FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

pf -- IP fragment handling panic

Affected systems
6.0 < FreeBSD < 6.0_4
5.4 < FreeBSD < 5.4_10
5.3 < FreeBSD < 5.3_25

Details

VuXML ID 52ba7713-9d42-11da-8c1d-000e0c2e438a
Discovery 2006-01-25
Entry 2006-02-14
Modified 2006-06-09

Problem description:

A logic bug in pf's IP fragment cache may result in a packet fragment being inserted twice, violating a kernel invariant.

Impact:

By sending carefully crafted sequence of IP packet fragments, a remote attacker can cause a system running pf with a ruleset containing a 'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash.

Workaround:

Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl' rules on systems running pf. In most cases, such rules can be replaced by 'scrub fragment reassemble' rules; see the pf.conf(5) manual page for more details.

Systems which do not use pf, or use pf but do not use the aforementioned rules, are not affected by this issue.

References

CVE Name CVE-2006-0381
FreeBSD Advisory SA-06:07.pf