[This followup was posted to comp.security.unix and a copy was sent to
the cited author.]
> (I think this has been fixed in certain versions of ping, or I'm wrong
> about what you can send.. I just tried it on my RedHat system and it
> doesn't like anything bigger than 65468 bytes... Anyway...)
To my knowledge very few "vanilla" pings shipped with Un*x's follow the
IPv4 standard, which means that you cannot send a ping of 65510 bytes; it
gets rejected in preference for a standard ping packet size.
The main reason the "Ping of death" caused problems was that un*x's
didn't check the size of the received datagram, and copied the payload
into a *PRE-SIZED* buffer; then, in line with the ICMP Echo request spec,
this packet is copied WITH IP headers into a new IP frame for
transmission back to the originator. This *REPLY* packet exceeds the
buffer, and in the good ol' unix tradition, you get an overrun into
kernel space, causing an amazing variety of problems ....
> > Ok, a summary of what I know.
> > 1) The maximum size of the IP datagram is 65535 bytes.
> > 2) A ping -l 65510 causes some unix systems to crash because the 65510
> > bytes of data AND the IP header exceeds 65535 by a few bytes.
The IP packet size is 65535; the problem is caused elsewhere in the ping
process...... read below
> > What I'm saying is that if the maximum size can be exceeded by a few
> > bytes and cause an overflow, what's stopping it from being exceeded by
> > a few thousand bytes?
> > The ping -l 65510 exploit works because it and the IP header exceed
> > 65535 bytes. This means this maximum size can be exceeded! Yet the
> > existence of a maximum size is the reason people are saying a ping -l
> > 100000 won't work? I'm confused...
> > Regards,
> > Rob
The ICMP echo request sequence of actions on receipt is:
1> Copy entire received IP "ping" packet to memory (pre-allocated 65535 bytes)
2> Set up a response packet (pre-allocated 65535 bytes)
3> Copy entire received "ping" packet (with IP headers !!) to response
4> Memory overrun.....
5> Behave strangely......
This adherence to the letter of the ping spec has now been fixed by most
flavours of unix (has wonderful effects on Windoze 3.1 boxes if sent to
broadcast tho..); in fact recent versions of Linux / FreeBSD log these,
with originator addresses !!
Hope this helps explain the above and why a 1Mb ping would simply be
rejected, AND NOT processed.... if you don't believe me try it !!!
------------------ signature start ------------------
London. UK | "Do, or do not, there is no try" Yoda
The views represented within this message are mine, and
mine alone; they do not represent those of my employer,
or indeed anyone else I know... so there !! :-)
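The post's five-step sequence hinges on two missing length checks: one at reassembly (step 1, where fragments are glued together) and one when the received packet is copied into the reply frame (step 3). The following is an added example, written for this page and not taken from any kernel or from the poster, showing what those checks look like in C. Addresses, the packet layout helper and the frame_t type are constructed for illustration; the arithmetic (20-byte IP header + 8-byte ICMP header + data, against the 16-bit 65535 limit) is the same one the thread uses for `-l 65510` and the 65468 figure quoted at the top.

```c
/* Added example: the length checks a reassembler and an ICMP echo responder
 * need so that an oversized "ping" is rejected instead of being copied into
 * a fixed 65535-byte buffer. Illustrative code, not from any real kernel. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MAX_DATAGRAM 65535u   /* 16-bit total-length field */
#define IP_MIN_HDR      20u
#define ICMP_HDR        8u
#define ICMP_ECHO_REQ   8
#define ICMP_ECHO_REPLY 0

/* Fixed-size frame of the kind the post describes (pre-allocated 65535). */
typedef struct {
    uint8_t  buf[IP_MAX_DATAGRAM];
    uint32_t len;
} frame_t;

/* Step-1 check: where would this fragment's data end in the reassembled
 * datagram (header + offset*8 + data)? Refuse anything past the limit.
 * frag_offset_units is in 8-byte units, as on the wire. */
bool fragment_fits(uint32_t hdr_len, uint16_t frag_offset_units, uint32_t frag_data_len) {
    uint32_t end = hdr_len + (uint32_t)frag_offset_units * 8u + frag_data_len;
    return hdr_len >= IP_MIN_HDR && end <= IP_MAX_DATAGRAM;
}

/* The "-l <data>" arithmetic from the thread: minimal IP header + ICMP
 * header + data must stay within one IP datagram. */
bool ping_size_fits(uint32_t data_len) {
    return IP_MIN_HDR + ICMP_HDR + data_len <= IP_MAX_DATAGRAM;
}

/* Step-3 check: build the echo reply only after verifying the whole received
 * packet fits the reply frame. Returns the reply length, or -1 on rejection. */
int build_echo_reply(const uint8_t *pkt, uint32_t pkt_len, frame_t *reply) {
    if (pkt_len < IP_MIN_HDR + ICMP_HDR || pkt_len > sizeof reply->buf)
        return -1;                        /* would overrun: drop, never copy */
    uint32_t ihl = (pkt[0] & 0x0fu) * 4u; /* IP header length in bytes */
    if (ihl < IP_MIN_HDR || ihl + ICMP_HDR > pkt_len)
        return -1;
    if (pkt[ihl] != ICMP_ECHO_REQ)
        return -1;                        /* not an echo request */
    memcpy(reply->buf, pkt, pkt_len);     /* safe: bounded above */
    /* swap source (bytes 12..15) and destination (bytes 16..19) addresses */
    uint8_t tmp[4];
    memcpy(tmp, reply->buf + 12, 4);
    memcpy(reply->buf + 12, reply->buf + 16, 4);
    memcpy(reply->buf + 16, tmp, 4);
    reply->buf[ihl] = ICMP_ECHO_REPLY;
    reply->len = pkt_len;
    return (int)pkt_len;
}

/* Constructed sample: a minimal IPv4 + ICMP echo request carrying data_len
 * bytes of data, written into out (must hold at least 28 + data_len bytes).
 * Returns the true byte count, even when it exceeds what the 16-bit
 * total-length field can express. */
uint32_t make_echo_request(uint8_t *out, uint32_t data_len) {
    uint32_t total = IP_MIN_HDR + ICMP_HDR + data_len;
    memset(out, 0, total);
    out[0] = 0x45;                                  /* IPv4, IHL = 5 words */
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)total;                        /* truncated like the wire field */
    out[9] = 1;                                     /* protocol = ICMP */
    memcpy(out + 12, "\x0a\x00\x00\x01", 4);        /* src 10.0.0.1 (constructed) */
    memcpy(out + 16, "\x0a\x00\x00\x02", 4);        /* dst 10.0.0.2 (constructed) */
    out[IP_MIN_HDR] = ICMP_ECHO_REQ;
    return total;
}

/* Drive the responder for a ping of data_len bytes; -1 means rejected. */
int reply_len_for_ping(uint32_t data_len) {
    static uint8_t pkt[70000];   /* large enough to hold an oversized request */
    static frame_t reply;
    uint32_t n = make_echo_request(pkt, data_len);
    return build_echo_reply(pkt, n, &reply);
}

int main(void) {
    printf("56-byte ping    -> reply len %d\n", reply_len_for_ping(56));
    printf("65468-byte ping -> reply len %d\n", reply_len_for_ping(65468));
    printf("65510-byte ping -> reply len %d (rejected)\n", reply_len_for_ping(65510));
    printf("fragment at offset 8189*8 with 3 bytes fits: %d\n", fragment_fits(20, 8189, 3));
    return 0;
}
```

The two rejections are deliberately the same decision made at different layers: a reassembler that enforces `fragment_fits` never produces the oversized datagram in the first place, and a responder that enforces the bound in `build_echo_reply` survives even if a different reassembly path hands it one. Either check alone turns the "memory overrun" step into a dropped packet, which is also the point at which the logging the post mentions would naturally be added.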