There is one CVE: CVE-2018-5391 kernel: IP fragments with random offsets allow a remote denial of service (FragmentSmack), A fix is a merge commit in the Linux kernel tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c30f1fc041b74ecdb072dd44f858750414b8b19f consisting of the following commits: 7969e5c40dfd04799d4341f1b7cd266b6e47f227 ip: discard IPv4 datagrams with overlapping segments. 385114dec8a49b5e5945e77ba7de6356106713f4 net: modify skb_rbtree_purge to return the truesize of all purged skbs. fa0f527358bd900ef92f925878ed6bfbd51305cc ip: use rb trees for IP frag queue. All above patches are with rb tree to fix this CVE, which is very similar the CVE-2018-5390, that I have backport to stable 4.4 branch in last year. In these patchset, I will backport some patches to fix CVE-2018-5391 with rb tree. v1->v2: in this patch, ipv6: defrag: drop non-last frags smaller than min mtu fix the incorrect return value of nf_ct_frag6_gather. Dan Carpenter (1): ipv4: frags: precedence bug in ip_expire() Eric Dumazet (2): net: speed up skb_rbtree_purge() inet: frags: get rif of inet_frag_evicting() Florian Westphal (1): ipv6: defrag: drop non-last frags smaller than min mtu Michal Kubecek (1): net: ipv4: do not handle duplicate fragments as overlapping Peter Oskolkov (5): ip: discard IPv4 datagrams with overlapping segments. net: modify skb_rbtree_purge to return the truesize of all purged skbs. ip: use rb trees for IP frag queue. ip: add helpers to process in-order fragments faster. ip: process in-order fragments efficiently Taehee Yoo (1): ip: frags: fix crash in ip_do_fragment() include/linux/skbuff.h | 4 +- include/net/inet_frag.h | 12 +- include/uapi/linux/snmp.h | 1 + net/core/skbuff.c | 17 +- net/ipv4/inet_fragment.c | 16 +- net/ipv4/ip_fragment.c | 410 +++++++++++++++++++------------- net/ipv4/proc.c | 1 + net/ipv6/netfilter/nf_conntrack_reasm.c | 6 + net/ipv6/reassembly.c | 9 +- 9 files changed, 292 insertions(+), 184 deletions(-) -- 1.8.3.1
