Date:      Sat, 16 Jun 2001 16:48:11 -0700 (PDT)
From:      Jesper Skriver <jesper@FreeBSD.org>
To:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: src/sys/netinet ip_input.c src/sys/netinet6 frag6.c in6_proto.c
Message-ID:  <200106162348.f5GNmBJ96604@freefall.freebsd.org>

jesper      2001/06/16 16:48:11 PDT

  Modified files:        (Branch: RELENG_4)
    sys/netinet          ip_input.c 
    sys/netinet6         frag6.c in6_proto.c 
  Log:
  MFC
  
  src/sys/netinet/ip_input.c      rev 1.169 and 1.170
  src/sys/netinet6/frag6.c        rev 1.7
  src/sys/netinet6/in6_proto.c    rev 1.13
  
    Prevent denial of service using bogus fragmented IPv4 packets.
  
    An attacker sending a lot of bogus fragmented packets to the target
    (with different IPv4 identification field - ip_id), may be able
    to put the target machine into mbuf starvation state.
  
    By setting an upper limit on the number of reassembly queues we
    prevent this situation.
  
    This upper limit is controlled by the new sysctl
    net.inet.ip.maxfragpackets which defaults to nmbclusters/4.
  
    If you want old behaviour (no upper limit) set this sysctl
    to a negative value.
  
    If you don't want to accept any fragments (not recommended)
    set the sysctl to 0 (zero).
  
    Change the default value of net.inet6.ip6.maxfragpackets from
    200 to nmbclusters/4 to match the IPv4 case.
  
  Obtained from:	NetBSD (partially)
  
  Revision    Changes    Path
  1.130.2.22  +34 -2     src/sys/netinet/ip_input.c
  1.2.2.4     +3 -1      src/sys/netinet6/frag6.c
  1.6.2.4     +2 -2      src/sys/netinet6/in6_proto.c
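
The commit above caps the number of IPv4 reassembly queues and gives the sysctl three regimes (negative = no limit, 0 = accept no fragments, positive = cap). The following Python model is an added example for this page, not code from the commit or from the FreeBSD kernel: it keeps one queue per (src, dst, proto, ip_id), applies a `maxfragpackets`-style cap, and contrasts a constructed flood of first fragments with distinct `ip_id` values against a legitimate two-fragment datagram. Which queue the real kernel discards when the cap is hit is not stated on this page, so the model simply refuses to open a new queue; the `Fragment` and `Reassembler` names and the sample addresses are constructed for the example.

```python
"""Toy model of IPv4 fragment reassembly bounded by a maxfragpackets-style cap.

Hypothetical example code written for this page; it is not the FreeBSD
implementation. Fragments are keyed the way the kernel keys reassembly
queues: (source, destination, protocol, IPv4 identification field).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNLIMITED = -1  # negative sysctl value: the old behaviour, no upper limit


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ip_id: int      # IPv4 identification field (ip_id)
    offset: int     # byte offset of this fragment within the original datagram
    more: bool      # "more fragments" (MF) flag
    payload: bytes


QueueKey = Tuple[str, str, int, int]


class Reassembler:
    """One reassembly queue per datagram, at most `maxfragpackets` queues at once."""

    def __init__(self, maxfragpackets: int) -> None:
        self.maxfragpackets = maxfragpackets
        self.queues: Dict[QueueKey, List[Fragment]] = {}
        self.dropped = 0  # fragments refused because of the cap (or cap == 0)

    def receive(self, frag: Fragment) -> Optional[bytes]:
        """Queue a fragment; return the reassembled payload once the datagram is complete."""
        if self.maxfragpackets == 0:  # sysctl set to 0: accept no fragments at all
            self.dropped += 1
            return None
        key: QueueKey = (frag.src, frag.dst, frag.proto, frag.ip_id)
        queue = self.queues.get(key)
        if queue is None:
            # A new ip_id would need a new queue; with a positive cap already
            # reached, the fragment is dropped instead (modelling choice: the
            # page does not say which queue the kernel evicts).
            if 0 < self.maxfragpackets <= len(self.queues):
                self.dropped += 1
                return None
            queue = self.queues[key] = []
        queue.append(frag)
        datagram = self._complete(queue)
        if datagram is not None:
            del self.queues[key]  # free the queue once the datagram is whole
        return datagram

    @staticmethod
    def _complete(queue: List[Fragment]) -> Optional[bytes]:
        """Return the joined payload if the fragments cover the datagram without gaps."""
        frags = sorted(queue, key=lambda f: f.offset)
        if frags[0].offset != 0 or frags[-1].more:
            return None  # first or last fragment still missing
        expected = 0
        for f in frags:
            if f.offset != expected:  # gap or overlap: not complete yet
                return None
            expected += len(f.payload)
        return b"".join(f.payload for f in frags)


def flood_distinct_ids(maxfragpackets: int, count: int) -> int:
    """Constructed traffic: `count` first fragments, each with a distinct ip_id
    and MF set, none of which is ever completed. Returns the number of
    reassembly queues left holding memory afterwards."""
    r = Reassembler(maxfragpackets)
    for ip_id in range(count):
        r.receive(Fragment("192.0.2.10", "192.0.2.1", 17, ip_id, 0, True, b"x" * 8))
    return len(r.queues)


def legit_datagram(maxfragpackets: int) -> Optional[bytes]:
    """Constructed two-fragment datagram arriving out of order; reassembles
    whenever a queue slot is available."""
    r = Reassembler(maxfragpackets)
    r.receive(Fragment("198.51.100.5", "192.0.2.1", 17, 4242, 8, False, b"IJ"))
    return r.receive(Fragment("198.51.100.5", "192.0.2.1", 17, 4242, 0, True, b"ABCDEFGH"))


if __name__ == "__main__":
    print("no limit, 1000 bogus ids ->", flood_distinct_ids(UNLIMITED, 1000), "queues")
    print("cap 64,   1000 bogus ids ->", flood_distinct_ids(64, 1000), "queues")
    print("cap 64, legitimate datagram ->", legit_datagram(64))
```

With no limit every distinct `ip_id` pins a queue (and, on a real host, the mbufs behind it) for as long as the queue lives, which is the starvation the commit describes; with a positive cap the queue count, and thus the memory, stays bounded while complete datagrams still reassemble. On a FreeBSD host the live value is read with `sysctl net.inet.ip.maxfragpackets` and changed with `sysctl net.inet.ip.maxfragpackets=N`.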


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200106162348.f5GNmBJ96604>