Message-Id: <20180829.194958.139685537797704906.davem@davemloft.net>
Date: Wed, 29 Aug 2018 19:49:58 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: posk@...gle.com
Cc: netdev@...r.kernel.org
Subject: Re: [PATCH net-next 1/2] ip: fail fast on IP defrag errors

From: Peter Oskolkov <posk@...gle.com>
Date: Tue, 28 Aug 2018 11:36:19 -0700

> The current behavior of IP defragmentation is inconsistent:
> - some overlapping/wrong length fragments are dropped without
>   affecting the queue;
> - most overlapping fragments cause the whole frag queue to be dropped.
>
> This patch brings consistency: if a bad fragment is detected,
> the whole frag queue is dropped. Two major benefits:
> - fail fast: corrupted frag queues are cleared immediately, instead of
>   by timeout;
> - testing of overlapping fragments is now much easier: any kind of
>   random fragment length mutation now leads to the frag queue being
>   discarded (IP packet dropped); before this patch, some overlaps were
>   "corrected", with tests not seeing expected packet drops.
>
> Note that in one case (see "if (end&7)" conditional) the current
> behavior is preserved as there are concerns that this could be
> legitimate padding.
>
> Signed-off-by: Peter Oskolkov <posk@...gle.com>
> Reviewed-by: Eric Dumazet <edumazet@...gle.com>
> Reviewed-by: Willem de Bruijn <willemb@...gle.com>

Applied.
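Added example, not part of this thread and not the kernel patch: a userspace model in C of the fail-fast policy the commit message describes, where any bad fragment discards the whole queue so the datagram can no longer complete. The names frag_queue and frag_add, the 16-fragment cap, treating an empty fragment as bad, and modelling the preserved "end&7" case as trimming to an 8-byte boundary are assumptions of this model.

```c
#include <stdbool.h>
#include <string.h>

#define MAX_FRAGS 16
enum frag_result { FRAG_QUEUED, FRAG_COMPLETE, FRAG_QUEUE_DROPPED };

struct frag_queue {
    struct { unsigned off, end; } f[MAX_FRAGS];
    unsigned n, len, bytes; /* fragments held, highest end seen, payload bytes held */
    bool last_in;           /* the MF=0 fragment has arrived */
};

/* Fail fast: forget every fragment collected so far. */
static enum frag_result drop_queue(struct frag_queue *q)
{
    memset(q, 0, sizeof(*q));
    return FRAG_QUEUE_DROPPED;
}

enum frag_result frag_add(struct frag_queue *q, unsigned off, unsigned size, bool more_frags)
{
    unsigned end = off + size;

    if (!more_frags) {
        /* The last fragment fixes the datagram length and must agree with the queue. */
        if (end < q->len || (q->last_in && end != q->len))
            return drop_queue(q);
        q->last_in = true;
        q->len = end;
    } else {
        if (end & 7)
            end &= ~7u;               /* preserved case: trim, may be padding */
        if (q->last_in && end > q->len)
            return drop_queue(q);     /* data beyond the announced end */
        if (end > q->len)
            q->len = end;
    }
    if (end <= off || q->n == MAX_FRAGS)
        return drop_queue(q);         /* empty fragment or full queue (model choice) */
    for (unsigned i = 0; i < q->n; i++)
        if (off < q->f[i].end && q->f[i].off < end)
            return drop_queue(q);     /* any overlap kills the whole queue */
    q->f[q->n].off = off;
    q->f[q->n++].end = end;
    q->bytes += end - off;
    return (q->last_in && q->bytes == q->len) ? FRAG_COMPLETE : FRAG_QUEUED;
}
```

A test harness can feed mutated offset/length pairs to frag_add and expect either FRAG_QUEUE_DROPPED or a queue that never reaches FRAG_COMPLETE, which is the testing benefit the commit message names.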