From 7954d04a898c040e0e4e2f21b38b0a3b03f68190 Mon Sep 17 00:00:00 2001 From: Anand Kumar Date: Tue, 6 Mar 2018 15:48:08 -0800 Subject: datapath-windows: Do not drop Ip fragments less than MIN_FRAGMENT_SIZE Previously ipfragment module would drop any fragments less than MIN_FRAGMENT_SIZE (400 bytes), which was added to safeguard against the vulnerability CVE-2000-0305. This check is incorrect, since minimum size of the Ipfragment is 68 bytes (i.e. max length of Ip Header + 8 bytes of L4 header). So Ip fragments less than MIN_FRAGMENT_SIZE (400 bytes) is not guranted to be malformed or illegal. To guard against security vulnerability CVE-2000-0305, for a given ip datagram, ipfragments should be dropped only when number of smallest fragments recieved reaches a certain threshold. Signed-off-by: Anand Kumar Acked-by: Alin Gabriel Serdean Signed-off-by: Alin Gabriel Serdean --- datapath-windows/ovsext/IpFragment.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'datapath-windows') diff --git a/datapath-windows/ovsext/IpFragment.c b/datapath-windows/ovsext/IpFragment.c index 3d5277ac4..d59d7cf96 100644 --- a/datapath-windows/ovsext/IpFragment.c +++ b/datapath-windows/ovsext/IpFragment.c @@ -25,10 +25,10 @@ #undef OVS_DBG_MOD #endif #define OVS_DBG_MOD OVS_DBG_IPFRAG -/* Based on MIN_FRAGMENT_SIZE.*/ -#define MAX_FRAGMENTS 164 + #define MIN_FRAGMENT_SIZE 400 #define MAX_IPDATAGRAM_SIZE 65535 +#define MAX_FRAGMENTS MAX_IPDATAGRAM_SIZE/MIN_FRAGMENT_SIZE + 1 /* Function declarations */ static KSTART_ROUTINE OvsIpFragmentEntryCleaner; @@ -275,10 +275,7 @@ OvsProcessIpv4Fragment(POVS_SWITCH_CONTEXT switchContext, offset = ntohs(ipHdr->frag_off) & IP_OFFSET; offset <<= 3; flags = ntohs(ipHdr->frag_off) & IP_MF; - /* Only the last fragment can be of smaller size.*/ - if (flags && ntohs(ipHdr->tot_len) < MIN_FRAGMENT_SIZE) { - return NDIS_STATUS_INVALID_LENGTH; - } + /*Copy fragment specific fields. */ fragKey.protocol = ipHdr->protocol; fragKey.id = ipHdr->id; -- cgit v1.2.1