On Wed, Jan 23, 2019 at 10:19:41AM +0800, Mao Wenan wrote: > From: Florian Westphal <fw@xxxxxxxxx> > > [ Upstream commit 0ed4229b08c13c84a3c301a08defdc9e7f4467e6 ] > > don't bother with pathological cases, they only waste cycles. > IPv6 requires a minimum MTU of 1280 so we should never see fragments > smaller than this (except last frag). > > v3: don't use awkward "-offset + len" > v2: drop IPv4 part, which added same check w. IPV4_MIN_MTU (68). > There were concerns that there could be even smaller frags > generated by intermediate nodes, e.g. on radio networks. > > Cc: Peter Oskolkov <posk@xxxxxxxxxx> > Cc: Eric Dumazet <edumazet@xxxxxxxxxx> > Signed-off-by: Florian Westphal <fw@xxxxxxxxx> > Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> > Signed-off-by: Mao Wenan <maowenan@xxxxxxxxxx> > --- > net/ipv6/netfilter/nf_conntrack_reasm.c | 4 ++++ > net/ipv6/reassembly.c | 4 ++++ > 2 files changed, 8 insertions(+) > > diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c > index 9cd8863..c5033a2 100644 > --- a/net/ipv6/netfilter/nf_conntrack_reasm.c > +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c > @@ -602,6 +602,10 @@ struct sk_buff *nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 use > hdr = ipv6_hdr(clone); > fhdr = (struct frag_hdr *)skb_transport_header(clone); > > + if (skb->len - skb_network_offset(skb) < IPV6_MIN_MTU && > + fhdr->frag_off & htons(IP6_MF)) > + return -EINVAL; This backport is incorrect, you should be returning a pointer, right? How did you test this? This should have blown up under test :( I'm going to drop this whole series. Please fix it up and test it properly and then resend. thanks, greg k-h
