reassembly: prevent long chain attack

limit max # of fragments to 3 per packet by default add API option to configure the limit at runtime Change-Id: Ie4b9507bf5c6095b9a5925972b37fe0032f4f9e8 Signed-off-by: Klement Sekera <ksekera@cisco.com>
author: Klement Sekera <ksekera@cisco.com> 2019-05-16 14:35:46 +0200
committer: Ole Trøan <otroan@employees.org> 2019-05-20 12:13:11 +0000
commit: 3a343d42d7bd90753ea6ed48fe750a7a209b1ddf (patch)
tree: ba831c36c69365d67a2d20d7a6d447b831a1b88e /src/vnet/ip/ip_api.c
parent: b388e1a50603a07e20007141221ca4f4a18ab698 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/src/vnet/ip/ip_api.c b/src/vnet/ip/ip_api.c
index ce3456d77d9..5a6053d1f42 100644
--- a/src/vnet/ip/ip_api.c
+++ b/src/vnet/ip/ip_api.c
@@ -3328,12 +3328,14 @@ vl_api_ip_reassembly_set_t_handler (vl_api_ip_reassembly_set_t * mp)
     {
       rv = ip6_reass_set (clib_net_to_host_u32 (mp->timeout_ms),
 			  clib_net_to_host_u32 (mp->max_reassemblies),
+			  clib_net_to_host_u32 (mp->max_reassembly_length),
 			  clib_net_to_host_u32 (mp->expire_walk_interval_ms));
     }
   else
     {
       rv = ip4_reass_set (clib_net_to_host_u32 (mp->timeout_ms),
 			  clib_net_to_host_u32 (mp->max_reassemblies),
+			  clib_net_to_host_u32 (mp->max_reassembly_length),
 			  clib_net_to_host_u32 (mp->expire_walk_interval_ms));
     }
 
@@ -3364,6 +3366,7 @@ vl_api_ip_reassembly_get_t_handler (vl_api_ip_reassembly_get_t * mp)
     {
       rmp->is_ip6 = 0;
       ip4_reass_get (&rmp->timeout_ms, &rmp->max_reassemblies,
+		     &rmp->max_reassembly_length,
 		     &rmp->expire_walk_interval_ms);
     }
   rmp->timeout_ms = clib_host_to_net_u32 (rmp->timeout_ms);
author	Klement Sekera <ksekera@cisco.com>	2019-05-16 14:35:46 +0200
committer	Ole Trøan <otroan@employees.org>	2019-05-20 12:13:11 +0000
commit	3a343d42d7bd90753ea6ed48fe750a7a209b1ddf (patch)
tree	ba831c36c69365d67a2d20d7a6d447b831a1b88e /src/vnet/ip/ip_api.c
parent	b388e1a50603a07e20007141221ca4f4a18ab698 (diff)