Date: Thu, 24 Mar 2005 04:46:15 -0600 (CST)
From: Mike Silbersack
To: Maxim Konovalov
Cc: freebsd-hackers@freebsd.org, andre@freebsd.org
Subject: Re: ip_reass() - possibly incorrect goto
Message-ID: <20050324043742.C47410@odysseus.silby.com>
In-Reply-To: <20050323155414.S99626@mp2.macomnet.net>
References: <20050323155414.S99626@mp2.macomnet.net>

On Wed, 23 Mar 2005, Maxim Konovalov wrote:

> On Tue, 22 Mar 2005, 12:08-0800, Vijay.Singh@nokia.com wrote:
>
>> Hi hackers, I am looking at the ip_reass() routine. In case of the
>> 1st fragment we create the reassembly queue. After the queue has
>> been inserted in the hash bucket, the if () code does a "goto
>> inserted". Should this be changed to "goto done" instead? Any code
>> that is executed for the 1st fragment, like frag per packet limiting
>> and complete reassembly are not valid. Am I mistaken?
>
> Yep, it seems you are right.
> The second micro optimization - drop the
> fragment early if maxfragsperpacket == 0.
>
> Andre, Mike, what do you think?

Looks good to me. Please tell us if you come up with any more
optimizations for the reassembly code, Vijay.

On a related note... While looking through the code, I think I figured
out a way to avoid IDSes if you're trying to mess with a FreeBSD machine:

/*
 * Handle ECN by comparing this segment with the first one;
 * if CE is set, do not lose CE.
 * drop if CE and not-ECT are mixed for the same packet.
 */

Couldn't you send a fragment with half the "exploit" payload (too short
for the IDS to match), then send a packet with a different ECN status to
overwrite that fragment (at least in the IDS's buffer, but not in
FreeBSD's, since it would be dropped), and then send the second part of
the payload?

Hmmm...

Mike "Silby" Silbersack
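The ECN rule the quoted comment describes, worked through as an added example in C (my own code, not FreeBSD's ip_reass(); the struct and function names are assumptions): a reassembly queue remembers the TOS byte of its first fragment, propagates CE so it is never lost, and drops any fragment that mixes CE with Not-ECT in either order. An IDS reassembler that applies the same check discards exactly the fragments the host stack discards, so its view of the reassembled packet stays consistent with the host's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* IPv4 ECN codepoints live in the low two bits of the TOS byte (RFC 3168). */
#define ECN_MASK   0x03
#define ECN_NOTECT 0x00
#define ECN_CE     0x03

/* Minimal reassembly-queue state (assumed name): TOS of the first fragment. */
struct reass_queue {
    uint8_t first_tos;   /* TOS byte of the first fragment queued */
    bool    has_first;   /* false until the queue has been created */
};

enum frag_verdict { FRAG_ACCEPT, FRAG_DROP };

/*
 * Compare a new fragment's ECN field with the first fragment's, as the
 * comment describes: CE is propagated to the queue so it is not lost,
 * and CE mixed with Not-ECT (either order) drops the fragment.
 */
enum frag_verdict reass_check_ecn(struct reass_queue *q, uint8_t tos)
{
    uint8_t ecn = tos & ECN_MASK;
    if (!q->has_first) {            /* first fragment creates the queue */
        q->first_tos = tos;
        q->has_first = true;
        return FRAG_ACCEPT;
    }
    uint8_t ecn0 = q->first_tos & ECN_MASK;
    if (ecn == ECN_CE) {
        if (ecn0 == ECN_NOTECT)
            return FRAG_DROP;       /* CE arriving on a Not-ECT packet */
        q->first_tos |= ECN_CE;     /* do not lose CE */
    } else if (ecn == ECN_NOTECT && ecn0 == ECN_CE) {
        return FRAG_DROP;           /* Not-ECT arriving on a CE packet */
    }
    return FRAG_ACCEPT;
}

/* Feed a whole fragment train (constructed TOS values) and count the drops. */
int reass_count_drops(const uint8_t *tos_list, size_t n)
{
    struct reass_queue q = { 0, false };
    int drops = 0;
    for (size_t i = 0; i < n; i++)
        if (reass_check_ecn(&q, tos_list[i]) == FRAG_DROP)
            drops++;
    return drops;
}
```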