diff options
author | Anand Kumar <kumaranand@vmware.com> | 2018-03-06 15:48:08 -0800 |
---|---|---|
committer | Alin Gabriel Serdean <aserdean@ovn.org> | 2018-03-08 02:36:59 +0200 |
commit | 7954d04a898c040e0e4e2f21b38b0a3b03f68190 (patch) | |
tree | ef8dfda21409212117c0ced259092fffc7f54002 /datapath-windows | |
parent | efd715056a811d8e0866d42a91d13f564d7d5b3f (diff) | |
download | openvswitch-7954d04a898c040e0e4e2f21b38b0a3b03f68190.tar.gz |
datapath-windows: Do not drop Ip fragments less than MIN_FRAGMENT_SIZE
Previously ipfragment module would drop any fragments less than
MIN_FRAGMENT_SIZE (400 bytes), which was added to safeguard against the
vulnerability CVE-2000-0305. This check is incorrect, since minimum size
of the Ipfragment is 68 bytes (i.e. max length of Ip Header + 8 bytes of
L4 header). So Ip fragments less than MIN_FRAGMENT_SIZE (400 bytes) is not
guranted to be malformed or illegal.
To guard against security vulnerability CVE-2000-0305, for a given ip
datagram, ipfragments should be dropped only when number of smallest
fragments recieved reaches a certain threshold.
Signed-off-by: Anand Kumar <kumaranand@vmware.com>
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
Diffstat (limited to 'datapath-windows')
-rw-r--r-- | datapath-windows/ovsext/IpFragment.c | 9 |
1 files changed, 3 insertions, 6 deletions
diff --git a/datapath-windows/ovsext/IpFragment.c b/datapath-windows/ovsext/IpFragment.c index 3d5277ac4..d59d7cf96 100644 --- a/datapath-windows/ovsext/IpFragment.c +++ b/datapath-windows/ovsext/IpFragment.c @@ -25,10 +25,10 @@ #undef OVS_DBG_MOD #endif #define OVS_DBG_MOD OVS_DBG_IPFRAG -/* Based on MIN_FRAGMENT_SIZE.*/ -#define MAX_FRAGMENTS 164 + #define MIN_FRAGMENT_SIZE 400 #define MAX_IPDATAGRAM_SIZE 65535 +#define MAX_FRAGMENTS MAX_IPDATAGRAM_SIZE/MIN_FRAGMENT_SIZE + 1 /* Function declarations */ static KSTART_ROUTINE OvsIpFragmentEntryCleaner; @@ -275,10 +275,7 @@ OvsProcessIpv4Fragment(POVS_SWITCH_CONTEXT switchContext, offset = ntohs(ipHdr->frag_off) & IP_OFFSET; offset <<= 3; flags = ntohs(ipHdr->frag_off) & IP_MF; - /* Only the last fragment can be of smaller size.*/ - if (flags && ntohs(ipHdr->tot_len) < MIN_FRAGMENT_SIZE) { - return NDIS_STATUS_INVALID_LENGTH; - } + /*Copy fragment specific fields. */ fragKey.protocol = ipHdr->protocol; fragKey.id = ipHdr->id; |