FreeBSD -- ipsec crash or denial of service
The length field of the option header does not count the
size of the option header itself. This causes a problem
when the length is zero, the count is then incremented by
zero, which causes an infinite loop.
In addition there are pointer/offset mistakes in the
handling of IPv4 options.
A remote attacker who is able to send an arbitrary packet,
could cause the remote target machine to crash.
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright