On Mon, Nov 21, 2016 at 10:58:43AM +0100, Alexander Bluhm wrote:
> On Fri, Nov 18, 2016 at 11:33:33PM +0100, Alexandr Nedvedicky wrote:
> > how about using 'goto free_ipv6_frag' ? It better explains, what's
> > going to happen.
>
> makes sense
thanks a lot, I'm O.K. with it.
regards
On Fri, Nov 18, 2016 at 11:33:33PM +0100, Alexandr Nedvedicky wrote:
> how about using 'goto free_ipv6_frag' ? It better explains, what's
> going to happen.
makes sense
bluhm
Index: net/pf_norm.c
===
RCS file:
Hello,
> more strictly here. Drop the whole fragment state if IPv6 fragments
> appear which have invalid length, fragment-offset or more-fragment-bit.
I like the idea being strict here. I don't like 'goto overlap_fragment'.
the 'overlap_fragment' as a name of jump target is bit
Hi,
In his talk in 2013 Antonios Atlasis found other places where we
do not drop the whole state together with overlapping IPv6 fragments.
https://www.troopers.de/wp-content/uploads/2013/01/TROOPERS13-Fragmentation_Overlapping_Attacks_Against_IPv6_One_Year_Later-Antonios_Atlasis.pdf
When I