6 Apr
2019
6 Apr
'19
4:34 p.m.
Sasha Levin sashal@kernel.org wrote:
Two patches from upstream needed first to cover the DoS:
commit d4289fcc9b16b89619ee1c54f829e05e56de8b9a net: IP6 defrag: use rbtrees for IPv6 defrag
commit 997dd96471641e147cb2c33ad54284000d0f5e35 net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c
[..]
I see that 0ed4229b08c1 ("ipv6: defrag: drop non-last frags smaller than min mtu") wasn't reverted upstream, why is a revert needed on the stable trees?
As I already mentioned, reverting it brings back the DoS problem. The "drop < minmtu" restriction is removed in the two rbtree conversion patches quoted above.