ip: discard IPv4 datagrams with overlapping segments.

commit 7969e5c40dfd04799d4341f1b7cd266b6e47f227 upstream. This behavior is required in IPv6, and there is little need to tolerate overlapping fragments in IPv4. This change simplifies the code and eliminates potential DDoS attack vectors. Tested: ran ip_defrag selftest (not yet available uptream). Suggested-by: David S. Miller <davem@davemloft.net> Signed-off-by: Peter Oskolkov <posk@google.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Florian Westphal <fw@strlen.de> Acked-by: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Mao Wenan <maowenan@huawei.com> [bwh: Backported to 4.4: - s/__IP_INC_STATS/IP_INC_STATS_BH/ - Deleted code is slightly different] Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Peter Oskolkov <posk@google.com> 2018-10-10 12:30:07 -0700
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-02-08 11:25:32 +0100
commit: ef0f963de1d2c5bc99d3d6ace3dd44a7d6002717 (patch)
tree: d36a5a3efd2dd687f9a409dc05133f17dd7a314e /include
parent: bf40801a018bbe8f2076fab89f538cc05eb15c03 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h
index 25a9ad8bcef1..9de808ebce05 100644
--- a/include/uapi/linux/snmp.h
+++ b/include/uapi/linux/snmp.h
@@ -55,6 +55,7 @@ enum
 	IPSTATS_MIB_ECT1PKTS,			/* InECT1Pkts */
 	IPSTATS_MIB_ECT0PKTS,			/* InECT0Pkts */
 	IPSTATS_MIB_CEPKTS,			/* InCEPkts */
+	IPSTATS_MIB_REASM_OVERLAPS,		/* ReasmOverlaps */
 	__IPSTATS_MIB_MAX
 };
author	Peter Oskolkov <posk@google.com>	2018-10-10 12:30:07 -0700
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-02-08 11:25:32 +0100
commit	ef0f963de1d2c5bc99d3d6ace3dd44a7d6002717 (patch)
tree	d36a5a3efd2dd687f9a409dc05133f17dd7a314e /include
parent	bf40801a018bbe8f2076fab89f538cc05eb15c03 (diff)