Prevent TCP blind data attacks by not allowing non-initial fragments to
start at less than 68 bytes (minimal fragment size).
This commit is contained in:
parent
c48902ebaf
commit
6f23ff186c
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: ip_input.c,v 1.257 2007/12/20 19:53:32 dyoung Exp $ */
|
||||
/* $NetBSD: ip_input.c,v 1.258 2007/12/21 18:58:55 matt Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
|
@ -98,7 +98,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.257 2007/12/20 19:53:32 dyoung Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.258 2007/12/21 18:58:55 matt Exp $");
|
||||
|
||||
#include "opt_inet.h"
|
||||
#include "opt_gateway.h"
|
||||
|
@ -896,7 +896,17 @@ ours:
|
|||
* but it's not worth the time; just let them time out.)
|
||||
*/
|
||||
if (ip->ip_off & ~htons(IP_DF|IP_RF)) {
|
||||
|
||||
uint16_t off;
|
||||
/*
|
||||
* Prevent TCP blind data attacks by not allowing non-initial
|
||||
* fragments to start at less than 68 bytes (minimal fragment
|
||||
* size).
|
||||
*/
|
||||
off = htons(ip->ip_off) & ~(IP_DF|IP_EF|IP_MF);
|
||||
if (off > 0 && off + hlen < IP_MINFRAGSIZE - 1) {
|
||||
ipstat.ips_badfrags++;
|
||||
goto bad;
|
||||
}
|
||||
/*
|
||||
* Look for queue of fragments
|
||||
* of this datagram.
|
||||
|
|
Loading…
Reference in New Issue