon reception of certain invalid IP packets.

FreeBSD $B$N(B IP $B%9%?%C%/$K$*$1$k(B IP $B%*%W%7%g%s$N=hM}$K$O$$$/$D$+$N%P%0$,(B
$B$"$j$^$9(B. $B6-3&%A%'%C%/$N0z?t$,@5$7$/$J$/(B, $BB>$K$b%3!<%G%#%s%0>e$N4V0c$$(B
$B$,$"$k$?$a(B, $B$"$kIT@5$J(B IP $B%Q%1%C%H$r<u$1<h$k$H(B, $B%G!<%?$,GK2u$5$l$?$j(B, 
$B%+!<%M%k$,%Q%K%C%/$7$?$j$9$k4m81$,$"$j$^$9(B. 

This set of bugs includes the instance of the vulnerability described
in NetBSD Security Advisory 2000-002 (see
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-002.txt.asc)
as well as other bugs with similar effect.

These bugs include the weakness described in NetBSD Security Advisory 2000-002
(see ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-002.txt.asc),
and the other bugs have a similar effect as well.

# This translation seems sort of right and sort of wrong.

III. $B1F6AHO0O(B - Impact

Remote users can cause a FreeBSD system to panic and reboot.

Remote users can make a FreeBSD system panic or reboot.

IV.  $BBP1~:v(B - Workaround

None available.

There is none.

V.   $B=$@5=hCV(B - Solution

One of the following:

Do one of the following.

1) Upgrade your FreeBSD system to 3.4-STABLE, 4.0-STABLE or
5.0-CURRENT after the respective correction dates.

1) Upgrade the FreeBSD system you are using to 3.4-STABLE, 4.0-STABLE or
5.0-CURRENT dated after the correction date.

2) Apply the patch below and recompile your kernel.

2) Apply the patch below and recompile the kernel.

Either save this advisory to a file, or download the patch and
detached PGP signature from the following locations, and verify the
signature using your PGP utility.

Either save this advisory to a file, or download the patch and the PGP
signature, which is in a separate file, from the following URLs, and check
it against the PGP signature using a PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff.asc

# cd /usr/src/sys/netinet
# patch -p < /path/to/patch_or_advisory

[ Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system ]

[ http://www.freebsd.org/handbook/kernelconfig.html $B$K$7$?$,$C$F%+!<%M(B
$B%k$r:F%3%s%Q%$%k$7(B, $B?7$7$$%+!<%M%k$G%j%V!<%H$7$^$9(B. ]

    Index: ip_icmp.c
    ===================================================================
    RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v
    retrieving revision 1.39
    diff -u -r1.39 ip_icmp.c
    --- ip_icmp.c	2000/01/28 06:13:09	1.39
    +++ ip_icmp.c	2000/06/08 15:26:39
    @@ -662,8 +662,11 @@
     			    if (opt == IPOPT_NOP)
     				    len = 1;
     			    else {
    +				    if (cnt < IPOPT_OLEN + sizeof(*cp))
    +					    break;
     				    len = cp[IPOPT_OLEN];
    -				    if (len <= 0 || len > cnt)
    +				    if (len < IPOPT_OLEN + sizeof(*cp) ||
    +				        len > cnt)
     					    break;
     			    }
     			    /*
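Review bot: in the two added comparisons against `IPOPT_OLEN + sizeof(*cp)`, the right-hand side has type size_t, so `cnt` and `len` are compared as unsigned values. Their declarations are not visible in this hunk; if either is a signed int, a negative value would be converted to a large unsigned number and slip past the `<` test. Consider casting the sizeof term to int, or defining the minimum option length once as an int constant and using it in both tests. A short or inconsistent length here also just leaves the loop with `break`, and a one-line comment saying the remaining options are deliberately left unprocessed would help the next reader.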
    Index: ip_input.c
    ===================================================================
    RCS file: /ncvs/src/sys/netinet/ip_input.c,v
    retrieving revision 1.130
    diff -u -r1.130 ip_input.c
    --- ip_input.c	2000/02/23 20:11:57	1.130
    +++ ip_input.c	2000/06/08 15:25:46
    @@ -1067,8 +1067,12 @@
     		if (opt == IPOPT_NOP)
     			optlen = 1;
     		else {
    +			if (cnt < IPOPT_OLEN + sizeof(*cp)) {
    +				code = &cp[IPOPT_OLEN] - (u_char *)ip;
    +				goto bad;
    +			}
     			optlen = cp[IPOPT_OLEN];
    -			if (optlen <= 0 || optlen > cnt) {
    +			if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) {
     				code = &cp[IPOPT_OLEN] - (u_char *)ip;
     				goto bad;
     			}
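Review bot: the two failure branches now have identical bodies (`code = &cp[IPOPT_OLEN] - (u_char *)ip; goto bad;`) and nothing explains why they are kept apart. The `cnt` test has to run before `optlen = cp[IPOPT_OLEN]` because it is what guarantees the length byte lies within the remaining `cnt` bytes; a short comment above it saying so would keep a later cleanup from folding the two checks together and bringing back the unchecked read. In that first branch `code` is also the offset of a byte past the end of the remaining options. The address is only computed, not dereferenced, but it is worth confirming that the code at `bad` handles that offset as intended.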
    @@ -1174,6 +1178,10 @@
     			break;
     
     		case IPOPT_RR:
    +			if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
    +				code = &cp[IPOPT_OFFSET] - (u_char *)ip;
    +				goto bad;
    +			}
     			if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
     				code = &cp[IPOPT_OFFSET] - (u_char *)ip;
     				goto bad;
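Review bot: the new `optlen < IPOPT_OFFSET + sizeof(*cp)` guard is shown only for `case IPOPT_RR`; any other case in this switch that reads `cp[IPOPT_OFFSET]` needs the same test before the read, and this hunk gives no indication whether those cases already have one. Please confirm that, or hoist the check so that every option carrying an offset byte shares it. The existing `IPOPT_MINOFF` comparison that follows only bounds the offset value from below, so it is not a substitute for this length check.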
    Index: ip_output.c
    ===================================================================
    RCS file: /ncvs/src/sys/netinet/ip_output.c,v
    retrieving revision 1.99
    diff -u -r1.99 ip_output.c
    --- ip_output.c	2000/03/09 14:57:15	1.99
    +++ ip_output.c	2000/06/08 15:27:08
    @@ -1302,8 +1302,10 @@
     		if (opt == IPOPT_NOP)
     			optlen = 1;
     		else {
    +			if (cnt < IPOPT_OLEN + sizeof(*cp))
    +				goto bad;
     			optlen = cp[IPOPT_OLEN];
    -			if (optlen <= IPOPT_OLEN || optlen > cnt)
    +			if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt)
     				goto bad;
     		}
     		switch (opt) {
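Review bot: the rewritten second condition, `optlen < IPOPT_OLEN + sizeof(*cp)`, rejects the same lengths as the removed `optlen <= IPOPT_OLEN` as long as `*cp` is a single unsigned byte, so the behavioural change in this hunk is the new `cnt` test alone; saying that in the commit message would make the fix easier to audit. Unlike the ip_input.c hunks, both failures go to `bad` without recording which byte was at fault. That is fine if this path only returns an error, but a comment noting it would help.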
    
 
END--------------------- to here ------------------------
----
Koga Youichirou
