At 11:57 23/12/04, Carson Gaspar wrote:

> There are at least 2 ways to fix this:
>
> - Pass all non-initial IP fragments with an offset > x (where x is sufficiently large to not overwrite the header). Optionally, verify that it is _possible_ for the fragment to be valid (without the protocol/port info, all you have to go on is src IP / dst IP). I believe that Darren already posted a patch that does something like this.
>
> - Buffer fragments until enough information exists to make a pass/drop decision. This is much harder to do correctly, but is worth it in some environments.

Time for a reality check, this is a BAD IDEA !

Having been the victim of a number of TearDrop style attacks,
if either of the first two frags doesn't have the IP hdr in it,
I'd trash the packets, and maybe only ever accept two anyway.

All this kerfuffle is about tunneled IP MTU issues from VPNs and DSL,
it's very rarely about ATM or GigE 8K+ frames,
so two packets should be enough to carry a 1500 byte ethernet payload.

pjc
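The first fix quoted above (pass a non-initial fragment only when its offset is past the transport header, so it cannot overwrite ports or TCP flags that the initial fragment was filtered on) is easy to show in code. The following is an added example, not code from either poster nor from any firewall mentioned in the thread. It parses the IPv4 header, takes Carson's "x" to be the number of transport-header bytes the filter needs to see (16 for TCP, enough to cover the flags, the figure RFC 1858 uses; 8 for UDP; both assumed here), and applies the rule to constructed packets: a TCP SYN split into a tiny-fragment pair, and a legitimately fragmented packet. Checksums are neither computed nor checked, since they play no part in the decision.

```python
import struct
from collections import namedtuple

Frag = namedtuple("Frag", "src dst proto ident offset mf payload_len")

# Transport-header bytes the filter must see before it can judge a packet.
# TCP: 16 covers ports, seq, ack, data offset and flags. UDP: 8 is the whole header.
# These thresholds are an assumption of this example (Carson's "x").
MIN_TRANSPORT_HDR = {6: 16, 17: 8}
DEFAULT_MIN = 8

DROP_TINY_INITIAL = "drop: initial fragment too small to carry the transport header"
DROP_OVERWRITE = "drop: non-initial fragment would overwrite the transport header"
INSPECT = "inspect"   # offset 0 with a full transport header: normal rules apply
PASS = "pass"         # non-initial fragment that cannot touch the transport header


def parse_ipv4(pkt: bytes) -> Frag:
    """Pull the fields needed for a fragment decision out of an IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    mf = bool(flags_off & 0x2000)          # More Fragments flag
    offset = (flags_off & 0x1FFF) * 8      # fragment offset is in 8-byte units
    payload_len = min(total_len, len(pkt)) - ihl
    return Frag(src, dst, proto, ident, offset, mf, payload_len)


def fragment_verdict(pkt: bytes) -> str:
    """Tiny-fragment / overlap rule: only the header-bearing fragment is inspected,
    and no later fragment may land on the bytes that inspection relied on."""
    f = parse_ipv4(pkt)
    need = MIN_TRANSPORT_HDR.get(f.proto, DEFAULT_MIN)
    if f.offset == 0:
        if f.mf and f.payload_len < need:
            return DROP_TINY_INITIAL
        return INSPECT
    if f.offset < need:
        return DROP_OVERWRITE
    return PASS


def build_ipv4(src, dst, proto, ident, offset, mf, payload):
    """Constructed test packet; checksum left at zero on purpose."""
    assert offset % 8 == 0, "fragment offsets are multiples of 8"
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr + payload


# Constructed sample traffic (not captured from anywhere).
SRC, DST, TCP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 6
# 20-byte TCP header: sport 40000, dport 23, seq 1, ack 0, doff 5, flags SYN.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

# Tiny-fragment attack: ports in fragment 1, flags arrive in fragment 2 at offset 8.
TINY_FRAG_1 = build_ipv4(SRC, DST, TCP, 0x1234, 0, True, TCP_SYN[:8])
TINY_FRAG_2 = build_ipv4(SRC, DST, TCP, 0x1234, 8, False, TCP_SYN[8:])

# Ordinary fragmentation of a 2000-byte segment across a 1500-byte link:
# full TCP header in the first piece, the remainder at offset 1480.
LEGIT_FRAG_1 = build_ipv4(SRC, DST, TCP, 0x5678, 0, True, TCP_SYN + b"A" * 1460)
LEGIT_FRAG_2 = build_ipv4(SRC, DST, TCP, 0x5678, 1480, False, b"A" * 520)


if __name__ == "__main__":
    for name, pkt in [("tiny frag 1", TINY_FRAG_1), ("tiny frag 2", TINY_FRAG_2),
                      ("legit frag 1", LEGIT_FRAG_1), ("legit frag 2", LEGIT_FRAG_2)]:
        print(f"{name:13s} -> {fragment_verdict(pkt)}")
```

Both halves of the tiny-fragment pair are dropped: the first because it carries too little of the TCP header to be judged, the second because its offset falls inside the header region. The legitimate pair is inspected and passed respectively. Note that this rule alone still lets an attacker consume reassembly buffers on the end host with fragments that never complete; that is the separate problem the second quoted fix (buffering until a decision is possible) and the reply's "only ever accept two" stance are aimed at.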


