From owner-doc-jp@jp.freebsd.org  Thu Jul 13 18:47:03 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id SAA92015;
	Thu, 13 Jul 2000 18:47:03 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from TYO9.gate.nec.co.jp (TYO9.gate.nec.co.jp [202.32.8.214])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id SAA92008
	for <doc-jp@jp.freebsd.org>; Thu, 13 Jul 2000 18:47:03 +0900 (JST)
	(envelope-from y-koga@jp.FreeBSD.org)
Received: from mailsv.nec.co.jp (mailsv-le1 [192.168.1.90])
	by TYO9.gate.nec.co.jp (8.9.3/3.7W00052210) with ESMTP id SAA04878
	for <doc-jp@jp.freebsd.org>; Thu, 13 Jul 2000 18:47:02 +0900 (JST)
Received: from mmssv.mms.mt.nec.co.jp (mmssv.mms.mt.nec.co.jp [133.201.63.216]) by mailsv.nec.co.jp (8.9.3/3.7W-MAILSV-NEC) with ESMTP
	id SAA16429 for <doc-jp@jp.freebsd.org>; Thu, 13 Jul 2000 18:47:01 +0900 (JST)
Received: from koga.do.mms.mt.nec.co.jp (koga.do.mms.mt.nec.co.jp [10.16.5.16]) by mmssv.mms.mt.nec.co.jp (8.8.4+2.7Wbeta4/3.4W3MMS96052011) with ESMTP id SAA21479 for <doc-jp@jp.freebsd.org>; Thu, 13 Jul 2000 18:40:51 +0900 (JST)
Received: from localhost (localhost [127.0.0.1])
	by koga.do.mms.mt.nec.co.jp (8.10.2/3.7W-00052406) with ESMTP id e6D9kxR18525;
	Thu, 13 Jul 2000 18:46:59 +0900 (JST)
Message-Id: <200007130946.e6D9kxR18525@koga.do.mms.mt.nec.co.jp>
To: doc-jp@jp.freebsd.org
In-Reply-To: <20000710134328.19713.qmail@smtp.246.ne.jp>
References: <20000622215052.D642E37BF12@hub.freebsd.org>
	<20000710134328.19713.qmail@smtp.246.ne.jp>
X-Mailer: Mew version 1.94.2 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Thu, 13 Jul 2000 18:46:58 +0900 (JST)
From: Koga Youichirou <y-koga@jp.freebsd.org>
X-Dispatcher: imput version 20000228(IM140)
Lines: 239
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7537
Subject: [doc-jp 7537] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:23.ip-options
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: y-koga@jp.freebsd.org

I have incorporated Sato-san's comments where appropriate and reflected the [REVISED] changes.

I suppose it is all right that there is no Background section...

BEGIN------------------- from here ------------------------
 This mail is a Japanese translation of the following, which was sent to announce-jp:

  Subject: ANNOUNCE: FreeBSD Ports Security Advisory: FreeBSD-SA-00:23.ip-options [REVISED]
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Tue, 11 Jul 2000 14:58:00 -0700 (PDT)
  Message-Id: <20000711215800.233B237B944@hub.freebsd.org>
  X-Sequence: announce-jp 474

 (Translator's note: the correct title is FreeBSD Security Advisory, not
 FreeBSD Ports Security Advisory.)

 The original is PGP-signed; this Japanese translation is not. To use PGP to
 confirm that the patch and the other contents have not been tampered with,
 refer to the original.

 The Japanese translation is provided for reference by the FreeBSD Japanese
 Documentation Project (doc-jp), and doc-jp makes no guarantee whatsoever about
 its content. Please direct questions about the Japanese translation to
 doc-jp@jp.FreeBSD.org.

--(from here)
-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:23                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	Remote denial-of-service in IP stack [REVISED]

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	kernel
$B9pCNF|(B:		2000-06-19
$B2~D{F|(B:		2000-07-11
$B1F6AHO0O(B:	$B=$@5F|$h$jA0$N(B FreeBSD $B%7%9%F%`(B
$B%/%l%8%C%H(B:	NetBSD Security Advisory 2000-002 $B$*$h$S(B
		Jun-ichiro itojun Hagino <itojun@kame.net>
$B=$@5F|(B:		($B$$$/$D$+$N%P%0$,=$@5$5$l$F$$$k$,(B, $B0J2<$NF|IU$,(B
		$B$b$C$H$b:G6a$N=$@5F|$G$"$k(B)
		2000-06-08 (3.4-STABLE)
		2000-06-08 (4.0-STABLE)
		2000-06-02 (5.0-CURRENT)
FreeBSD $B$K8GM-$+(B:	NO

I.   $BGX7J(B - Background

$B!t$J$$$>!<(B

II.  $BLdBj$N>\:Y(B - Problem Description

There are several bugs in the processing of IP options in the FreeBSD
IP stack, which fail to correctly bounds-check arguments and contain
other coding errors leading to the possibility of data corruption and
a kernel panic upon reception of certain invalid IP packets.

FreeBSD $B$N(B IP $B%9%?%C%/$K$*$1$k(B IP $B%*%W%7%g%s$N=hM}$K$O$$$/$D$+$N%P%0$,(B
$BB8:_$7$^$9(B. $B$=$N%P%0$H$O!"6-3&%A%'%C%/$N0z?t$,@5$7$/$J$$$3$H$H(B, $B%3!<%G(B
$B%#%s%0>e$N8m$j$N$?$a$K!"FCDj$NIT@5$J(B IP $B%Q%1%C%H$r<u$1<h$k$H(B, $B%G!<%?$,(B
$BGK2u$d%+!<%M%k%Q%K%C%/$r0z$-5/$3$94m81$,$"$j$^$9!#(B

This set of bugs includes the instance of the vulnerability described
in NetBSD Security Advisory 2000-002 (see
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-002.txt.asc)
as well as other bugs with similar effect.

III. $B1F6AHO0O(B - Impact

Remote users can cause a FreeBSD system to panic and reboot.

$B%j%b!<%H$N%f!<%6$,(B FreeBSD $B%7%9%F%`$r%Q%K%C%/$5$;$?$j%j%V!<%H$5$;$?$j(B
$B$9$k$3$H$,2DG=$G$9(B. 

IV.  $BBP1~:v(B - Workaround

Incoming packets containing IP Options can be blocked at a perimeter
firewall or on the local system, using ipfw(8) (ipf(8) is also capable
of blocking packets with IP Options, but is not described here).

ipfw(8) $B$r;HMQ$9$k$3$H$G!"6-3&%U%!%$%"%&%)!<%k$d%m!<%+%k%[%9%H>e$G!"(BIP 
$B%*%W%7%g%s$r4^$`N.F~%Q%1%C%H$r%V%m%C%/$9$k$3$H$,2DG=$G$9(B (ipf(8) $B$G$b(B 
IP $B%*%W%7%g%s$r4^$`%Q%1%C%H$r%V%m%C%/$9$k$3$H$,2DG=$G$9$,!"$3$3$G$O=R(B
$B$Y$^$;$s(B)$B!#(B

The following ipfw rules are believed to prevent the denial-of-service
attack (replace the rule numbers '100'-'103' with whichever rule
numbers are appropriate for your local firewall, if you are already
using ipfw):

$B0J2<$N(B ipfw $B$N%k!<%k$G!"%5!<%S%9ITG=967b$rKI$0$3$H$,$G$-$k$G$7$g$&(B 
($B$9$G$K(B ipfw $B$r;HMQ$7$F$$$k>l9g!"(B'100'-'103' $B$N%k!<%kHV9f$O!"%m!<%+%k(B
$B$N%U%!%$%"%&%)!<%k$GE,Ev$J?t;z$KCV$-49$($F$/$@$5$$(B)$B!#(B

ipfw add 100 deny log ip from any to any ipopt rr
ipfw add 101 deny log ip from any to any ipopt ts
ipfw add 102 deny log ip from any to any ipopt ssrr
ipfw add 103 deny log ip from any to any ipopt lsrr

Note that there are legitimate uses for IP options, although they are
not believed to be in common use, and blocking them should not cause
any problems. Therefore the log entries generated by these ipfw rules
will not necessarily be evidence of an attempted attack. Furthermore,
the packets may be spoofed and have falsified source addresses.
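
The pre-patch and patched length checks side by side, applied to the option
area of an IP header, as an added example that is not part of the advisory
or of FreeBSD's source. It follows the shape of the option loop in the diff
below, contrasts the old test (`len <= 0 || len > cnt`) with the patched
one, and also records which option kinds a header carries, which is what
the four ipfw rules above match on. The struct, function and sample-data
names and the `guard`/`hardened` parameters are this example's own; the
option codes and field offsets are the standard <netinet/ip.h> values,
copied in so the file builds without BSD headers.

```c
/*
 * Added example, not FreeBSD code: a user-space model of the option walk
 * in ip_dooptions(), switchable between the pre-patch length checks and
 * the ones SA-00:23 introduces. Option codes/offsets are the
 * <netinet/ip.h> values; everything else here is this example's own.
 */
#include <stdint.h>

#define IPOPT_EOL     0
#define IPOPT_NOP     1
#define IPOPT_RR      7
#define IPOPT_TS      68
#define IPOPT_LSRR    131
#define IPOPT_SSRR    137
#define IPOPT_OLEN    1   /* offset of the length byte in a TLV option  */
#define IPOPT_OFFSET  2   /* offset of the pointer byte in RR/SR/TS     */

enum { SEEN_RR = 1, SEEN_TS = 2, SEEN_LSRR = 4, SEEN_SSRR = 8 };

struct walk_result {
    int seen;        /* SEEN_* flags for option kinds found              */
    int bad_offset;  /* -1 if accepted, else the byte offset the parser
                        would report in an ICMP parameter problem        */
    int short_reads; /* fields the pre-patch logic fetches from beyond
                        the option they belong to, or beyond the area    */
};

/*
 * Walk the option area cp[0..cnt-1]. With 'hardened' set, reject an option
 * whose length or pointer byte is not actually present; with it clear,
 * follow the pre-patch checks and count the short reads instead of doing
 * them. The caller must keep 'guard' (>= 1) readable bytes after the area
 * so the one byte the pre-patch code really does fetch past the end (the
 * length byte when cnt == 1) is a defined read in this model.
 */
static struct walk_result
walk_ip_options(const uint8_t *cp, int cnt, int guard, int hardened)
{
    struct walk_result r = { 0, -1, 0 };
    const uint8_t *base = cp;
    int opt, optlen;

    if (guard < 1) {                  /* cannot model the over-read safely */
        r.bad_offset = 0;
        return r;
    }
    for (; cnt > 0; cnt -= optlen, cp += optlen) {
        opt = cp[0];
        if (opt == IPOPT_EOL)
            break;
        if (opt == IPOPT_NOP) {
            optlen = 1;
            continue;
        }
        /* Is the length byte inside the area? The patch adds this test. */
        if (cnt < IPOPT_OLEN + (int)sizeof(*cp)) {
            if (hardened) {
                r.bad_offset = (int)(&cp[IPOPT_OLEN] - base);
                return r;
            }
            r.short_reads++;          /* pre-patch: reads the guard byte */
        }
        optlen = cp[IPOPT_OLEN];      /* always within base[0..cnt+guard) */
        if (hardened ? (optlen < IPOPT_OLEN + (int)sizeof(*cp) || optlen > cnt)
                     : (optlen <= 0 || optlen > cnt)) {
            r.bad_offset = (int)(&cp[IPOPT_OLEN] - base);
            return r;
        }
        switch (opt) {
        case IPOPT_RR: case IPOPT_LSRR: case IPOPT_SSRR: case IPOPT_TS:
            /* All four read cp[IPOPT_OFFSET], so they need optlen >= 3. */
            if (optlen < IPOPT_OFFSET + (int)sizeof(*cp)) {
                if (hardened) {       /* blame the length byte, not the
                                         pointer byte the option lacks   */
                    r.bad_offset = (int)(&cp[IPOPT_OLEN] - base);
                    return r;
                }
                r.short_reads++;      /* pre-patch: pointer taken from the
                                         bytes of the next option        */
            }
            r.seen |= opt == IPOPT_RR ? SEEN_RR : opt == IPOPT_TS ? SEEN_TS
                    : opt == IPOPT_LSRR ? SEEN_LSRR : SEEN_SSRR;
            break;
        default:
            break;                    /* unknown option: skip by its length */
        }
    }
    return r;
}

/* Constructed option areas (not captured traffic); the last byte of each
 * is the guard, standing in for the first payload byte after the header. */
static const uint8_t opts_ok[]    = { IPOPT_NOP, IPOPT_RR, 7, 4, 0, 0, 0, 0, 1 };
static const uint8_t opts_trunc[] = { IPOPT_NOP, IPOPT_NOP, IPOPT_NOP, IPOPT_RR, 1 };
static const uint8_t opts_short[] = { IPOPT_LSRR, 2, IPOPT_NOP, IPOPT_NOP, 1 };
static const uint8_t opts_ts[]    = { IPOPT_TS, 8, 5, 0, 0, 0, 0, 0, 1 };
```

Called with `hardened` = 0 on `opts_trunc` (an RR type byte as the last byte
of a 4-byte area) the walk reports two short reads: the old code takes the
length from the first payload byte and, if that byte is 1, the pointer from
the byte after it. With `hardened` = 1 it stops at the same point and returns
offset 4, the value the kernel would put in the ICMP parameter problem.
`opts_short` (an LSRR option of length 2) passes the old length test and is
only caught by the pointer-byte check of the RR hunk. A filter that blocks
`ipopt rr` and friends parses the same bytes, so it has to use the hardened
walk too; `seen != 0` is then the condition the four ipfw rules express.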

V.   $B=$@5=hCV(B - Solution

One of the following:

1) Upgrade your FreeBSD system to 3.4-STABLE, 4.0-STABLE or
5.0-CURRENT after the respective correction dates.

2) Apply the patch below and recompile your kernel.

Either save this advisory to a file, or download the patch and
detached PGP signature from the following locations, and verify the
signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff.asc

# cd /usr/src/sys/netinet
# patch -p < /path/to/patch_or_advisory

[ Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system ]

VI.   $B2~D{MzNr(B - Revision History

v1.0  2000-06-19  Initial release
v1.1  2000-07-11  Note workaround using ipfw.

v1.0  2000-06-19  $B=iHG8x3+(B
v1.1  2000-07-11  ipfw $B$r;HMQ$7$?BP1~:v$rDI2C(B

    Index: ip_icmp.c
    ===================================================================
    RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v
    retrieving revision 1.39
    diff -u -r1.39 ip_icmp.c
    --- ip_icmp.c	2000/01/28 06:13:09	1.39
    +++ ip_icmp.c	2000/06/08 15:26:39
    @@ -662,8 +662,11 @@
     			    if (opt == IPOPT_NOP)
     				    len = 1;
     			    else {
    +				    if (cnt < IPOPT_OLEN + sizeof(*cp))
    +					    break;
     				    len = cp[IPOPT_OLEN];
    -				    if (len <= 0 || len > cnt)
    +				    if (len < IPOPT_OLEN + sizeof(*cp) ||
    +				        len > cnt)
     					    break;
     			    }
     			    /*
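
Review bot: both new tests in this hunk, the `cnt < IPOPT_OLEN + sizeof(*cp)` pre-check and the tightened `len < IPOPT_OLEN + sizeof(*cp)` lower bound, end in `break`, so a truncated or one-byte option silently ends option processing in ip_icmp.c, whereas the equivalent tests in ip_input.c jump to `bad` with a parameter-problem code. That is defensible when reflecting an ICMP message (there is no one to send an error to), but a one-line comment stating that the remaining options are deliberately dropped would stop the next reader from assuming the two files were meant to behave alike. Also, `sizeof(*cp)` makes the comparison unsigned; if `len` is a signed int, as the removed `len <= 0` test suggests, this is safe only because `len` was just loaded from a u_char, which is worth a comment or a plain constant.
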
    Index: ip_input.c
    ===================================================================
    RCS file: /ncvs/src/sys/netinet/ip_input.c,v
    retrieving revision 1.130
    diff -u -r1.130 ip_input.c
    --- ip_input.c	2000/02/23 20:11:57	1.130
    +++ ip_input.c	2000/06/08 15:25:46
    @@ -1067,8 +1067,12 @@
     		if (opt == IPOPT_NOP)
     			optlen = 1;
     		else {
    +			if (cnt < IPOPT_OLEN + sizeof(*cp)) {
    +				code = &cp[IPOPT_OLEN] - (u_char *)ip;
    +				goto bad;
    +			}
     			optlen = cp[IPOPT_OLEN];
    -			if (optlen <= 0 || optlen > cnt) {
    +			if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) {
     				code = &cp[IPOPT_OLEN] - (u_char *)ip;
     				goto bad;
     			}
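
Review bot: on the new `cnt < IPOPT_OLEN + sizeof(*cp)` path the parameter-problem pointer is `&cp[IPOPT_OLEN] - (u_char *)ip`, which when only the type byte remains (cnt == 1) is the first byte past the option area, so the ICMP error points one octet beyond the header rather than at the offending option. Pointing at the option type (`cp - (u_char *)ip`) is the more conventional choice for "option truncated"; if the current value is intentional because the absent length byte is the real problem, say so in a comment. The identical `code = &cp[IPOPT_OLEN] - (u_char *)ip; goto bad;` block now appears twice back to back; `if (cnt < IPOPT_OLEN + sizeof(*cp) || (optlen = cp[IPOPT_OLEN]) < IPOPT_OLEN + sizeof(*cp) || optlen > cnt)` would keep the read guarded by short-circuit evaluation and the error path in one place.
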
    @@ -1174,6 +1178,10 @@
     			break;
     
     		case IPOPT_RR:
    +			if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
    +				code = &cp[IPOPT_OFFSET] - (u_char *)ip;
    +				goto bad;
    +			}
     			if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
     				code = &cp[IPOPT_OFFSET] - (u_char *)ip;
     				goto bad;
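
Review bot: the new `optlen < IPOPT_OFFSET + sizeof(*cp)` guard is what keeps `cp[IPOPT_OFFSET]` from being read out of a one- or two-byte option, but it is added to `case IPOPT_RR` only; every other case in this switch that reads `cp[IPOPT_OFFSET]` (the source-route and timestamp options carry the same pointer byte) needs the same minimum-length test or the bug survives there, and the hunk context gives no sign they have it. Second, this guard reports `&cp[IPOPT_OFFSET]` as the parameter-problem pointer, a byte the option does not have; the field that is wrong is the length, so `&cp[IPOPT_OLEN]` would point the sender at the actual bad octet, consistent with the length check in the previous hunk.
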
    Index: ip_output.c
    ===================================================================
    RCS file: /ncvs/src/sys/netinet/ip_output.c,v
    retrieving revision 1.99
    diff -u -r1.99 ip_output.c
    --- ip_output.c	2000/03/09 14:57:15	1.99
    +++ ip_output.c	2000/06/08 15:27:08
    @@ -1302,8 +1302,10 @@
     		if (opt == IPOPT_NOP)
     			optlen = 1;
     		else {
    +			if (cnt < IPOPT_OLEN + sizeof(*cp))
    +				goto bad;
     			optlen = cp[IPOPT_OLEN];
    -			if (optlen <= IPOPT_OLEN || optlen > cnt)
    +			if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt)
     				goto bad;
     		}
     		switch (opt) {
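
Review bot: the second line of this hunk does not change behaviour: `optlen <= IPOPT_OLEN` and `optlen < IPOPT_OLEN + sizeof(*cp)` both reject 0 and 1, so the substantive fix in ip_output.c is the added `cnt < IPOPT_OLEN + sizeof(*cp)` test, which stops `cp[IPOPT_OLEN]` from being read one byte past the end of the option data. Worth a sentence in the commit message, since a reader comparing the three files will otherwise look for a difference in the lower bound that is not there. This is also the only hunk whose `goto bad` sets no ICMP code first, which is consistent with it being the output path rather than packet input.
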


END--------------------- to here ------------------------
----
Koga Youichirou
