Sasha Levin <sashal@xxxxxxxxxx> wrote:
> > > > Two patches from upstream needed first to cover the DoS:
> > > >
> > > > commit d4289fcc9b16b89619ee1c54f829e05e56de8b9a
> > > > net: IP6 defrag: use rbtrees for IPv6 defrag
> > > >
> > > > commit 997dd96471641e147cb2c33ad54284000d0f5e35
> > > > net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c

[..]

> I see that 0ed4229b08c1 ("ipv6: defrag: drop non-last frags smaller than
> min mtu") wasn't reverted upstream, why is a revert needed on the stable
> trees?

As I already mentioned, reverting it brings back the DoS problem.
The "drop < minmtu" restriction is removed in the two rbtree conversion
patches quoted above.