nanog mailing list archives

Re: Anyone seeing ping corruption?


From: Masataka Ohta <mohta () necom830 hpcl titech ac jp>
Date: Tue, 21 Dec 2021 23:33:02 +0900

Valdis Klētnieks wrote:

>> Are there even enough dialup connections and ancient modems left that POD
>> is a thing anyone needs to worry about?
>
> It wasn't just dialup and modems.  The Ping of Death had to do with sending
> a packet that was already 64K in size, that would require an ICMP response that
> would try to include the entire packet - corrupting the memory following the
> buffer the response was built in. Lots of ethernet-connected Windows systems
> got BSOD'd that way.

No, an ICMP echo reply does not include the entire request packet but
can be constructed by rewriting several fields of the request without
needing extra memory.

But, if a request packet size is just 64K or a little larger than that,
which is an invalid packet after reassembly, its fragments may be sent
as, with improper check by receivers, valid fragments, reassembly of
which will cause buffer overflow.

Another possibility of DOS by sending large ICMP echo requests should
be that they require tens of fragmentation reassembly, which consumes
a lot of resources of receivers especially when some fragments are
missed (maybe intentionally by senders) because fragmentation reassembly
buffers won't be released unless all the fragments are received and
reassembled.

                                                Masataka Ohta
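
The receiver-side check whose absence the message above describes, as an added example (not code from this thread or from any particular IP stack): each fragment can look valid on its own while offset plus length runs past the 65535-byte datagram limit. The names `frag`, `frag_check` and `reasm_store` are hypothetical, and using the current fragment's header length for the total is a conservative simplification.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IP_MAX_TOTAL 65535u  /* largest value of the 16-bit Total Length field */

/* Fields of one received IPv4 fragment that matter for the bounds check. */
struct frag {
    uint16_t offset_units;   /* 13-bit Fragment Offset, in 8-byte units */
    uint16_t payload_len;    /* bytes of data carried after the IP header */
    uint8_t  ihl_bytes;      /* IP header length in bytes (20..60) */
    int      more_frags;     /* MF flag */
};

enum frag_verdict { FRAG_OK, FRAG_BAD_HEADER, FRAG_BAD_ALIGN, FRAG_TOO_LONG };

enum frag_verdict frag_check(const struct frag *f)
{
    if (f->ihl_bytes < 20 || f->ihl_bytes > 60 || f->offset_units > 0x1FFF)
        return FRAG_BAD_HEADER;
    /* Every fragment except the last must carry a multiple of 8 bytes. */
    if (f->more_frags && (f->payload_len % 8) != 0)
        return FRAG_BAD_ALIGN;
    /* 32-bit arithmetic: 8191*8 + 65535 does not fit in 16 bits. */
    uint32_t end = (uint32_t)f->offset_units * 8u + f->payload_len;
    if (end + f->ihl_bytes > IP_MAX_TOTAL)
        return FRAG_TOO_LONG;   /* reassembled datagram would be invalid */
    return FRAG_OK;
}

/* Copy a fragment into a reassembly buffer; 0 on success, -1 if dropped. */
int reasm_store(uint8_t *buf, size_t buf_len, const struct frag *f,
                const uint8_t *data)
{
    if (frag_check(f) != FRAG_OK)
        return -1;
    size_t start = (size_t)f->offset_units * 8u;
    if (start + f->payload_len > buf_len)   /* second check against the buffer */
        return -1;
    memcpy(buf + start, data, f->payload_len);
    return 0;
}
```
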

