[ovs-git] [openvswitch/ovs] 7954d0: datapath-windows: Do not drop Ip fragments less th...

GitHub noreply at github.com
Thu Mar 8 00:42:19 UTC 2018


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: 7954d04a898c040e0e4e2f21b38b0a3b03f68190
      https://github.com/openvswitch/ovs/commit/7954d04a898c040e0e4e2f21b38b0a3b03f68190
  Author: Anand Kumar <kumaranand at vmware.com>
  Date:   2018-03-08 (Thu, 08 Mar 2018)

  Changed paths:
    M datapath-windows/ovsext/IpFragment.c

  Log Message:
  -----------
  datapath-windows: Do not drop Ip fragments less than MIN_FRAGMENT_SIZE

Previously ipfragment module would drop any fragments less than
MIN_FRAGMENT_SIZE (400 bytes), which was added to safeguard against the
vulnerability CVE-2000-0305. This check is incorrect, since minimum size
of the Ipfragment is 68 bytes (i.e. max length of Ip Header + 8 bytes of
L4 header). So Ip fragments less than MIN_FRAGMENT_SIZE (400 bytes) are not
guaranteed to be malformed or illegal.

To guard against security vulnerability CVE-2000-0305, for a given ip
datagram, ipfragments should be dropped only when number of smallest
fragments received reaches a certain threshold.

Signed-off-by: Anand Kumar <kumaranand at vmware.com>
Acked-by: Alin Gabriel Serdean <aserdean at ovn.org>
Signed-off-by: Alin Gabriel Serdean <aserdean at ovn.org>
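
The per-datagram counting the log message describes, as an added sketch that is not the code from this commit or from datapath-windows/ovsext/IpFragment.c. The threshold value, the table size, the struct and function names, and the choice to reject the rest of a datagram once the threshold is reached are all assumptions of this example; only MIN_FRAGMENT_SIZE (400 bytes) and the 68-byte figure come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MIN_FRAGMENT_SIZE   400 /* bytes, from the commit message */
#define MAX_SMALL_FRAGMENTS 4   /* assumed threshold; the message gives no value */
#define TABLE_SIZE          64  /* assumed number of datagrams tracked at once */

struct frag_key { uint32_t src, dst; uint16_t id; uint8_t proto; }; /* one datagram */

static struct frag_entry {
    struct frag_key key;
    unsigned small_count; /* fragments shorter than MIN_FRAGMENT_SIZE seen so far */
    int in_use;
} table[TABLE_SIZE];

/* Find the reassembly entry for this datagram, or claim a free slot for it. */
static struct frag_entry *lookup_or_create(const struct frag_key *k)
{
    struct frag_entry *slot = NULL;
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        struct frag_entry *e = &table[i];
        if (e->in_use && e->key.src == k->src && e->key.dst == k->dst &&
            e->key.id == k->id && e->key.proto == k->proto)
            return e;
        if (!e->in_use && slot == NULL)
            slot = e;
    }
    if (slot != NULL)
        *slot = (struct frag_entry){ .key = *k, .in_use = 1 };
    return slot;
}

/* Returns 1 to queue the fragment for reassembly, 0 to drop it. */
int frag_accept(const struct frag_key *k, unsigned frag_len)
{
    struct frag_entry *e = lookup_or_create(k);
    if (e == NULL || e->small_count >= MAX_SMALL_FRAGMENTS)
        return 0; /* table full (fail closed) or datagram already over threshold */
    if (frag_len < MIN_FRAGMENT_SIZE && ++e->small_count >= MAX_SMALL_FRAGMENTS)
        return 0; /* this small fragment reaches the threshold */
    return 1;     /* a small fragment on its own is legal and is kept */
}

int main(void)
{
    struct frag_key k = { 0x0a000001, 0x0a000002, 7, 17 }; /* constructed sample */
    for (int i = 1; i <= 5; i++)
        printf("68-byte fragment %d: %s\n", i, frag_accept(&k, 68) ? "accept" : "drop");
}
```
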



