dflybsd_rfc5722_0.diff

logan1, 09/19/2013 05:37 AM


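--- a/frag6.c
+++ b/frag6.c
@@ -350,56 +350,13 @@
 		if (af6->ip6af_off > ip6af->ip6af_off)
 			break;
 
-#if 0
 	/*
-	 * If there is a preceding segment, it may provide some of
-	 * our data already.  If so, drop the data from the incoming
-	 * segment.  If it provides all of our data, drop us.
+	 * RFC 5722: Drop overlapping fragments  
 	 */
 	if (af6->ip6af_up != (struct ip6asfrag *)q6) {
 		i = af6->ip6af_up->ip6af_off + af6->ip6af_up->ip6af_frglen
 			- ip6af->ip6af_off;
 		if (i > 0) {
-			if (i >= ip6af->ip6af_frglen)
-				goto dropfrag;
-			m_adj(IP6_REASS_MBUF(ip6af), i);
-			ip6af->ip6af_off += i;
-			ip6af->ip6af_frglen -= i;
-		}
-	}
-
-	/*
-	 * While we overlap succeeding segments trim them or,
-	 * if they are completely covered, dequeue them.
-	 */
-	while (af6 != (struct ip6asfrag *)q6 &&
-	       ip6af->ip6af_off + ip6af->ip6af_frglen > af6->ip6af_off) {
-		i = (ip6af->ip6af_off + ip6af->ip6af_frglen) - af6->ip6af_off;
-		if (i < af6->ip6af_frglen) {
-			af6->ip6af_frglen -= i;
-			af6->ip6af_off += i;
-			m_adj(IP6_REASS_MBUF(af6), i);
-			break;
-		}
-		af6 = af6->ip6af_down;
-		m_freem(IP6_REASS_MBUF(af6->ip6af_up));
-		frag6_deq(af6->ip6af_up);
-	}
-#else
-	/*
-	 * If the incoming framgent overlaps some existing fragments in
-	 * the reassembly queue, drop it, since it is dangerous to override
-	 * existing fragments from a security point of view.
-	 */
-	if (af6->ip6af_up != (struct ip6asfrag *)q6) {
-		i = af6->ip6af_up->ip6af_off + af6->ip6af_up->ip6af_frglen
-			- ip6af->ip6af_off;
-		if (i > 0) {
-#if 0				/* suppress the noisy log */
-			log(LOG_ERR, "%d bytes of a fragment from %s "
-			    "overlaps the previous fragment\n",
-			    i, ip6_sprintf(&q6->ip6q_src));
-#endif
 			kfree(ip6af, M_FTABLE);
 			goto dropfrag;
 		}
@@ -407,16 +364,10 @@
 	if (af6 != (struct ip6asfrag *)q6) {
 		i = (ip6af->ip6af_off + ip6af->ip6af_frglen) - af6->ip6af_off;
 		if (i > 0) {
-#if 0				/* suppress the noisy log */
-			log(LOG_ERR, "%d bytes of a fragment from %s "
-			    "overlaps the succeeding fragment",
-			    i, ip6_sprintf(&q6->ip6q_src));
-#endif
 			kfree(ip6af, M_FTABLE);
 			goto dropfrag;
 		}
 	}
-#endif
 
 insert:
 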
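Review bot: The two overlap checks on the new side still free only the incoming `ip6af` and jump to `dropfrag`, which is what the previously active `#else` branch already did, so the commit removes dead code and comments without changing behaviour. RFC 5722 requires that once an overlap is detected the entire datagram, including fragments already queued and those not yet received, is silently discarded; on the visible lines the queue headed by `q6` is left intact, although `dropfrag` lies outside this section and may do more. If the partial behaviour is intended, the new comment should say so, for example `* RFC 5722: drop the overlapping fragment (fragments already queued on q6 are kept; full discard not implemented)`, otherwise both `if (i > 0)` bodies should also release the queue before leaving. The removed comment also carried the security rationale for not overriding queued data, which is worth keeping in one line.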