Date: Mon, 19 Aug 1996 23:14:21 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: imp@village.org (Warner Losh)
Cc: phk@critter.tfs.com, hackers@freebsd.org
Subject: Re: Which fragments to discard (was Re: ipfw vs ipfilter)
Message-ID: <199608191314.GAA14120@freefall.freebsd.org>
In-Reply-To: <199608182248.QAA01272@rover.village.org> from "Warner Losh" at Aug 18, 96 04:48:37 pm
In some mail from Warner Losh, sie said:
>
> Poul-Henning Kamp writes:
> : This is a common mistake, only offset==1 needs to be discarded.
>
> Hmmm, since there are no comments in ip_fw.c as to why only offset 1
> is a problem, I'll have to ask here.  Why is that?

Although the RFC deals with this (1858), the fragment offset should be considered bad whenever the next header (UDP/TCP/ICMP) is split. There was discussion about whether 0 < FO < 7 was generally bad, but it was not felt to be a risk. "68", whilst seemingly magic, is only enough for 4 bytes of data, in the worst case.

Note that if FO=0 it should be possible (if > 0 data bytes) to at least check the ports, and if there are no checks being performed on flags, whether or not they're there is irrelevant.

IP Filter has the idea of a "short" packet being a packet which has fragment offset = 0 and has an incomplete header, or the fragment offset points to a region inside the header.

Darren
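The "short packet" rule Darren describes, written out as an added example (this is not IP Filter's or ipfw's code): a fragment is short either when its offset is 0 but it carries fewer bytes than the minimum transport header, or when its offset points to a byte position inside that header, so the header is split across fragments. The minimum header lengths (TCP 20, UDP 8, ICMP 8) and the constructed test fragments are assumptions of the example. It also shows why offset 1 alone is the special case for TCP but not for UDP: 8 bytes lands inside a 20-byte TCP header but exactly on the boundary of an 8-byte UDP header.

```python
"""Classify an IPv4 fragment as "short" in the IP Filter sense.

Added example, not IP Filter's or ipfw's own code.  A fragment is "short"
when (a) its fragment offset is 0 but it carries fewer bytes than the
minimum transport header for its protocol, or (b) its fragment offset
points inside that transport header (the header is split across fragments).
"""
import struct

# Minimum transport header sizes in bytes (assumed constants for this example).
MIN_HDR_LEN = {6: 20, 17: 8, 1: 8}   # TCP, UDP, ICMP

IP_MF = 0x2000          # "more fragments" flag
IP_OFFMASK = 0x1FFF     # fragment offset field, in 8-byte units


def parse_ipv4(packet: bytes) -> dict:
    """Pull the fields the rule needs out of a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, frag_field, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return {
        "ihl": ihl,
        "proto": proto,
        "more_frags": bool(frag_field & IP_MF),
        # Convert the 8-byte-unit field into a byte offset into the datagram.
        "frag_offset": (frag_field & IP_OFFMASK) * 8,
        "payload_len": min(total_len, len(packet)) - ihl,
    }


def classify_fragment(packet: bytes) -> str:
    """Return 'short', 'first', 'later' or 'unfragmented'."""
    ip = parse_ipv4(packet)
    min_hdr = MIN_HDR_LEN.get(ip["proto"])
    fo = ip["frag_offset"]
    if fo == 0 and not ip["more_frags"]:
        return "unfragmented"
    if min_hdr is None:
        # Unknown next header: no header length to compare against.
        return "first" if fo == 0 else "later"
    if fo == 0:
        # First fragment: the whole transport header must be present.
        return "short" if ip["payload_len"] < min_hdr else "first"
    # Non-first fragment: the offset must not land inside the transport header.
    return "short" if fo < min_hdr else "later"


def make_fragment(proto: int, frag_offset_units: int, more: bool, payload: bytes) -> bytes:
    """Build a constructed IPv4 fragment (no options, checksum left zero)."""
    flags_off = (IP_MF if more else 0) | (frag_offset_units & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


if __name__ == "__main__":
    # Offset 1 (8 bytes) splits a TCP header: the flags byte is in the 2nd fragment.
    print(classify_fragment(make_fragment(6, 1, True, b"\x00" * 16)))    # short
    # Offset 1 is exactly the UDP header boundary, so the UDP header is not split.
    print(classify_fragment(make_fragment(17, 1, True, b"\x00" * 16)))   # later
    # A first fragment carrying only 8 bytes of a TCP header.
    print(classify_fragment(make_fragment(6, 0, True, b"\x00" * 8)))     # short
```

Note that offset 2 (16 bytes) is also classified short for TCP, which is the "whenever the next header is split" reading rather than the offset==1-only one.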