Implement handling of "atomic fragements" as outlined in

draft-gont-6man-ipv6-atomic-fragments to mitigate one class of possible fragmentation-based attacks. MFC after: 5 days
svn path=/head/; revision=238248
2012-07-08 15:30:24 +00:00 · 2012-07-08 15:30:24 +00:00 · 4018ea9a2b · 2020-12-20 02:59:44 +00:00
commit 4018ea9a2b
parent 029468d82c
1 changed files with 13 additions and 0 deletions
--- a/sys/netinet6/frag6.c
+++ b/sys/netinet6/frag6.c
@ -221,6 +221,19 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
 	/* offset now points to data portion */
 	offset += sizeof(struct ip6_frag);

+	/*
+	 * XXX-BZ RFC XXXX (draft-gont-6man-ipv6-atomic-fragments)
+	 * Handle "atomic" fragments (offset and m bit set to 0) upfront,
+	 * unrelated to any reassembly.  Just skip the fragment header.
+	 */
+	if ((ip6f->ip6f_offlg & ~IP6F_RESERVED_MASK) == 0) {
+		/* XXX-BZ we want dedicated counters for this. */
+		V_ip6stat.ip6s_reassembled++;
+		in6_ifstat_inc(dstifp, ifs6_reass_ok);
+		*offp = offset;
+		return (ip6f->ip6f_nxt);
+	}
+
 	IP6Q_LOCK();

 	/*