reassembly: prevent long chain attack

limit max # of fragments to 3 per packet by default
add API option to configure the limit at runtime

Change-Id: Ie4b9507bf5c6095b9a5925972b37fe0032f4f9e8
Signed-off-by: Klement Sekera <ksekera@cisco.com>
diff --git a/src/vnet/ip/ip_api.c b/src/vnet/ip/ip_api.c
index ce3456d..5a6053d 100644
--- a/src/vnet/ip/ip_api.c
+++ b/src/vnet/ip/ip_api.c
@@ -3328,12 +3328,14 @@
     {
       rv = ip6_reass_set (clib_net_to_host_u32 (mp->timeout_ms),
 			  clib_net_to_host_u32 (mp->max_reassemblies),
+			  clib_net_to_host_u32 (mp->max_reassembly_length),
 			  clib_net_to_host_u32 (mp->expire_walk_interval_ms));
     }
   else
     {
       rv = ip4_reass_set (clib_net_to_host_u32 (mp->timeout_ms),
 			  clib_net_to_host_u32 (mp->max_reassemblies),
+			  clib_net_to_host_u32 (mp->max_reassembly_length),
 			  clib_net_to_host_u32 (mp->expire_walk_interval_ms));
     }
 
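Review bot: In both branches the new `max_reassembly_length` goes from the API message into `ip6_reass_set` / `ip4_reass_set` with only a byte swap, so an API client can set the limit that bounds fragment chains to any 32-bit value. Whether the setters reject 0 or a very large value is not visible here. If they do not, a misconfiguration could leave reassembly either effectively unbounded or unusable, so a range check before the two calls is worth adding, for example `if (clib_net_to_host_u32 (mp->max_reassembly_length) == 0) rv = VNET_API_ERROR_INVALID_VALUE;`. A short comment giving the unit (fragments per packet) and the default of 3 from the commit message would also help readers of the handler, which starts and ends outside this hunk.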
@@ -3364,6 +3366,7 @@
     {
       rmp->is_ip6 = 0;
       ip4_reass_get (&rmp->timeout_ms, &rmp->max_reassemblies,
+		     &rmp->max_reassembly_length,
 		     &rmp->expire_walk_interval_ms);
     }
   rmp->timeout_ms = clib_host_to_net_u32 (rmp->timeout_ms);
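Review bot: The reply field `rmp->max_reassembly_length` is filled by `ip4_reass_get` but never converted to network byte order, unlike `rmp->timeout_ms` on the last line of the hunk. A conversion added directly after that line would have fallen inside this hunk, so on a little-endian host the client would presumably read a byte-swapped limit. Add `rmp->max_reassembly_length = clib_host_to_net_u32 (rmp->max_reassembly_length);` alongside the existing conversions. The IPv6 branch sits just above the hunk and appears untouched by it, so confirm that `ip6_reass_get` also reports the new limit. Otherwise an operator auditing the configuration over the API sees an unset value for IPv6.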