Posted May 17, 2000

Receipt of IP packets with certain sequences of malformed IP options can cause an unaligned access in kernel mode (on many architectures), or data corruption, resulting in a panic or other problems.

tags | denial of service, kernel
systems | netbsd
SHA-256 | f8cef208a1f568ebde931884c1fb940cb0522fa38fe3d9ecf2661a0913573333



NetBSD Security Advisory 2000-002

Topic: IP options processing Denial of Service
Version: NetBSD 1.4.2 and prior; NetBSD-current until 20000507.
Severity: Network-connected systems can be crashed remotely.


Receipt of IP packets with certain sequences of malformed IP options
can cause an unaligned access in kernel mode (on many architectures),
or data corruption, resulting in a panic or other problems.

There are two problems:

One is the result of an interaction between a relatively new
optimization performed by GCC and a code fragment which violates ANSI
C, as well as insufficient protection of some data structures from
alignment changes by the compiler.

The second problem (uncovered while testing fixes to the first)
involves several incorrect range checks due to a computation involving
a mix of signed and unsigned values.

Either or both of these problems may be present in other
4.4BSD-derived systems.

Technical Details

IP packets can contain optional processing directives, which may be
examined both by the destination system of the packet, as well as by
intermediate routers. These options can be malformed, if constructed
randomly or maliciously. Tools to construct such packets are widely
available and in common use.

1) Alignment problems

The first problem arises because more aggressive optimisations added
in recent compilers made previously marginal code unsafe:

* In ip_input.c, in the code fragment that processes the IP Timestamp
option, an illegal type cast was performed from an unaligned
pointer to something needing more strict alignment; this is
disallowed by the ANSI C standard. This interacted poorly with an
optimization that GCC performed on the code fragment; the compiler
inlined a call to memcpy(), and due to the illegal type cast,
emitted a load-store of a single 32-bit value.

* In ip.h, several structures used to describe over-the-wire data
required "__attribute__((__packed__))" to prevent the compiler
making unwarranted assumptions about the alignment of the

Either of these may cause the kernel to make an unaligned access.
This unaligned access will result in a fault and a panic or other
problems on many architectures:

* It is known to produce alignment fault panics on the alpha, sparc
and sparc64 architectures; others affected may include mips and sh3.

* On some architectures, for example the arm32, misaligned accesses
do not produce faults, instead they produce incorrect data; these
systems will not panic, but instead suffer other problems, such as
exhaustion of the mbuf cluster pool.

* Other platforms, including the i386, m68k, pc532 and vax do not
have alignment checking requirements and so are unaffected by this

Because this involves an interaction with compiler optimisations, its
appearance and behaviour depend on the compiler flags used. For
example, the second problem (ip.h) does not occur when the code is
compiled specifically for Alpha 21164a or higher processors with bwx
extensions; in that case the compiler uses the added byte load/store
instructions and there is no alignment problem. As a result, it took
some additional time for this problem to be found and fixed;
unfortunately this was after the release of NetBSD 1.4.2.
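The two alignment hazards above, shown side by side as an added example (this is not code from the NetBSD tree; the structure layout is modelled on the RFC 791 Timestamp option and the names ipt_plain/ipt_packed, aligned32() and the sample packet are this example's own). It demonstrates why a pointer into the options area of a packet is not a safe thing to cast to a structure containing 32-bit members, what __attribute__((__packed__)) changes about the compiler's alignment assumption, and the memcpy-into-an-aligned-local idiom that avoids the cast altogether. The unsafe reader is defined for comparison only and is deliberately never called:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Wire layout of the IP Timestamp option (RFC 791, option code 68): code,
 * length, pointer, overflow/flag nibbles, then 32-bit timestamps.  Assumed
 * layout modelled on ip_timestamp in <netinet/ip.h>; not copied from NetBSD. */
struct ipt_plain {
    uint8_t  ipt_code, ipt_len, ipt_ptr, ipt_flgoflw;
    uint32_t ipt_time[1];            /* compiler assumes 4-byte alignment */
};

struct ipt_packed {
    uint8_t  ipt_code, ipt_len, ipt_ptr, ipt_flgoflw;
    uint32_t ipt_time[1];            /* packed: may start at any octet */
} __attribute__((__packed__));

/* True if p is suitably aligned for a native 32-bit access. */
int aligned32(const void *p) { return ((uintptr_t)p & 3) == 0; }

/* VULNERABLE pattern: cast an arbitrary octet pointer (the option cursor
 * inside an mbuf) to a structure that requires 4-byte alignment.  This is
 * undefined behaviour when cp is misaligned; GCC is entitled to turn the
 * access (or an inlined memcpy from it) into one 32-bit load, which faults
 * on alpha/sparc and silently returns wrong data on arm32.  Defined here
 * only for comparison; it is never called with a misaligned pointer. */
uint32_t read_ts_unsafe(const unsigned char *cp) {
    const struct ipt_plain *ipt = (const struct ipt_plain *)cp;
    return ipt->ipt_time[0];
}

/* FIX 1 (the ip.h change): a packed structure has alignment 1, so the
 * compiler must access ipt_time in a way that tolerates any address. */
uint32_t read_ts_packed(const unsigned char *cp) {
    const struct ipt_packed *ipt = (const struct ipt_packed *)cp;
    return ipt->ipt_time[0];
}

/* FIX 2 (the ip_input.c idiom): copy the octets through a char pointer into
 * a properly aligned local; memcpy makes no alignment promise about cp. */
uint32_t read_ts_memcpy(const unsigned char *cp) {
    uint32_t raw;
    memcpy(&raw, cp + offsetof(struct ipt_packed, ipt_time), sizeof raw);
    return raw;
}

/* Same field assembled octet by octet in host order, independent of the
 * machine's endianness; used as the reference value below. */
uint32_t read_ts_host(const unsigned char *cp) {
    const unsigned char *t = cp + 4;
    return ((uint32_t)t[0] << 24) | ((uint32_t)t[1] << 16) |
           ((uint32_t)t[2] << 8)  |  (uint32_t)t[3];
}

/* Constructed sample: a 4-byte-aligned buffer holding an IPv4 header with
 * IHL=7 (28 octets), i.e. the 20-octet fixed header, a NOP, an 8-octet
 * Timestamp option and 3 octets of padding.  The option therefore starts at
 * octet 21 and its 32-bit timestamp at octet 25: both misaligned.  Checksum
 * and addresses are placeholders. */
static const unsigned char pkt[32] __attribute__((aligned(4))) = {
    0x47, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,   /* ver/IHL, len 32 */
    0x40, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01,   /* ttl, proto, src */
    0x0a, 0x00, 0x00, 0x02,                           /* dst             */
    0x01,                                             /* NOP             */
    0x44, 0x08, 0x05, 0x00,                           /* TS, len 8, ptr 5 */
    0x12, 0x34, 0x56, 0x78,                           /* one timestamp   */
    0x00, 0x00, 0x00                                  /* EOL padding     */
};

/* Pointer to the Timestamp option inside pkt. */
const unsigned char *ts_option(void) { return pkt + 21; }

int main(void) {
    const unsigned char *cp = ts_option();
    printf("timestamp field aligned for 32-bit access: %d\n", aligned32(cp + 4));
    printf("_Alignof plain=%zu packed=%zu\n",
           _Alignof(struct ipt_plain), _Alignof(struct ipt_packed));
    printf("timestamp = 0x%08x\n", read_ts_host(cp));
    return 0;
}
```

On i386 or other architectures without alignment traps all three readers return the same value, which is exactly why the bug stayed invisible there; the distinguishing check is _Alignof, which is 4 for the plain structure and 1 for the packed one, so only the packed form tells the compiler the truth about where the data lives.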

2) Incorrect range-checking

In the course of exhaustively testing the fix and related code, the
second problem cited above was uncovered.

A malformed option can induce the system to overwrite four bytes of
memory near the packet. This may quietly corrupt user data or cause a
crash depending on exactly what is overwritten.

In order to sanity-check incoming messages, range checks of the
following general form were used:

	if (off > len - sizeof(...))
		goto error;

Because sizeof() yields an unsigned value (a size_t), C's usual arithmetic
conversions require "len - sizeof(...)" to be computed as an unsigned
value. If len is less than the value of sizeof(...), the subtraction
silently wraps around and yields a large positive value, so no value of
off can exceed it and the check never rejects the option. As a result,
the options processing code may continue on to overwrite 4 bytes of
memory near the packet buffer with one of its IP addresses.

This problem was detected when internal consistency checks within the
NetBSD pool memory allocator (which are enabled by default) determined
that a free mbuf had been overwritten.

All architectures are vulnerable to this problem. Because of
differences in type sizes and structure layout, the exact offsets
which cause trouble, and therefore the packet contents that can be
used to exploit the problem, will vary from architecture to
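The wrapping range check and its consequence, as an added example that is not the NetBSD code: the two check functions reproduce the shape of the test quoted above and one corrected form; the sim_mbuf structure, build() and record_route() are this example's own stand-in for the Record Route slot write inside an mbuf, with a guard region after the packet playing the part of the adjacent free mbuf that the pool allocator's consistency checks caught being overwritten. The option length is assumed to have been bounded against the header length by an earlier check, as the real option parser does separately; the check modelled here only decides whether the address slot fits inside the option.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Size of one IPv4 address slot in a Record Route / Timestamp option;
 * written as a sizeof so it has type size_t, exactly as in the advisory. */
#define ADDR_LEN sizeof(uint32_t)

/* VULNERABLE range check, in the shape the advisory quotes:
 *     if (off > len - sizeof(...)) goto error;
 * 'len' is converted to size_t before the subtraction.  When len < ADDR_LEN
 * the result wraps to a value near SIZE_MAX, no 'off' can exceed it, and the
 * slot write is never refused.  Returns true if the write would be allowed. */
bool slot_ok_vulnerable(int off, int len) {
    if ((size_t)off > len - ADDR_LEN)   /* unsigned arithmetic: wraps */
        return false;
    return true;
}

/* FIXED check: rule out the short option explicitly, then compare as
 * signed ints where nothing can wrap; a negative 'off' is refused too. */
bool slot_ok_fixed(int off, int len) {
    if (off < 0 || len < (int)ADDR_LEN)
        return false;
    return off <= len - (int)ADDR_LEN;
}

/* Constructed stand-in for an mbuf: PKT_LEN octets of packet followed by a
 * guard region standing in for the neighbouring free mbuf. */
#define PKT_LEN    64
#define GUARD_LEN  8
#define GUARD_FILL 0xAA

struct sim_mbuf {
    unsigned char buf[PKT_LEN + GUARD_LEN];
};

/* Place a Record Route option (code 7) with the given length and pointer at
 * octet 'at' of the packet region; everything else is zeroed. */
void build(struct sim_mbuf *m, size_t at, uint8_t optlen, uint8_t ptr) {
    memset(m->buf, 0, PKT_LEN);
    memset(m->buf + PKT_LEN, GUARD_FILL, GUARD_LEN);
    m->buf[at]     = 7;        /* IPOPT_RR */
    m->buf[at + 1] = optlen;
    m->buf[at + 2] = ptr;      /* 1-based offset of the next free slot */
}

/* Model of the RR slot write: record 'addr' at cp + (ptr - 1) if 'check'
 * allows it.  Returns how many guard octets were overwritten (0 = safe).
 * The write always stays inside m->buf, so the simulation itself is
 * well defined even when the check is wrong. */
int record_route(struct sim_mbuf *m, size_t at, const unsigned char addr[4],
                 bool (*check)(int, int)) {
    unsigned char *cp = m->buf + at;
    int len = cp[1];
    int off = cp[2] - 1;
    if (check(off, len))
        memcpy(cp + off, addr, ADDR_LEN);
    int clobbered = 0;
    for (int i = 0; i < GUARD_LEN; i++)
        if (m->buf[PKT_LEN + i] != GUARD_FILL) clobbered++;
    return clobbered;
}

/* Run one malformed option (length 3, pointer 5, placed so that the option
 * ends on the last packet octet) through the supplied check. */
int demo(bool (*check)(int, int)) {
    struct sim_mbuf m;
    const unsigned char addr[4] = { 10, 0, 0, 1 };   /* constructed address */
    build(&m, PKT_LEN - 4, 3, 5);
    return record_route(&m, PKT_LEN - 4, addr, check);
}

int main(void) {
    printf("vulnerable check: %d guard octets clobbered\n", demo(slot_ok_vulnerable));
    printf("fixed check:      %d guard octets clobbered\n", demo(slot_ok_fixed));
    return 0;
}
```

With length 3 and pointer 5 the vulnerable check computes 3 - 4 in size_t, gets a value near SIZE_MAX, and lets the 4-octet address land entirely in the guard region; the fixed check refuses the option before any subtraction happens. For well-formed options (length 7, pointer 4, which is a single free slot) both checks agree, and both reject pointer 8 on the same option, so the fix changes behaviour only where the original wrapped.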

Solutions and Workarounds

The fix involves changes to two files. Because part of the fix was
included in NetBSD 1.4.2, different patch files have been made
available for NetBSD 1.4.1 and NetBSD 1.4.2.

For all NetBSD versions, you need to download the source patch, apply
it to your kernel source tree using the patch(1) command, and rebuild,
install the kernel, and reboot. For more information on how to do
this, see:


For NetBSD 1.4.1 (and earlier):

A patch is available which contains changes to ip_input.c and ip.h,
located at:


For NetBSD 1.4.2:

A patch is available which contains changes to ip_input.c and ip.h,
located at:


These changes have been pulled up to the 1.4.x release branch; users
tracking this branch via cvs should update to a source tree dated
20000507 or later.

For NetBSD-current:

NetBSD-current since 20000506 contains all the fixes, and is not
vulnerable. Users of NetBSD-current should upgrade to a source tree
dated 20000507 or later.

Thanks To

Matt Hargett and Erik Fair for discovering and reporting the first
problem, Jason Thorpe for analysing the problem and implementing the
fixes for it, and Bill Sommerfeld for finding and fixing the second

Revision History

2000/02/29 - initial version
2000/03/11 - updated after analysis
2000/05/04 - updated for ip.h changes
2000/05/06 - updated to add range checking bug.

More Information

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved.

$NetBSD: NetBSD-SA2000-002.txt,v 1.8 2000/05/06 23:33:56 dan Exp $

