Thanks for the review. 

MIN_FRAGMENT_SIZE is used to determine maximum number of fragments that are 
allowed for an IP datagram. 
I will update the macro MAX_FRAGMENTS to compute the value based on 

Anand Kumar

On 3/6/18, 5:43 AM, "" <> wrote:

    I guess you can also remove the define
    since it is not used anywhere else.
    -----Mesaj original-----
    De la: <> În
    numele Anand Kumar
    Trimis: Tuesday, March 6, 2018 1:21 AM
    Subiect: [ovs-dev] [PATCH] datapath-windows: Do not drop Ip fragments less
    Previously ipfragment module would drop any fragments less than
    MIN_FRAGMENT_SIZE (400 bytes), which was added to safeguard against the
    vulnerability CVE-2000-0305. This check is incorrect, since minimum size of
    the Ipfragment is 68 bytes (i.e. max length of Ip Header + 8 bytes of
    L4 header). So Ip fragments less than MIN_FRAGMENT_SIZE (400 bytes) is not
    guranted to be malformed or illegal.
    To guard against security vulnerability CVE-2000-0305, for a given ip
    datagram, ipfragments should be dropped only when number of smallest
    fragments recieved reaches a certain threshold.
    Signed-off-by: Anand Kumar <>
     datapath-windows/ovsext/IpFragment.c | 5 +----
     1 file changed, 1 insertion(+), 4 deletions(-)
    diff --git a/datapath-windows/ovsext/IpFragment.c
    index 3d5277a..da9d33a 100644
    --- a/datapath-windows/ovsext/IpFragment.c
    +++ b/datapath-windows/ovsext/IpFragment.c
    @@ -275,10 +275,7 @@ OvsProcessIpv4Fragment(POVS_SWITCH_CONTEXT
         offset = ntohs(ipHdr->frag_off) & IP_OFFSET;
         offset <<= 3;
         flags = ntohs(ipHdr->frag_off) & IP_MF;
    -    /* Only the last fragment can be of smaller size.*/
    -    if (flags && ntohs(ipHdr->tot_len) < MIN_FRAGMENT_SIZE) {
    -        return NDIS_STATUS_INVALID_LENGTH;
    -    }
         /*Copy fragment specific fields. */
         fragKey.protocol = ipHdr->protocol; = ipHdr->id;
    dev mailing list

dev mailing list

Reply via email to