FreeBSD Mail Archives

Date:      Tue, 13 Nov 2018 17:25:35 +0000 (UTC)
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r340397 - stable/12/sys/netinet
Message-ID:  <201811131725.wADHPZEm091982@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help

Author: markj
Date: Tue Nov 13 17:25:34 2018
New Revision: 340397
URL: https://svnweb.freebsd.org/changeset/base/340397

Log:
  MFC r340313:
  Ensure that IP fragments do not extend beyond IP_MAXPACKET.
  
  Approved by:	re (gjb)

Modified:
  stable/12/sys/netinet/ip_reass.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/netinet/ip_reass.c
==============================================================================
--- stable/12/sys/netinet/ip_reass.c	Tue Nov 13 16:51:30 2018	(r340396)
+++ stable/12/sys/netinet/ip_reass.c	Tue Nov 13 17:25:34 2018	(r340397)
@@ -228,6 +228,16 @@ ip_reass(struct mbuf *m)
 	ip->ip_off = htons(ntohs(ip->ip_off) << 3);
 
 	/*
+	 * Make sure the fragment lies within a packet of valid size.
+	 */
+	if (ntohs(ip->ip_len) + ntohs(ip->ip_off) > IP_MAXPACKET) {
+		IPSTAT_INC(ips_toolong);
+		IPSTAT_INC(ips_fragdropped);
+		m_freem(m);
+		return (NULL);
+	}
+
+	/*
 	 * Attempt reassembly; if it succeeds, proceed.
 	 * ip_reass() will return a different mbuf.
 	 */

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201811131725.wADHPZEm091982>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation