> So David how do you create a buffer overflow condition on this
> router? Hmm?

Send an oversize packet to one of its interfaces, I expect, just as
one does with any other kind of net-connected computer.

> And Dave which counter got a bad value?

If you've *ever* worked at the assembler/machine-language level on
any mainstream CPU architecture, you will have been introduced to a
register (or register-pair) called the "program counter", which
contains the address of the next instruction to be executed.
Most instructions include, as a side-effect, incrementing this
register by an appropriate amount. JUMP instructions overwrite the
register contents with a new address. CALL instructions save the old
address to the stack first, and RETURN instructions pop a value from
the stack which is *supposed* to have been saved there by a CALL.

1. Exploitable buffer overflows typically involve a buffer allocated
on the stack, so that the overflow corrupts the return address.

2. "Bus error" is how several of the CPUs Cisco has used signal that
they have tried to access memory using an address that is invalid
because it is not properly aligned.

Dave's suggestion is that the bad address could have been the
program counter value. My elaboration is that a bad program counter
value could be the result of stack corruption caused by a buffer
overflow.

David Gillett

On 12 Jun 2001, at 10:14, Brian Ford wrote:
> So David how do you create a buffer overflow condition on this router? Hmm?
>
> And Dave which counter got a bad value?
>
> This message is more likely to mean that a power spike or static discharge
> occurred on the serial interface that caused the router to reset.
>
> Gerardo did the router reboot successfully? Is it operating now? How long
> has this router been in place and on this circuit? Do you have syslog data
> showing any hardware or software problems before the reboot?
>
> The reality is your router hiccuped. If it starts happening regularly you
> should look at putting it on a UPS, talk to your carrier about checking or
> adding ESD/spike protection to the circuit, or call the Cisco TAC (if you
> are on maintenance) about swapping the router.
>
> Fear, Uncertainty, and Doom at its finest.
>
> Regards,
>
> Brian
>
> At 08:59 AM 6/12/2001 +0000, Firewalls-Digest wrote:
> >Date: Tue, 12 Jun 2001 01:03:19 -0700
> >From: [EMAIL PROTECTED]
> >Subject: Re: cisco reboot
> >
> > > Technically, it means the program counter got an illegal address
> > > in it.
> >
> > One of the ways this could happen is via a buffer overflow, which
> >may potentially be exploitable (although exploiting it will be much
> >harder than making it bus error).
> >
> >David Gillett
> >
> >
> >On 12 Jun 2001, at 12:59, Dave Horsfall wrote:
> >
> > > On Mon, 11 Jun 2001, Gerardo Soto wrote:
> > >
> > > > "System restarted by bus error at PC 0x30C5BD4, address 0xE24230"
> > >
> > > Almost certainly a hardware/software fault; report it to your vendor.
> > >
> > > > What does bus error mean ? I would deeply appreciate any light regarding
> > > > this matter.
> > >
> > > Technically, it means the program counter got an illegal address in it.
> > >
> > > --
> > > > Dave Horsfall CL VK2KFU [EMAIL PROTECTED] Ph: +61 2 9906 3377 Fx: * 9906 3468
> > > > (Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia
> > >
> > > -
>
>
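
The chain argued in the reply above (a CALL saves the return address, an unchecked copy overwrites it, RETURN loads the corrupted value into the program counter, and a misaligned value ends in a bus error), as an added example that is not part of the original thread. It is a toy model in a byte array, not router code: the frame layout, the 4-byte instruction alignment, the address 0x1000 and all names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy frame (assumed layout): an 8-byte buffer sits directly below the
   4-byte return address that CALL saved on the stack. */
enum { BUF_LEN = 8, RET_OFF = 8, FRAME_LEN = 12, INSN_ALIGN = 4, CALLER_PC = 0x1000 };
enum outcome { RETURNED_OK, BUS_ERROR, PACKET_REJECTED };

struct frame { uint8_t mem[FRAME_LEN]; };

/* CALL: save the caller's next-instruction address in the frame. */
static void do_call(struct frame *f, uint32_t ret_addr) {
    memset(f->mem, 0, FRAME_LEN);
    memcpy(f->mem + RET_OFF, &ret_addr, sizeof ret_addr);
}

/* RETURN: pop the saved value into the program counter. A value that is
   not instruction-aligned models the CPU signalling a bus error. */
static enum outcome do_return(const struct frame *f, uint32_t *pc) {
    memcpy(pc, f->mem + RET_OFF, sizeof *pc);
    return (*pc % INSN_ALIGN) ? BUS_ERROR : RETURNED_OK;
}

/* Packet handler. With check == 0 the length is never compared to BUF_LEN,
   so bytes past the buffer land on the saved return address (the copy is
   clamped to the frame so the model itself stays well defined). */
static enum outcome handle(const uint8_t *pkt, size_t n, int check, uint32_t *pc) {
    struct frame f;
    do_call(&f, CALLER_PC);
    if (check && n > BUF_LEN) { *pc = CALLER_PC; return PACKET_REJECTED; }
    memcpy(f.mem, pkt, n > FRAME_LEN ? FRAME_LEN : n);
    return do_return(&f, pc);
}

int main(void) {
    uint8_t pkt[FRAME_LEN];  /* constructed oversize input: 12 bytes of 0x41 */
    uint32_t pc;
    memset(pkt, 0x41, sizeof pkt);
    enum outcome r = handle(pkt, sizeof pkt, 0, &pc);
    printf("unchecked: outcome=%d pc=0x%x\n", r, (unsigned)pc);
    r = handle(pkt, sizeof pkt, 1, &pc);
    printf("checked:   outcome=%d pc=0x%x\n", r, (unsigned)pc);
    return 0;
}
```

In the unchecked run the restored program counter is 0x41414141, which is not 4-byte aligned, so the model reports a bus error; the checked run drops the packet and the saved address is untouched.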