ip: discard IPv4 datagrams with overlapping segments.
author Peter Oskolkov <posk@google.com>
Thu, 13 Sep 2018 14:58:52 +0000 (07:58 -0700)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 19 Sep 2018 20:43:47 +0000 (22:43 +0200)
commit 1c44969111cc68f361638b6e54f5a176609aa05a
tree c060cfc84c3936fa8ab49f9fa8d485ef42c25e37
parent 5fff99e88a1f4b4e62fd07bf3eb87305c88f3400
ip: discard IPv4 datagrams with overlapping segments.

This behavior is required in IPv6, and there is little need
to tolerate overlapping fragments in IPv4. This change
simplifies the code and eliminates potential DDoS attack vectors.

Tested: ran ip_defrag selftest (not yet available upstream).

Suggested-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Peter Oskolkov <posk@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Acked-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 7969e5c40dfd04799d4341f1b7cd266b6e47f227)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
include/uapi/linux/snmp.h
net/ipv4/ip_fragment.c
net/ipv4/proc.c
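
The policy named in the commit message, as an added illustration that is not the kernel's code and is not taken from this commit: a fragment whose byte range intersects one already queued causes the whole datagram to be dropped instead of being trimmed to fit. The struct, enum and function names are hypothetical, and treating an exact duplicate as an overlap is an assumption of this model.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAX_FRAGS 16

/* Hypothetical model of one reassembly queue (not the kernel's struct ipq). */
struct frag { unsigned start, end; };      /* payload byte range [start, end) */
struct frag_queue {
    struct frag frags[MAX_FRAGS];          /* sorted by start, never overlapping */
    size_t n;
    unsigned total;                        /* datagram length; 0 until last fragment seen */
    bool dead;                             /* set once the datagram has been discarded */
};
enum frag_result { FRAG_QUEUED, FRAG_COMPLETE, FRAG_DISCARDED };

/* Queue one fragment; more_frags mirrors the IPv4 MF flag. */
enum frag_result frag_insert(struct frag_queue *q, unsigned start, unsigned end,
                             bool more_frags)
{
    size_t i, pos = 0;
    unsigned next = 0;

    if (q->dead || start >= end || q->n == MAX_FRAGS)
        goto discard;
    if (q->total && (end > q->total || !more_frags))
        goto discard;                      /* runs past, or redefines, the known end */
    for (i = 0; i < q->n; i++) {
        const struct frag *f = &q->frags[i];
        if ((start < f->end && f->start < end) ||  /* overlap (incl. exact duplicate) */
            (!more_frags && f->end > end))         /* queued data beyond the last fragment */
            goto discard;
        if (f->start < start)
            pos = i + 1;
    }
    for (i = q->n; i > pos; i--)           /* shift to keep the list sorted */
        q->frags[i] = q->frags[i - 1];
    q->frags[pos] = (struct frag){ start, end };
    q->n++;
    if (!more_frags)
        q->total = end;
    for (i = 0; i < q->n && q->frags[i].start == next; i++)
        next = q->frags[i].end;            /* walk the contiguous prefix from byte 0 */
    return (q->total && next == q->total) ? FRAG_COMPLETE : FRAG_QUEUED;
discard:
    q->n = 0;                              /* drop everything queued so far */
    q->dead = true;
    return FRAG_DISCARDED;
}
```

Because no fragment is ever trimmed or split, the queue holds only disjoint ranges and the completeness check is a single linear walk.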