| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180802170935.7ff9e4cb@xeon-e3>
Date: Thu, 2 Aug 2018 17:09:35 -0700
From: Stephen Hemminger <stephen@...workplumber.org>
To: Peter Oskolkov <posk@...gle.com>
Cc: David Miller <davem@...emloft.net>, netdev@...r.kernel.org,
Eric Dumazet <edumazet@...gle.com>,
Florian Westphal <fw@...len.de>
Subject: Re: [PATCH v2 net-next 1/3] ip: discard IPv4 datagrams with
overlapping segments.
On Thu, 2 Aug 2018 23:34:37 +0000
Peter Oskolkov <posk@...gle.com> wrote:
> This behavior is required in IPv6, and there is little need
> to tolerate overlapping fragments in IPv4. This change
> simplifies the code and eliminates potential DDoS attack vectors.
>
> Tested: ran ip_defrag selftest (not yet available uptream).
>
> Suggested-by: David S. Miller <davem@...emloft.net>
> Signed-off-by: Peter Oskolkov <posk@...gle.com>
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Cc: Florian Westphal <fw@...len.de>
There are a couple of relevant RFC's
RFC 1858 - Security Considerations for IP Fragment Filtering
RFC 2460 - Handling of Overlapping IPv6 Fragments
Acked-by: Stephen Hemminger <stephen@...workplumber.org>
Powered by blists - more mailing lists