QNX Technical Articles
QNX® Momentics® Development Suite 6.3.0 SP3 or 6.3.2 TCP/IP Vulnerability (CERT VU#110947) Patch (Patch ID 933) Release Notes
Date of this edition: February 04, 2008
Target OS: This patch is compatible with targets that are running QNX® Neutrino® 6.3.0 SP3 or 6.3.2.
Host OS: In order to apply this patch, you must have installed QNX Momentics 6.3.0 SP3 or 6.3.2 as a self-hosted QNX® Neutrino® system, or on one of the following host OSs:
| Version of QNX Momentics | Microsoft Windows | Linux | Solaris | 
|---|---|---|---|
| 6.3.0 SP3 | Windows Vista, XP SP2, 2000 SP4, or NT SP6a | Linux Red Hat 8 or 9, Red Hat Enterprise WS 3 or 4, Red Hat Fedora Core 3 or 4, Debian 3.1, or SUSE 10 | Sun Solaris 7, 8, 9, or 10 | 
| 6.3.2 | Windows Vista, XP SP2, or 2000 SP4 | Linux Red Hat Enterprise Workstation 4 or 5, Red Hat Fedora Core 6 or 7, Ubuntu 6.0.6 LTS or 7.0.4, or SUSE 10 | Not supported. | 
Note: For the most up-to-date version of these notes, go to our website (www.qnx.com), log into your myQNX account, and then go to the Download area.
Throughout this document, you may see reference numbers associated with particular issues, changes, etc. When corresponding with our Technical Support staff about a given issue, please quote the relevant reference number. You might also find the reference numbers useful for tracking issues as they become fixed.
What's in this patch?
Binaries
This patch contains the full IPv4/v6 TCP/IP stack, npm-tcpip-v6.so.
Installed files
The following files are installed under $QNX_TARGET/ in the subdirectories for the supported targets:
- ARMBE:
  - armbe/lib/dll/npm-tcpip-v6.so
- ARMLE:
  - armle/lib/dll/npm-tcpip-v6.so
- MIPSBE:
  - mipsbe/lib/dll/npm-tcpip-v6.so
- MIPSLE:
  - mipsle/lib/dll/npm-tcpip-v6.so
- PPCBE:
  - ppcbe/lib/dll/npm-tcpip-v6.so
- SHLE:
  - shle/lib/dll/npm-tcpip-v6.so
- x86:
  - x86/lib/dll/npm-tcpip-v6.so
Fixed issues
We've verified that vulnerability CERT VU#110947 (as described at http://www.kb.cert.org/vuls/id/110947) is present in products that contain the IPv6 version of the TCP/IP network stack. This remote Denial of Service vulnerability allows a remote attacker to use a specially crafted network packet to make the io-net network manager fault (terminate). (Ref# 53744)
The affected binary is npm-tcpip-v6.so and is present in the following products:
- QNX Momentics 6.2x
- QNX Networking Bundle 1.1
- QNX Extended Networking TDK 1.x
- QNX Momentics 6.3.2
If you're using this binary on your system, we strongly recommend that you install this patch. If you're using a custom build, implement the source code fixes described below.
Note: Contact your support representative regarding patches for QNX Momentics 6.2x and QNX Networking Bundle 1.1.
The binary npm-tcpip-v4.so isn't affected.
Are you using the affected binary?
To determine if you're using the affected binary, type:
pidin -Pio-net mem
The output of this command will look something like this:
     pid tid name               prio STATE           code  data         stack
353370128   1 sbin/io-net         10r SIGWAITINFO       64K  840K  8192(516K)*
353370128   2 sbin/io-net         21r RECEIVE           64K  840K  4096(132K)
353370128   3 sbin/io-net         10r RECEIVE           64K  840K   4096(68K)
353370128   4 sbin/io-net         10r RECEIVE           64K  840K   4096(68K)
353370128   5 sbin/io-net         21r RECEIVE           64K  840K  4096(132K)
353370128   6 sbin/io-net         21r RECEIVE           64K  840K  4096(132K)
353370128   7 sbin/io-net         21r RECEIVE           64K  840K  4096(132K)
            libc.so.2          @b0300000             360K   12K
            devn-pcnet.so      @b8200000              40K  4096
            npm-tcpip-v6.so    @b820b000             676K   44K
            sbin/io-net        @ 8046000 (       0)        8192
            sbin/io-net        @b035d000 (       0)        4096
Examine the output for the following:
- If npm-tcpip-v6.so is listed, your system is vulnerable.
- If npm-tcpip-v4.so is listed, your system isn't vulnerable.
- If npm-tcpip.so is listed, you need to determine whether npm-tcpip.so is a symbolic link to npm-tcpip-v6.so or npm-tcpip-v4.so, as follows:
ls -l /lib/dll/npm-tcpip.so
lrwxrwxrwx 1 root root 24 Jan 24 10:08 /lib/dll/npm-tcpip.so -> /lib/dll/npm-tcpip-v6.so
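The three checks above can be scripted for use across many targets. The following is an added example, not part of the original release notes or of any QNX tool: the function name `classify_stack`, its result strings and its optional directory argument are hypothetical, and it assumes `awk` and `sed` are available where it runs (on the target, or on a host processing captured `pidin` output).

```shell
#!/bin/sh
# classify_stack (hypothetical helper): reads `pidin -Pio-net mem` output on
# stdin and prints vulnerable | not-vulnerable | unknown.
# $1 (optional, assumption): directory holding npm-tcpip.so, default /lib/dll.
classify_stack() {
    dll_dir=${1:-/lib/dll}
    # Shared objects appear as the first field of the memory-map lines.
    libs=$(awk '$1 ~ /^npm-tcpip(-v[46])?\.so$/ { print $1 }')
    result=unknown
    for lib in $libs; do
        case $lib in
        npm-tcpip-v6.so)
            echo vulnerable; return 0 ;;
        npm-tcpip-v4.so)
            result=not-vulnerable ;;
        npm-tcpip.so)
            # Generic name: follow the symbolic link, as in the ls -l step.
            target=$(ls -l "$dll_dir/npm-tcpip.so" 2>/dev/null |
                     sed -n 's/.* -> //p')
            case $target in
            *npm-tcpip-v6.so) echo vulnerable; return 0 ;;
            *npm-tcpip-v4.so) result=not-vulnerable ;;
            esac ;;
        esac
    done
    # "unknown" means no stack module was seen or the link did not resolve.
    echo "$result"
}

# Constructed sample, abridged from the listing format shown above.
sample='353370128   1 sbin/io-net         10r SIGWAITINFO       64K  840K  8192(516K)*
            libc.so.2          @b0300000             360K   12K
            npm-tcpip-v6.so    @b820b000             676K   44K'
printf '%s\n' "$sample" | classify_stack

# On a live target: pidin -Pio-net mem | classify_stack
```

A result of `unknown` still needs a manual look, for example when io-net is not running or the stack module was loaded under a different name.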
Source kits
If you've compiled a custom version of the IPv6 TCP/IP stack using the TDK or Networking Bundle, you can apply the following source modification to your custom binaries:
services/net/npm/tcpip-1-5/netinet6/ipcomp_input.c
Index: ipcomp_input.c
===================================================================
--- ipcomp_input.c      (old revision)
+++ ipcomp_input.c      (New copy)
@@ -120,7 +120,7 @@
        }
        md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
-       if (!m) {
+       if (!md) {
                m = NULL;       /* already freed */
                ipseclog((LOG_DEBUG, "IPv4 IPComp input: assumption failed "
                    "(pulldown failure)\n"));
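Review bot: The corrected test `if (!md)` carries no comment saying why the return value, and not `m`, has to be checked; the only hint is the `/* already freed */` remark one line later. Because the chain is freed inside m_pulldown() on failure, `m` is still non-NULL at this point, which is why the old `if (!m)` never took the error branch. A one-line comment above the check stating that would keep it from being changed back by mistake.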
@@ -269,7 +269,7 @@
        off = *offp;
        md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
-       if (!m) {
+       if (!md) {
                m = NULL;       /* already freed */
                ipseclog((LOG_DEBUG, "IPv6 IPComp input: assumption failed "
                    "(pulldown failure)\n"));
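Review bot: The pulldown check at `if (!md)` here duplicates the one in the hunk at line 120, differing only in the "IPv6" log string, and the wrong variable was tested in both copies. Suggest moving the m_pulldown() call, the NULL check and the ipseclog() call into one shared helper used by the IPv4 and IPv6 input paths, so a later fix cannot land in one and miss the other. It is also worth checking the other m_pulldown() call sites in the stack for a test on `m` instead of the returned pointer.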
Known issues
See the release notes for QNX Momentics 6.3.0 SP3.
Technical support
If you have any questions, comments, or problems with a QNX product, please contact Technical Support. For more information, see the How to Get Help chapter of the Welcome to QNX Momentics guide or visit our website, www.qnx.com.