freebsd-nq/sys
Kristof Provost d47023236c pf: Limit the maximum number of fragments per packet
Similar to the network stack issue fixed in r337782, pf did not limit the number
of fragments per packet, which could be exploited to generate high CPU loads
with a crafted series of packets.

Limit each packet to no more than 64 fragments. This should be sufficient on
typical networks to allow maximum-sized IP frames.

This addresses the issue for both IPv4 and IPv6.

MFC after:	3 days
Security:	CVE-2018-5391
Sponsored by:	Klara Systems
2018-08-17 15:00:10 +00:00
..
amd64 GPT is standard in x86 and arm64 land. Add it to DEFAULTS with the 2018-08-17 14:47:21 +00:00
arm arm: Define crypto option on platforms that include IPsec 2018-08-17 01:04:02 +00:00
arm64 GPT is standard in x86 and arm64 land. Add it to DEFAULTS with the 2018-08-17 14:47:21 +00:00
bsm
cam Flesh out a comment about what we're doing with read bias and trims. 2018-08-15 00:15:40 +00:00
cddl Make vfs.zfs.zio.dva_throttle_enabled sysctl writable. 2018-08-16 18:44:50 +00:00
compat Revert r337922, except for some documentation-only bits. This needs to wait 2018-08-16 19:09:43 +00:00
conf random: Add PowerPC 'darn' instruction entropy source 2018-08-17 03:49:07 +00:00
contrib Bring in libsodium to sys/contrib 2018-08-17 00:23:50 +00:00
crypto Bring in compatibility glue for libsodium 2018-08-17 00:27:56 +00:00
ddb add an option for ddb ps command to print process arguments 2018-08-09 11:21:31 +00:00
dev random: Add PowerPC 'darn' instruction entropy source 2018-08-17 03:49:07 +00:00
dts Remove Atmel AT91RM9200 and AT91SAM9 support. 2018-07-27 18:28:22 +00:00
fs Don't set a file's size for the MDS file of a pNFS service. 2018-08-17 12:32:38 +00:00
gdb
geom OpenCrypto: Convert sessions to opaque handles instead of integers 2018-07-18 00:56:25 +00:00
gnu Import DTS files from Linux 4.18 2018-08-13 06:40:20 +00:00
i386 GPT is standard in x86 and arm64 land. Add it to DEFAULTS with the 2018-08-17 14:47:21 +00:00
isa
kern capsicum: allow the setproctitle(3) function in capability mode 2018-08-17 14:35:10 +00:00
kgssapi OpenCrypto: Convert sessions to opaque handles instead of integers 2018-07-18 00:56:25 +00:00
libkern Sync strlcpy with userland version, again 2018-06-21 17:35:13 +00:00
mips Query MVPConf0.PVPE for number of CPUs. 2018-08-14 16:29:10 +00:00
modules Add xform-conforming auth_hash wrapper for Poly-1305 2018-08-17 00:30:04 +00:00
net if_vlan(4): A VLAN always has a PCP and its ifnet's if_pcp should be set 2018-08-17 01:03:23 +00:00
net80211 Fix misspellings of transmitter/transmitted 2018-08-10 20:37:32 +00:00
netgraph The interface name must be sanitized before the search to match the existing 2018-08-15 13:42:22 +00:00
netinet Add the ability to look up the 3b PCP of a VLAN interface. Use it in 2018-08-16 23:46:38 +00:00
netinet6 Properly initialize IP version in IPv6 header. This was missed in r334673. 2018-08-16 09:19:06 +00:00
netipsec Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
netpfil pf: Limit the maximum number of fragments per packet 2018-08-17 15:00:10 +00:00
netsmb Make timespecadd(3) and friends public 2018-07-30 15:46:40 +00:00
nfs Switch RIB and RADIX_NODE_HEAD lock from rwlock(9) to rmlock(9). 2018-06-16 08:26:23 +00:00
nfsclient
nfsserver
nlm
ofed Only NULL check the VNET pointer when VIMAGE is enabled in ibcore. 2018-07-31 11:23:44 +00:00
opencrypto cryptosoft: Reduce generality of supported algorithm composition 2018-08-17 04:40:01 +00:00
powerpc powerpc: Add lwsync and ptesync 'sync' opcode variants to ddb disassembler 2018-08-10 03:28:40 +00:00
riscv Riscv: Include crypto for IPSec 2018-08-17 01:08:22 +00:00
rpc Set SO_SNDTIMEO in the client side krpc when CLSET_TIMEOUT is done. 2018-07-20 12:03:16 +00:00
security Require that MAC label buffers be able to store a non-empty string. 2018-08-01 03:46:07 +00:00
sparc64 Add pmap_is_valid_memattr(9). 2018-08-01 18:45:51 +00:00
sys random: Add PowerPC 'darn' instruction entropy source 2018-08-17 03:49:07 +00:00
teken teken: Fix sequences header which was crossing the 80-col boundary 2018-05-29 08:41:44 +00:00
tests epoch_test: fix compile 2018-07-15 00:31:17 +00:00
tools
ufs Put jail(2) under COMPAT_FREEBSD11. It has been the "old" way of creating 2018-08-16 18:40:16 +00:00
vm Prevent some parallel swap-ins, rate-limit swapper swap-ins. 2018-08-13 16:48:46 +00:00
x86 Help ensure that the copy loop doesn't get converted to a memcpy() call. 2018-08-14 19:21:31 +00:00
xdr
xen xen: add missing file from r336474 2018-07-19 10:14:52 +00:00
Makefile