Diffusion FreeBSD src repository - subversion rS337778

Add a global limit on the number of IPv4 fragments.
rS337778
Actions

Description

Add a global limit on the number of IPv4 fragments.

The IP reassembly fragment limit is based on the number of mbuf clusters,
which are a global resource. However, the limit is currently applied
on a per-VNET basis. Given enough VNETs (or given sufficient customization
of enough VNETs), it is possible that the sum of all the VNET limits
will exceed the number of mbuf clusters available in the system.

Given the fact that the fragment limit is intended (at least in part) to
regulate access to a global resource, the fragment limit should
be applied on a global basis.

VNET-specific limits can be adjusted by modifying the
net.inet.ip.maxfragpackets and net.inet.ip.maxfragsperpacket
sysctls.

To disable fragment reassembly globally, set net.inet.ip.maxfrags to 0.
To disable fragment reassembly for a particular VNET, set
net.inet.ip.maxfragpackets to 0.

Reviewed by: jhb
Security: FreeBSD-SA-18:10.ip
Security: CVE-2018-6923

Details

Provenance

jtl	Authored on

Reviewer

jhb

Parents

rS337777: Add definitions related to the L1D flush operation capability and MSR.

Branches

Unknown

Tags

Unknown

Event Timeline

jtl committed rS337778: Add a global limit on the number of IPv4 fragments..Aug 14 2018, 5:19 PM

Changes (1)

Path

Size

head/

sys/

netinet/

ip_reass.c

rS337778

View Options

head/sys/netinet/ip_reass.c