diff options
| author | Peter Oskolkov <posk@google.com> | 2018-08-02 19:34:37 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2018-08-05 20:16:46 -0400 |
| commit | 7969e5c40dfd04799d4341f1b7cd266b6e47f227 (patch) | |
| tree | 167103e66b8f8ebf96bf4ca7644c3e0f7b3bca10 /net/ipv4/proc.c | |
| parent | cfb4099fb4c101dad283a163c9525240ef4a1a99 (diff) | |
ip: discard IPv4 datagrams with overlapping segments.
This behavior is required in IPv6, and there is little need
to tolerate overlapping fragments in IPv4. This change
simplifies the code and eliminates potential DDoS attack vectors.
Tested: ran ip_defrag selftest (not yet available uptream).
Suggested-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Peter Oskolkov <posk@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Acked-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/proc.c')
| -rw-r--r-- | net/ipv4/proc.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c index b46e4cf9a55a..70289682a670 100644 --- a/net/ipv4/proc.c +++ b/net/ipv4/proc.c | |||
| @@ -119,6 +119,7 @@ static const struct snmp_mib snmp4_ipextstats_list[] = { | |||
| 119 | SNMP_MIB_ITEM("InECT1Pkts", IPSTATS_MIB_ECT1PKTS), | 119 | SNMP_MIB_ITEM("InECT1Pkts", IPSTATS_MIB_ECT1PKTS), |
| 120 | SNMP_MIB_ITEM("InECT0Pkts", IPSTATS_MIB_ECT0PKTS), | 120 | SNMP_MIB_ITEM("InECT0Pkts", IPSTATS_MIB_ECT0PKTS), |
| 121 | SNMP_MIB_ITEM("InCEPkts", IPSTATS_MIB_CEPKTS), | 121 | SNMP_MIB_ITEM("InCEPkts", IPSTATS_MIB_CEPKTS), |
| 122 | SNMP_MIB_ITEM("ReasmOverlaps", IPSTATS_MIB_REASM_OVERLAPS), | ||
| 122 | SNMP_MIB_SENTINEL | 123 | SNMP_MIB_SENTINEL |
| 123 | }; | 124 | }; |
| 124 | 125 | ||