From 3a343d42d7bd90753ea6ed48fe750a7a209b1ddf Mon Sep 17 00:00:00 2001
From: Klement Sekera
Date: Thu, 16 May 2019 14:35:46 +0200
Subject: reassembly: prevent long chain attack limit max # of fragments to 3 per packet by default add API option to configure the limit at runtime
Change-Id: Ie4b9507bf5c6095b9a5925972b37fe0032f4f9e8
Signed-off-by: Klement Sekera
---
 src/vnet/ip/ip.api | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'src/vnet/ip/ip.api')
diff --git a/src/vnet/ip/ip.api b/src/vnet/ip/ip.api
index 39d394f709d..afb0960c78a 100644
--- a/src/vnet/ip/ip.api
+++ b/src/vnet/ip/ip.api
@@ -20,7 +20,7 @@ called through a shared memory interface. */
-option version = "2.0.0";
+option version = "2.0.1";
 import "vnet/ip/ip_types.api";
 import "vnet/fib/fib_types.api";
 import "vnet/ethernet/ethernet_types.api";
@@ -1085,6 +1085,7 @@ autoreply define ip_reassembly_set
 u32 context;
 u32 timeout_ms;
 u32 max_reassemblies;
+ u32 max_reassembly_length;
 u32 expire_walk_interval_ms;
 u8 is_ip6;
 };
@@ -1102,6 +1103,7 @@ define ip_reassembly_get_reply
 i32 retval;
 u32 timeout_ms;
 u32 max_reassemblies;
+ u32 max_reassembly_length;
 u32 expire_walk_interval_ms;
 u8 is_ip6;
 };
--
cgit 1.2.3-korg
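Review bot: The new `u32 max_reassembly_length;` field in `ip_reassembly_set` (hunk at -1085) is added with no statement of its unit, default or accepted range, and the same applies to the copy in `ip_reassembly_get_reply` (hunk at -1102). Because this value is the bound that stops long fragment chains, the API should say what 0 and very large values mean; the handler is not part of this file-limited diff, so if it stores the value unchecked, a client that zero-fills the message or passes a huge number could presumably either drop all fragmented traffic or switch the protection off. I would add a line to each message's doc comment, which lies outside the hunks, along the lines of `@param max_reassembly_length - maximum number of fragments per reassembly (default 3)`, and note there that out-of-range values are rejected. The field is also inserted between existing fields, which changes the message layout, while the version only moves from 2.0.0 to 2.0.1; it is worth confirming that a patch-level bump is intended for a layout change.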