On Thu, Apr 04, 2019 at 06:18:30PM -0600, Captain Wiggum wrote:
Hi Greg,
A previous bad patch breaks 18 test cases for IPv6 fragment headers. This has already been un-done in upstream, but not in any of the LTS. However two upstream patches are first needed to cover a DoS vulnerability.
For background, there are two mail threads in [netdev] on this subject:
- Subject: TAHI testing fails for IPv6 Fragments in Kernel 4.9 (from
captwiggum) 2) Subject: Please merge IPv6 fix for drop fragment smaller than MTU (from captwiggum)
Two patches from upstream needed first to cover the DoS:
commit d4289fcc9b16b89619ee1c54f829e05e56de8b9a net: IP6 defrag: use rbtrees for IPv6 defrag
commit 997dd96471641e147cb2c33ad54284000d0f5e35 net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c
One undo-patch to fix the IPv6 fragment headers:
ipv6: defrag: drop non-last frags smaller than min mtu UN-DO: commit a8444b1ccb20339774af58e40ad42296074fb484
For what kernel version(s) do these patches need to be applied?
thanks,
greg k-h