III. Impact
By sending carefully crafted sequence of IP packet fragments, a remote
attacker can cause a system running pf with a ruleset containing a
'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash.
IV. Workaround
Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl' rules
on systems running pf. In most cases, such rules can be replaced by
'scrub fragment reassemble' rules; see the pf.conf(5) manual page for
All:
Just to clarify on the syntax, since it's not actually mentioned in
pf.conf(5):
Per the PF FAQ, a rule:
"scrub in all" or "scrub all"
Implies "scrub in all fragment reassemble" as a default argument/flags to
"scrub" when not are specified, and none of the other scrubbing options
(no-df, random-id, etc.). This per observation of "pfctl -s all":
$ sudo grep -i scrub /etc/pf.conf
scrub in all
$ sudo pfctl -s all | grep -i scrub
scrub in all fragment reassemble
Correct?
To the credit of the FAQ Author, it does state "This is the default
behavior when no fragment option is specified." ... but that still begs
the question: "What are the default scrubbing options, other than fragment
reassembly, when none are specified?"
Might be useful to mention these things in the FAQ and the advisory.
TIA,
~lava
more details.
Systems which do not use pf, or use pf but do not use the aforementioned
rules, are not affected by this issue.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
