There is a nasty bug whereby AIX, Digital Unix, Linux and possibly some other systems can be brought down remotely by a suitably constructed oversize packet. Unfortunately a bug in another well known PC operating system means it's easy to generate such packets.

** This bug is being actively exploited on the internet against all the
** mentioned systems. This fix should be considered essential, as should
** other equivalent vendor fixes.

The bug can be exploited as simply as:

    'ping -l 65510 host.running.linux'

The following Linux fix drops such faulty frames and will also be included in 2.0.2

- --- ip_fragment.c.old	Mon Sep 16 22:14:52 1996
+++ ip_fragment.c	Sat Oct 19 01:04:47 1996
@@ -366,7 +366,7 @@
 			{
 				NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
 				ip_free(qp);
- -				frag_kfree_skb(skb,FREE_WRITE);
+				kfree_skb(skb,FREE_WRITE);
 				ip_statistics.IpReasmFails++;
 				return NULL;
 			}
@@ -466,6 +466,18 @@
 				return NULL;
 			}
 		}
+
+		/*
+		 *	Attempt to construct an oversize packet.
+		 */
+
+		if(ntohs(iph->tot_len)+(int)offset>65535)
+		{
+			skb->sk = NULL;
+			frag_kfree_skb(skb, FREE_READ);
+			ip_statistics.IpReasmFails++;
+			return NULL;
+		}
 
 	/*
 	 *	Determine the position of this fragment.
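Review bot: the first hunk (@@ -366) swaps frag_kfree_skb(skb,FREE_WRITE) for kfree_skb(skb,FREE_WRITE) in the existing "Fragment over size" path without saying why, while the new check in the second hunk frees its rejected skb with frag_kfree_skb(skb, FREE_READ). If frag_kfree_skb also adjusts the reassembly memory accounting, as its name suggests, a one-line comment stating that the skb on the first path was never charged to that accounting, and why the two paths use FREE_WRITE and FREE_READ respectively, would make both free paths reviewable. Note also that the hunk as posted is PGP dash-escaped ("- ---" and "- -"), so it must be un-escaped before patch will apply it.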
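Review bot: in the second hunk (@@ -466) the new oversize check frees only the offending skb; if a reassembly queue for this datagram already exists from earlier fragments, nothing in the added lines tears it down, so it is left to its timer, and IpReasmFails is incremented once per bad fragment rather than once per datagram. If that is the intent, a comment saying so would help, as would one explaining why skb->sk is cleared before the free. The bound itself is sound: for the last fragment ntohs(iph->tot_len)+offset equals the length of the reassembled datagram with one header on it, so the test is exact whenever every fragment carries the same header length.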
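As an added illustration, not part of the original posting or of the kernel patch, the following C program works the patch's bound through by hand: it splits a ping datagram into fragments the way a sending host would (20-byte headers and a 1500-byte MTU are assumed, and the 8-byte ICMP echo header is counted in front of the ping payload) and applies the same offset + tot_len > 65535 test to the last fragment. It shows why the ping -l 65510 from the posting is dropped while the largest legitimate ping, 65507 data bytes, still passes. No packets are built or sent; the fragment sizes are computed arithmetically.

```c
#include <stdbool.h>
#include <stdio.h>

#define IP_MAXPACKET  65535u  /* largest IP datagram, header included (RFC 791) */
#define IP_HDR_LEN    20u     /* IP header without options; assumed throughout */
#define ICMP_ECHO_HDR 8u      /* ICMP echo header in front of the ping payload */

/* A fragment as the reassembler sees it: the byte offset of its data in the
 * original datagram (the 13-bit fragment offset field << 3) and the IP total
 * length of this fragment, header included. */
struct frag {
    unsigned offset;
    unsigned tot_len;
};

/* The bound from the patch: reject when offset + tot_len > 65535.
 * For the last fragment, offset + tot_len is the length of the reassembled
 * datagram with one header on it, so the test is exact when all fragments
 * carry the same header length. */
bool oversize_fragment(unsigned offset, unsigned tot_len)
{
    return offset + tot_len > IP_MAXPACKET;
}

/* Split a datagram with `payload` bytes after the IP header into fragments
 * for a link with the given MTU, the way a sending host does (every fragment
 * but the last carries a multiple of 8 data bytes), and return the last
 * fragment. Constructed for this example only; no packet is assembled. */
struct frag last_fragment(unsigned payload, unsigned mtu)
{
    unsigned per_frag = (mtu - IP_HDR_LEN) & ~7u;  /* data bytes per fragment */
    unsigned off = 0;
    while (payload - off > per_frag)
        off += per_frag;
    struct frag last = { off, IP_HDR_LEN + (payload - off) };
    return last;
}

/* Would a ping carrying `icmp_data` bytes (the ping -l / -s argument) be
 * dropped by the patched reassembler? The last fragment decides. */
bool ping_dropped(unsigned icmp_data, unsigned mtu)
{
    struct frag last = last_fragment(icmp_data + ICMP_ECHO_HDR, mtu);
    return oversize_fragment(last.offset, last.tot_len);
}

int main(void)
{
    /* largest legal ping, then the first oversize one, then the posting's value */
    unsigned sizes[] = { 65507u, 65508u, 65510u };
    for (unsigned i = 0; i < 3; i++) {
        struct frag last = last_fragment(sizes[i] + ICMP_ECHO_HDR, 1500u);
        printf("ping -l %u: last fragment offset %u, tot_len %u, sum %u -> %s\n",
               sizes[i], last.offset, last.tot_len, last.offset + last.tot_len,
               ping_dropped(sizes[i], 1500u) ? "dropped" : "accepted");
    }
    return 0;
}
```

With a 1500-byte MTU every fragment but the last carries 1480 data bytes, so the last fragment of the 65510-byte ping sits at offset 65120 with 398 data bytes, and 65120 + 20 + 398 = 65538 exceeds 65535. The 65507-byte ping ends at exactly 65535 and is accepted, which is the line the patch draws.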