Prevent TCP blind data attacks by not allowing non-initial fragments to

start at less than 68 bytes (minimal fragment size).

sys/netinet/ip_input.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.257 2007/12/20 19:53:32 dyoung Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.258 2007/12/21 18:58:55 matt Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -98,7 +98,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.257 2007/12/20 19:53:32 dyoung Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.258 2007/12/21 18:58:55 matt Exp $");
 
 #include "opt_inet.h"
 #include "opt_gateway.h"
@@ -896,7 +896,17 @@ ours:
 	 * but it's not worth the time; just let them time out.)
 	 */
 	if (ip->ip_off & ~htons(IP_DF|IP_RF)) {
-
+		uint16_t off;
+		/*
+		 * Prevent TCP blind data attacks by not allowing non-initial
+		 * fragments to start at less than 68 bytes (minimal fragment
+		 * size).
+		 */
+		off = htons(ip->ip_off) & ~(IP_DF|IP_EF|IP_MF);
+		if (off > 0 && off + hlen < IP_MINFRAGSIZE - 1) {
+			ipstat.ips_badfrags++;
+			goto bad;
+		}
 		/*
 		 * Look for queue of fragments
 		 * of this datagram.