Author: bz
Date: Thu Oct 24 20:22:52 2019
New Revision: 354046
URL: https://svnweb.freebsd.org/changeset/base/354046

Log:
frag6: handling of overlapping fragments to conform to RFC 8200

While the comment was updated in r350746, the code was not. RFC8200 says that unless fragment overlaps are exact (same fragment twice) not only the current fragment but the entire reassembly queue for this packet must be silently discarded, which we now do if fragment offset and fragment length do not match.

Obtained from: jtl
MFC after: 3 weeks
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D16850

Modified:
head/sys/netinet6/frag6.c

Modified: head/sys/netinet6/frag6.c
============================================================================== --- head/sys/netinet6/frag6.c Thu Oct 24 20:08:33 2019 (r354045) +++ head/sys/netinet6/frag6.c Thu Oct 24 20:22:52 2019 (r354046) @@ -712,6 +712,9 @@ frag6_input(struct mbuf **mp, int *offp, int proto) if (af6tmp != NULL) { if (af6tmp->ip6af_off + af6tmp->ip6af_frglen - ip6af->ip6af_off > 0) { + if (af6tmp->ip6af_off != ip6af->ip6af_off || + af6tmp->ip6af_frglen != ip6af->ip6af_frglen) + frag6_freef(q6, bucket); free(ip6af, M_FRAG6); goto dropfrag; } @@ -719,6 +722,9 @@ frag6_input(struct mbuf **mp, int *offp, int proto) if (af6 != NULL) { if (ip6af->ip6af_off + ip6af->ip6af_frglen - af6->ip6af_off > 0) { + if (af6->ip6af_off != ip6af->ip6af_off || + af6->ip6af_frglen != ip6af->ip6af_frglen) + frag6_freef(q6, bucket); free(ip6af, M_FRAG6); goto dropfrag; }
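
Review bot: In the first hunk (@@ -712,6 +712,9 @@), after the new `frag6_freef(q6, bucket);` control still falls through to `free(ip6af, M_FRAG6); goto dropfrag;`, and the visible lines do not show whether that is safe once the queue is gone. Two things are worth confirming before merge: that `ip6af` has not yet been linked into `q6` at this point (otherwise `frag6_freef()` would already have released it and the following `free()` is a double free), and that nothing on the `dropfrag` path dereferences `q6` after it has been freed. A one-line comment above the new `if` pointing at the RFC 8200 overlap rule would also explain why a partial overlap discards the whole queue while an exact duplicate drops only the new fragment.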
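
Review bot: In the second hunk (@@ -719,6 +722,9 @@), the "exact overlap" test compares only `ip6af_off` and `ip6af_frglen`, so a fragment with the same offset and length but a different payload is treated as "the same fragment twice" and the queue is kept. If that is the intended reading of RFC 8200, say so in a comment; if not, the payload needs comparing too. The condition is also a copy of the one in the first hunk with `af6` in place of `af6tmp`; a small helper taking the two fragment pointers would keep the predecessor and successor checks from drifting apart.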