Module Name: src Committed By: maxv Date: Thu Jan 25 20:55:15 UTC 2018
Modified Files: src/sys/netinet6: frag6.c Log Message: Kick zero-sized fragments. We can't allow them to enter; two fragments could be put at the same offset. To generate a diff of this commit: cvs rdiff -u -r1.63 -r1.64 src/sys/netinet6/frag6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.63 src/sys/netinet6/frag6.c:1.64
--- src/sys/netinet6/frag6.c:1.63 Thu Jan 25 15:55:57 2018
+++ src/sys/netinet6/frag6.c Thu Jan 25 20:55:15 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: frag6.c,v 1.63 2018/01/25 15:55:57 maxv Exp $ */
+/* $NetBSD: frag6.c,v 1.64 2018/01/25 20:55:15 maxv Exp $ */
 /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */
 /*
@@ -31,7 +31,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.63 2018/01/25 15:55:57 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.64 2018/01/25 20:55:15 maxv Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_net_mpsafe.h"
@@ -189,13 +189,14 @@ frag6_input(struct mbuf **mp, int *offp,
 }
 /*
- * check whether fragment packet's fragment length is
+ * Check whether fragment packet's fragment length is non-zero and
 * multiple of 8 octets.
 * sizeof(struct ip6_frag) == 8
 * sizeof(struct ip6_hdr) = 40
 */
 if ((ip6f->ip6f_offlg & IP6F_MORE_FRAG) &&
- (((ntohs(ip6->ip6_plen) - offset) & 0x7) != 0)) {
+ (((ntohs(ip6->ip6_plen) - offset) == 0) ||
+ ((ntohs(ip6->ip6_plen) - offset) & 0x7) != 0)) {
 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, offsetof(struct ip6_hdr, ip6_plen));
 in6_ifstat_inc(dstifp, ifs6_reass_fail);
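Review bot: The added `== 0` test in the `IP6F_MORE_FRAG` condition compares `ntohs(ip6->ip6_plen) - offset`, which may not be the fragment's data length. The comment directly above lists `sizeof(struct ip6_frag) == 8` and `sizeof(struct ip6_hdr) = 40`, which reads as the reason the `& 0x7` test is valid even though the difference is biased by those header sizes. If so (where `offset` is set lies outside the hunk, so this is inferred), the bias is harmless for the alignment test but makes the zero test match the wrong length and let truly empty fragments through. I would compute the data length once into a new local, with the header sizes accounted for according to how `offset` is defined, and write the condition as `if (fraglen <= 0 || ((ip6f->ip6f_offlg & IP6F_MORE_FRAG) && (fraglen & 0x7) != 0)) {`. That form also covers a final fragment with the M bit clear, which the current condition never checks for emptiness; whether later code in frag6_input rejects it is not visible here.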