Packet Fragmentation - Teardrop
(frag2->ip_off + frag2->ip_len) - ip->ip_off
((5*8)+40) - (15*8) = -40
Maximum IP packet is 65535 bytes
Without bounds checking, the packet reassembly code attempts to copy -40 bytes, which the copy routine interprets as a very large unsigned byte count. The operating system crashes.
Notes:
After copying frag1 into the buffer:
ip->ip_off = frag1->ip_len;
ip->ip_len -= frag1->ip_len;
I = (frag2->ip_off + frag2->ip_len) - ip->ip_off
I = (20+40) - 80 = -20, interpreted as a large unsigned number
For readability, fragment offsets are expressed as byte offsets here.
In reality, fragment offsets are expressed in multiples of 8-byte units.
So offset 1 refers to the 9th byte, offset 5 refers to the 40th byte, offset 10 refers to the 80th byte, etc.
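The arithmetic above, as an added example that is not part of the original slides: the signed length calculation, what a copy routine sees when the negative result becomes a size_t, and a bounds-checked variant that rejects an overlapping fragment. Offsets are in bytes, as the slide assumes, and the field names are constructed to match the slide's notation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_IP_DATAGRAM 65535  /* maximum IP packet size from the slide */

/* Original (buggy) Teardrop arithmetic: signed, can go negative.
 * frag_off/frag_len describe fragment 2; ip_off is the reassembly
 * point after fragment 1 has been copied. */
int teardrop_len(int frag_off, int frag_len, int ip_off)
{
    return (frag_off + frag_len) - ip_off;
}

/* The length as memcpy() would see it once cast to size_t. */
size_t as_copy_size(int len)
{
    return (size_t)len;
}

/* Bounds-checked variant: returns the number of bytes of fragment 2 that
 * lie beyond the reassembly point, or -1 if the fragment must be dropped.
 * A fragment that ends at or before ip_off adds nothing and is rejected
 * instead of producing a negative (wrapped) length. */
int safe_len(int frag_off, int frag_len, int ip_off)
{
    if (frag_off < 0 || frag_len < 0 || ip_off < 0) return -1;
    if (frag_off + frag_len > MAX_IP_DATAGRAM) return -1;  /* exceeds datagram */
    int end = frag_off + frag_len;
    if (end <= ip_off) return -1;  /* entirely inside data already copied */
    return end - ip_off;           /* only the non-overlapping tail is copied */
}

int main(void)
{
    /* Slide values: frag2 at offset 5 (40 bytes), length 40; ip_off = 15 (120 bytes). */
    int len = teardrop_len(5 * 8, 40, 15 * 8);
    printf("signed length   : %d\n", len);
    printf("as size_t       : %zu\n", as_copy_size(len));
    printf("checked length  : %d (rejected)\n", safe_len(5 * 8, 40, 15 * 8));
    /* A well-formed follow-on fragment: starts at 120, 40 bytes, ip_off 100. */
    printf("checked length  : %d (copy tail only)\n", safe_len(120, 40, 100));
    return 0;
}
```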