Page MenuHomeFreeBSD
Files F108155182

D16850.diff
No OneTemporary
Actions

D16850.diff
View Options

Index: sys/netinet6/frag6.c
===================================================================
--- sys/netinet6/frag6.c
+++ sys/netinet6/frag6.c
@@ -494,57 +494,13 @@
if (af6->ip6af_off > ip6af->ip6af_off)
break;
-#if 0
- /*
- * If there is a preceding segment, it may provide some of
- * our data already. If so, drop the data from the incoming
- * segment. If it provides all of our data, drop us.
- */
- if (af6 != NULL)
- af6tmp = TAILQ_PREV(af6, ip6fraghead, ip6af_tq);
- else
- af6tmp = TAILQ_LAST(&q6->ip6q_frags, ip6fraghead);
- if (af6tmp != NULL) {
- i = af6tmp->ip6af_off + af6tmp->ip6af_frglen
- - ip6af->ip6af_off;
- if (i > 0) {
- if (i >= ip6af->ip6af_frglen)
- goto dropfrag;
- m_adj(IP6_REASS_MBUF(ip6af), i);
- ip6af->ip6af_off += i;
- ip6af->ip6af_frglen -= i;
- }
- }
-
- /*
- * While we overlap succeeding segments trim them or,
- * if they are completely covered, dequeue them.
- */
- while (af6 != NULL) {
- i = (ip6af->ip6af_off + ip6af->ip6af_frglen) - af6->ip6af_off;
- if (i <= 0)
- break;
- if (i < af6->ip6af_frglen) {
- af6->ip6af_frglen -= i;
- af6->ip6af_off += i;
- m_adj(IP6_REASS_MBUF(af6), i);
- break;
- }
- af6tmp = TAILQ_NEXT(af6, ip6af_tq);
- m_freem(IP6_REASS_MBUF(af6));
- TAILQ_REMOVE(&q6->ip6q_frags, af6, ip6af_tq);
- af6 = af6tmp;
- }
-#else
/*
* If the incoming framgent overlaps some existing fragments in
- * the reassembly queue, drop it, since it is dangerous to override
- * existing fragments from a security point of view.
- * We don't know which fragment is the bad guy - here we trust
- * fragment that came in earlier, with no real reason.
- *
- * Note: due to changes after disabling this part, mbuf passed to
- * m_adj() below now does not meet the requirement.
+ * the reassembly queue, drop both the new fragment and the
+ * entire reassembly queue. However, if the new fragment
+ * is an exact duplicate of an existing fragment, only silently
+ * drop the existing fragment and leave the fragmentation queue
+ * unchanged, as allowed by the RFC. (RFC 8200, 4.5)
*/
if (af6 != NULL)
af6tmp = TAILQ_PREV(af6, ip6fraghead, ip6af_tq);
@@ -560,6 +516,9 @@
i, ip6_sprintf(ip6buf, &q6->ip6q_src));
#endif
free(ip6af, M_FTABLE);
+ if (af6tmp->ip6af_off != ip6af->ip6af_off ||
+ af6tmp->ip6af_frglen != ip6af->ip6af_frglen)
+ frag6_freef(q6, hash);
goto dropfrag;
}
}
@@ -572,10 +531,12 @@
i, ip6_sprintf(ip6buf, &q6->ip6q_src));
#endif
free(ip6af, M_FTABLE);
+ if (af6->ip6af_off != ip6af->ip6af_off ||
+ af6->ip6af_frglen != ip6af->ip6af_frglen)
+ frag6_freef(q6, hash);
goto dropfrag;
}
}
-#endif
insert:
#ifdef MAC

File Metadata

Mime Type
text/plain
Expires
Wed, Jan 22, 11:21 PM (16 h, 19 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
16042833
Default Alt Text
D16850.diff (2 KB)

Event Timeline