ipv6: drop fragmented ndisc packets by default (RFC 6980)

This patch implements RFC6980: Drop fragmented ndisc packets by default. If a fragmented ndisc packet is received the user is informed that it is possible to disable the check. Cc: Fernando Gont <fernando@gont.com.ar> Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Hannes Frederic Sowa <hannes@stressinduktion.org> 2013-08-26 19:36:51 -0400
committer: David S. Miller <davem@davemloft.net> 2013-08-29 15:32:08 -0400
commit: b800c3b966bcf004bd8592293a49ed5cb7ea67a9 (patch)
tree: e10eef87a5dc18bc16745adde12dae6ff104240b /net/ipv6/ndisc.c
parent: a3a975b1dfe999f3e5d38d38f2387894c4332d96 (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 04d31c2fbef1..41720feeaa64 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1519,10 +1519,27 @@ static void pndisc_redo(struct sk_buff *skb)
        kfree_skb(skb);
 }
+static bool ndisc_suppress_frag_ndisc(struct sk_buff *skb)
+{
+        struct inet6_dev *idev = __in6_dev_get(skb->dev);
+        if (!idev)
+                return true;
+        if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED &&
+            idev->cnf.suppress_frag_ndisc) {
+                net_warn_ratelimited("Received fragmented ndisc packet. Carefully consider disabling suppress_frag_ndisc.\n");
+                return true;
+        }
+        return false;
+}
 int ndisc_rcv(struct sk_buff *skb)
 {
        struct nd_msg *msg;
+        if (ndisc_suppress_frag_ndisc(skb))
+                return 0;
        if (skb_linearize(skb))
                return 0;
author	Hannes Frederic Sowa <hannes@stressinduktion.org>	2013-08-26 19:36:51 -0400
committer	David S. Miller <davem@davemloft.net>	2013-08-29 15:32:08 -0400
commit	b800c3b966bcf004bd8592293a49ed5cb7ea67a9 (patch)
tree	e10eef87a5dc18bc16745adde12dae6ff104240b /net/ipv6/ndisc.c
parent	a3a975b1dfe999f3e5d38d38f2387894c4332d96 (diff)

diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index 04d31c2fbef1..41720feeaa64 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c
@@ -1519,10 +1519,27 @@ static void pndisc_redo(struct sk_buff *skb)
1519	kfree_skb(skb);	1519	kfree_skb(skb);
1520	}	1520	}
1521		1521
		1522	static bool ndisc_suppress_frag_ndisc(struct sk_buff *skb)
		1523	{
		1524	struct inet6_dev *idev = __in6_dev_get(skb->dev);
		1525
		1526	if (!idev)
		1527	return true;
		1528	if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED &&
		1529	idev->cnf.suppress_frag_ndisc) {
		1530	net_warn_ratelimited("Received fragmented ndisc packet. Carefully consider disabling suppress_frag_ndisc.\n");
		1531	return true;
		1532	}
		1533	return false;
		1534	}
		1535
1522	int ndisc_rcv(struct sk_buff *skb)	1536	int ndisc_rcv(struct sk_buff *skb)
1523	{	1537	{
1524	struct nd_msg *msg;	1538	struct nd_msg *msg;
1525		1539
		1540	if (ndisc_suppress_frag_ndisc(skb))
		1541	return 0;
		1542
1526	if (skb_linearize(skb))	1543	if (skb_linearize(skb))
1527	return 0;	1544	return 0;
1528		1545