On Thu, Apr 04, 2019 at 06:18:30PM -0600, Captain Wiggum wrote: > Hi Greg, > > A previous bad patch breaks 18 test cases for IPv6 fragment headers. > This has already been un-done in upstream, but not in any of the LTS. > However two upstream patches are first needed to cover a DoS vulnerability. > > For background, there are two mail threads in [netdev] on this subject: > 1) Subject: TAHI testing fails for IPv6 Fragments in Kernel 4.9 (from > captwiggum) > 2) Subject: Please merge IPv6 fix for drop fragment smaller than MTU > (from captwiggum) > > Two patches from upstream needed first to cover the DoS: > > commit d4289fcc9b16b89619ee1c54f829e05e56de8b9a > net: IP6 defrag: use rbtrees for IPv6 defrag > > commit 997dd96471641e147cb2c33ad54284000d0f5e35 > net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c > > One undo-patch to fix the IPv6 fragment headers: > > ipv6: defrag: drop non-last frags smaller than min mtu > UN-DO: commit a8444b1ccb20339774af58e40ad42296074fb484 For what kernel version(s) do these patches need to be applied? thanks, greg k-h
