It's possible to request very large messages using the current code base. F.ex. UDP datagrams with the tftp client. The tftp servers will happily reply with fragmented IP frames. All these frame parts need to be dropped as BB currently doesn't do fragment reassembly. The current check was for fragment offsets only (0x1fff). But the first frame has fragment offset 0 and would slip through this check. That could result in a seemingly OK frame for the tftp client, but with broken data. Add check for the MF (More Fragments) flag. Should cover the first packet too. Signed-off-by: Christian Melki <christian.melki@xxxxxxxxxx> --- net/net.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/net.c b/net/net.c index 19161d2e82..b842041d59 100644 --- a/net/net.c +++ b/net/net.c @@ -678,7 +678,12 @@ static int net_handle_ip(struct eth_device *edev, unsigned char *pkt, int len) if ((ip->hl_v & 0xf0) != 0x40) goto bad; - if (ip->frag_off & htons(0x1fff)) /* Can't deal w/ fragments */ + /* Can't deal w/ fragments. + * Ether a fragment offset (13 bits), or + * MF (More Fragments) from frag. flags (3 bits). + * MF - because first fragment has fragment offset 0 + */ + if (ip->frag_off & htons(0x3fff)) goto bad; if (!net_checksum_ok((unsigned char *)ip, sizeof(struct iphdr))) goto bad; -- 2.34.1
