COMMAND

    ANS Interlock Internet Firewall

SYSTEMS AFFECTED

    Solaris

PROBLEM

    ANS provided the following information.  There is a problem in the
    TCP/IP stack of ANS's Interlock Internet Firewall product.  Sending
    the correct series of packet fragments will cause the machine to
    reboot.  Below is part of their advisory.

    The 1st fragment contains all (or most) of the packet's payload and
    it incorrectly indicates that no other fragments are coming (the
    IP more fragment field is not set).  The next fragment is sent
    with a zero length and uses the same packet identifier (indicating
    it's another part of the earlier packet).  This packet also does
    not indicate that more fragments are coming.  The result is that a
    zero length fragment arrives at the InterLock and gets processed by
    the Solaris fragment handling code.  Unfortunately, the Solaris
    fragment timeout handling code (which gets involved 60 seconds
    later) doesn't properly handle the zero length fragment and it
    panics the box during cleanup.
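
    A detection check for the fragment pattern described above, as an
    added example that is not part of the ANS advisory or product code.
    The function names, addresses and sample packets are constructed
    for illustration, and the state table never expires entries, which
    a real monitor would do after the reassembly timeout.

```python
import struct

IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def parse_ipv4(pkt):
    """Return (datagram key, fragment offset in bytes, MF flag, payload length)."""
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = \
        struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_off & 0x2000)
    offset = (flags_off & 0x1FFF) * 8
    return (src, dst, proto, ident), offset, more_fragments, total_len - ihl

def suspicious_fragments(packets):
    """Flag packets matching the advisory: a zero-length piece that reuses the
    identifier of a datagram already marked complete (MF clear)."""
    completed = set()   # keys for which a packet with MF clear was seen
    findings = []
    for index, pkt in enumerate(packets):
        key, offset, mf, payload_len = parse_ipv4(pkt)
        if payload_len == 0 and key in completed:
            findings.append((index, "zero-length fragment reusing completed id"))
        elif payload_len == 0 and (offset > 0 or mf):
            findings.append((index, "zero-length fragment"))
        if not mf:
            completed.add(key)
    return findings

def build(ident, flags_off, payload=b""):
    """Constructed sample packet; checksum left at 0 since it is not validated."""
    src, dst = b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02"  # 192.0.2.0/24 test range
    return struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident,
                       flags_off, 64, 17, 0, src, dst) + payload

# Constructed sample traffic, never sent anywhere.
SAMPLE = [
    build(0x1111, 0x0000, b"A" * 32),  # payload, MF clear: claims to be complete
    build(0x1111, 0x0000),             # same id, zero length, MF clear
    build(0x2222, 0x2000, b"B" * 16),  # ordinary first fragment, MF set
    build(0x2222, 0x0002, b"C" * 8),   # ordinary last fragment at offset 16
]

if __name__ == "__main__":
    for index, reason in suspicious_fragments(SAMPLE):
        print(index, reason)
```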

SOLUTION

    A patch is available.