A variety of systems based on the Ugen firewall code (FreeBSD/Linux probably NetBSD) are vulnerable to the following reported attack:

Send an IP fragment 0 acceptable to the firewall
Send an IP fragment at offset 8 to rewrite most of the header and all the data

For Linux at least the IP header should not be vulnerable to overwriting because of the way the fragment merging is done. The following is a provisional not very tested fix (I only found out about the bug 30 minutes ago). Linux is only vulnerable to tcp/udp header overwriting so host level blocking is unaffected.

Because the Ugen firewall is virtually PD a variety of low end routers seem to use it and may also be affected.

I will be issuing a tested fix to Linus for 1.2.14 once he returns from sunning himself.

[This fix is of course GPL'd and Linux but the BSD fix should be similar and obvious]

--- ip_fw.c Thu Jun 29 17:18:52 1995 +++ /tmp/ip_fw.c Wed Aug 23 10:11:22 1995 @@ -209,6 +209,30 @@ */ frag1 = ((ntohs(ip->frag_off) & IP_OFFSET) == 0); + + /* + * Stop any lead fragment attacks (eg sending the IP header + * and then overwriting it with a new fragment). The fragmenter + * works correctly to stop the rest of this attack. + */ + + if(frag1) + { + switch(ip->protocol) + { + case IPPROTO_UDP: + if(ip->ihl<<2+sizeof(struct udphdr) + >ntohs(ip->tot_len)) + return 0; + break; + case IPPROTO_TCP: + if(ip->ihl<<2+sizeof(struct udphdr) + >ntohs(ip->tot_len)) + return 0; + break; + } + } + if (!frag1 && (opt != 1) && (ip->protocol == IPPROTO_TCP || ip->protocol == IPPROTO_UDP)) return(1);
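Review bot: the length comparison in both switch arms, `ip->ihl<<2+sizeof(struct udphdr) >ntohs(ip->tot_len)`, has an operator precedence problem: in C `+` binds tighter than `<<`, so it evaluates `ip->ihl << (2 + sizeof(struct udphdr))`, which for a plain 20-byte header is 5 << 10 = 5120 and exceeds tot_len for practically every packet; since frag1 is also true for unfragmented packets, the hunk as written returns 0 for essentially all TCP and UDP traffic rather than only for truncated lead fragments. Write it as `(ip->ihl<<2)+sizeof(struct udphdr) > ntohs(ip->tot_len)`. The IPPROTO_TCP case also copies sizeof(struct udphdr) instead of sizeof(struct tcphdr), so a lead fragment carrying only the first 8 bytes of a TCP header (ports and sequence number, but not the flags the filter checks) would still pass; use sizeof(struct tcphdr) there.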
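As an added illustration, not part of the original post or of ip_fw.c, the lead-fragment check rewritten over a raw IPv4 header, with the comparison exactly as the patch spells it placed beside the corrected form so the difference shows on constructed headers. The byte-level accessors, the PROTO_* and *_HDR_LEN constants, and the check() helper are assumptions of this example.

```c
#include <stdint.h>

#define IP_OFFSET   0x1FFF   /* fragment offset mask, as used by ip_fw.c */
#define PROTO_TCP   6
#define PROTO_UDP   17
#define UDP_HDR_LEN 8        /* sizeof(struct udphdr) */
#define TCP_HDR_LEN 20       /* sizeof(struct tcphdr) without options */

/* Field accessors over a raw IPv4 header in network byte order. */
static unsigned ip_ihl(const uint8_t *p)      { return p[0] & 0x0f; }
static unsigned ip_tot_len(const uint8_t *p)  { return (p[2] << 8) | p[3]; }
static unsigned ip_frag_off(const uint8_t *p) { return ((p[6] << 8) | p[7]) & IP_OFFSET; }
static unsigned ip_proto(const uint8_t *p)    { return p[9]; }

/* Corrected lead-fragment check: a TCP/UDP packet with fragment offset 0 must
 * carry its whole transport header, so the ports and flags the filter matched
 * on cannot be supplied later by an overlapping fragment. 1 = pass, 0 = reject. */
int first_fragment_complete(const uint8_t *ip)
{
    unsigned need;
    if (ip_frag_off(ip) != 0) return 1;        /* later fragments: not this check */
    switch (ip_proto(ip)) {
    case PROTO_UDP: need = UDP_HDR_LEN; break;
    case PROTO_TCP: need = TCP_HDR_LEN; break; /* the patch used the UDP size here */
    default:        return 1;
    }
    /* '+' binds tighter than '<<' in C, so the shift needs its own parentheses. */
    return (ip_ihl(ip) << 2) + need <= ip_tot_len(ip);
}

/* The comparison as the patch spells it, ihl<<2+sizeof(udphdr), which C parses
 * as ihl << (2 + 8): 5 << 10 = 5120, larger than tot_len for nearly any packet. */
int first_fragment_complete_as_patched(const uint8_t *ip)
{
    unsigned pr = ip_proto(ip);
    if (ip_frag_off(ip) != 0 || (pr != PROTO_UDP && pr != PROTO_TCP)) return 1;
    return !((ip_ihl(ip) << (2 + UDP_HDR_LEN)) > ip_tot_len(ip));
}

/* Build a constructed 20-byte IPv4 header (ihl 5, no checksum) and run a check.
 * as_patched selects the patch's own comparison instead of the corrected one. */
int check(unsigned proto, unsigned tot_len, unsigned off, int as_patched)
{
    uint8_t h[20] = {0};
    h[0] = 0x45;                               /* version 4, ihl 5 */
    h[2] = tot_len >> 8;  h[3] = tot_len & 0xff;
    h[6] = (off >> 8) & 0x1f;  h[7] = off & 0xff;
    h[8] = 64;  h[9] = proto;                  /* ttl, protocol */
    return as_patched ? first_fragment_complete_as_patched(h) : first_fragment_complete(h);
}
```

check(PROTO_UDP, 28, 0, 0) passes a lead fragment that holds the full 8-byte UDP header, while check(PROTO_UDP, 28, 0, 1) rejects the same packet because of the precedence slip.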