diff options
author | Darrell Ball <dlu998@gmail.com> | 2019-02-20 08:17:16 -0800 |
---|---|---|
committer | Ben Pfaff <blp@ovn.org> | 2019-02-22 14:08:36 -0800 |
commit | 9b5136c3ded301e6a14b3b14d839b91c1ecbe31c (patch) | |
tree | fe126a1f059e4aff2ac2c84fc41782a163a727cd /lib | |
parent | e53213365aa4ba553ca141a99b4c23a45ce15317 (diff) | |
download | openvswitch-9b5136c3ded301e6a14b3b14d839b91c1ecbe31c.tar.gz |
ipf: Check minimum fragment against L3 size.
Fixes: 4ea96698f667 ("Userspace datapath: Add fragmentation handling.")
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/dpctl.man | 2 | ||||
-rw-r--r-- | lib/ipf.c | 4 |
2 files changed, 3 insertions, 3 deletions
diff --git a/lib/dpctl.man b/lib/dpctl.man index f22029fcd..1ff351170 100644 --- a/lib/dpctl.man +++ b/lib/dpctl.man @@ -230,7 +230,7 @@ supported for the userspace datapath. . .TP \*(DX\fBipf\-set\-min\-frag\fR [\fIdp\fR] \fBv4\fR|\fBv6\fR \fIminfrag\fR -Sets the minimum fragment size for non-final fragments to +Sets the minimum fragment size (L3 header and data) for non-final fragments to \fIminfrag\fR. Either \fBv4\fR or \fBv6\fR must be specified. For enhanced DOS security, higher minimum fragment sizes can usually be used. The default IPv4 value is 1200 and the clamped minimum is 400. The default @@ -613,7 +613,7 @@ ipf_is_valid_v4_frag(struct ipf *ipf, struct dp_packet *pkt) uint32_t min_v4_frag_size_; atomic_read_relaxed(&ipf->min_v4_frag_size, &min_v4_frag_size_); bool lf = ipf_is_last_v4_frag(pkt); - if (OVS_UNLIKELY(!lf && dp_packet_size(pkt) < min_v4_frag_size_)) { + if (OVS_UNLIKELY(!lf && dp_packet_l3_size(pkt) < min_v4_frag_size_)) { ipf_count(ipf, false, IPF_NFRAGS_TOO_SMALL); goto invalid_pkt; } @@ -693,7 +693,7 @@ ipf_is_valid_v6_frag(struct ipf *ipf, struct dp_packet *pkt) atomic_read_relaxed(&ipf->min_v6_frag_size, &min_v6_frag_size_); bool lf = ipf_is_last_v6_frag(ip6f_offlg); - if (OVS_UNLIKELY(!lf && dp_packet_size(pkt) < min_v6_frag_size_)) { + if (OVS_UNLIKELY(!lf && dp_packet_l3_size(pkt) < min_v6_frag_size_)) { ipf_count(ipf, true, IPF_NFRAGS_TOO_SMALL); goto invalid_pkt; } |